Thoughts on Facebook Application Security Issue
I want to share my quick thoughts on the Facebook Application Security issue that has been publicized by Symantec and picked up by the media in a frenzy. The Symantec blog post that describes this flaw is here:
Anyone using the Syndicruit Facebook App is not impacted by the security flaw described by Symantec. We have been using the OAuth 2.0 authentication system since November of last year, so the "access token" or "spare key" (as Symantec describes it) is never exposed and never at risk.

Also, while Symantec is bringing this security flaw to the forefront now, the problems with the old Facebook authentication system have been well understood and discussed for a while, and Facebook has been proactive about addressing them. Specifically, the two sources of the security problem (as described by Symantec) are: access tokens exposed in the URL, and information leaking to third parties through the HTTP Referer header. Both of these have already been addressed by Facebook's OAuth 2.0 authentication system. Unfortunately, older Facebook Apps that are still using the old authentication system remain impacted by this security issue, so I hope they upgrade as soon as possible.

So while the security stories sound doom and gloom for Facebook Apps, all modern Facebook Apps (the Syndicruit Facebook App included) are safe from the problems described by Symantec, and you can continue to use our app feeling confident that your information is secure.
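As an added illustration (not code from the original post, from Syndicruit or from Facebook), the Python below shows the mechanism described above: when a page URL carries the access token in its query string, the browser hands that token to any third-party resource the page loads via the Referer header, whereas a token delivered in the URL fragment (as the OAuth 2.0 implicit grant does) is never included in the Referer. The host names, log format and token value are constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl

# Query-string parameter names that carry a bearer credential. The legacy
# Facebook app flow put the access token here; extend the set as needed.
SENSITIVE_PARAMS = {"access_token"}


def referer_for(page_url: str) -> str:
    """What a browser sends as the Referer header when a page at page_url
    loads a third-party resource: scheme, host, path and query are sent,
    the fragment (everything after '#') never is."""
    parts = urlsplit(page_url)
    return urlunsplit((parts.scheme, parts.netloc, parts.path, parts.query, ""))


def leaked_params(referer: str) -> dict:
    """Sensitive parameters a Referer value would disclose to the third party."""
    query = urlsplit(referer).query
    return {k: v for k, v in parse_qsl(query) if k in SENSITIVE_PARAMS}


def scan_referer_log(lines):
    """Run the check over third-party log lines of the (constructed) form
    '<client-ip> <request-path> <referer>' and report which clients leaked what."""
    findings = []
    for line in lines:
        client, path, referer = line.split(" ", 2)
        leaked = leaked_params(referer)
        if leaked:
            findings.append((client, path, sorted(leaked)))
    return findings


# Constructed sample URLs: legacy style with the token in the query string,
# versus an OAuth 2.0 implicit-grant style redirect with the token in the fragment.
LEGACY_URL = "https://apps.example.test/canvas/?session=abc&access_token=TOKEN_PLACEHOLDER"
OAUTH2_URL = "https://apps.example.test/canvas/#access_token=TOKEN_PLACEHOLDER&expires_in=3600"

# Constructed access log of a third-party server (e.g. an ad or analytics pixel).
SAMPLE_LOG = [
    "203.0.113.5 /pixel.gif " + referer_for(LEGACY_URL),
    "203.0.113.6 /pixel.gif " + referer_for(OAUTH2_URL),
    "203.0.113.7 /pixel.gif https://apps.example.test/canvas/?session=abc",
]

if __name__ == "__main__":
    for client, path, names in scan_referer_log(SAMPLE_LOG):
        print(f"{client} requesting {path}: Referer leaked {', '.join(names)}")
```

Only the legacy-style URL is flagged; the fragment-delivered token never reaches the third party's log.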
If you have any questions about this, please feel free to send me a note.