Facebook is telling developers today to plan to migrate to newer security standards on the platform — a mostly-planned migration whose roadmap was accelerated because of a data leak discovered by security firm Symantec. Developers will need to migrate to the OAuth 2.0 open standard by September 1 of this year, and they’ll need to have obtained an SSL certificate (not a straightforward process) by October 1.
The security issue was that some applications that used an older authentication system could have shared access to users with third parties, which is conceptually similar to the leaked user identity numbers issue that got so much attention last fall. In this case, older Facebook iframe-based applications could first ask users for permission for actions such as accessing friends lists or posting to the user’s profile walls, as well as the ability to access their profile when they were offline. Facebook would then send back a permission token to the app, in an insecure format that might then be shared (intentionally or not) with others, such as with advertising networks to use for better ad targeting.
It’s not clear what the scope of the problem is. Symantec, which sells security software and so has a stake in there being problems to solve, estimates that more than 100,000 applications had this problem as of last month. It’s not clear how many apps have been leaking tokens, nor for how long.
In response, Facebook reiterates a variety of security steps it is taking, and it also says it has not seen evidence of the tokens being used in a way that violates its policies (which don’t allow third parties reselling data).
The real-world implications of the issue appear to be this: a subset of users who use apps (some users don’t), who also used apps that were leaking data, may have provided a set of permissions that possibly exposed information and access points to unknown parties. So, without more evidence, probably not that terrible. Or as security researcher Joey Tyson summed up earlier today: “Facebook cred leak: 1) Yrs old, 2) not passwords, 3) not OAuth-specific, 3) hard to fix, 4) has caveats, 5) FB monitors, 6) fix in progress.”
In any case, here’s the developer roadmap for the changes, via the company developer blog post today:
- July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
- September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
- October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.