When you log in to a site with Facebook Connect and it prompts you for your email and password, how do you know the site you are viewing is Facebook? This question crossed my mind earlier this afternoon and my conclusion was that there’s little information provided that ensures you are viewing a Facebook page. The only thing that you can see that guarantees you are at Facebook is the URL provided in the browser window (as pictured below).
In the Safari browser you can’t even see the full Facebook URL without clicking on it and scrolling over to guarantee the URL base domain in fact ends in “facebook.com”. This presents a serious risk for Facebook. As more sites begin to support the Facebook Connect standard and the service becomes more ubiquitous, users around the web will become increasingly comfortable with randomly entering their Facebook email and password.
Users could potentially end up at a scammer’s website that asks them to log in via “Facebook Connect” simply by using one of the button images provided by Facebook. The user is then presented with a pop-up window like the one below but instead of it being Facebook’s website, it is a different website that captures the user’s email and password.
An advanced phisher could theoretically set up an actual Facebook Connect application which would eventually log the user in to Facebook. While I haven’t tested such a system, it appears to be possible based on my initial glance at Facebook’s Connect login structure. If you thought the “Koobface virus” presented a significant risk, wait until Facebook Connect becomes ubiquitous and phishers start taking advantage of its ubiquity.
Facebook can resolve the problem though. It would require an additional security layer such as TRUSTe to assure users that they are definitely visiting Facebook’s site. Implementing TRUSTe (or an alternative system) is not complex and it will help prevent a future privacy disaster. Facebook should implement this type of system sooner rather than later, as phishers and scammers are increasingly targeting Facebook and are probably only steps away from creating this type of scheme.
Do you think Facebook Connect is secure or are there definitely phishing risks? Have you had a chance to enable Facebook Connect on your site yet?
Facebook has contacted us with the following statement:
• We’ve always educated users to only input their password if the page is served from facebook.com. This includes Facebook Connect logins, which will open in a browser popup, enabling users to verify the URL comes from facebook.com.
• Other systems require the user to log in for each site but, with Facebook Connect, if the user is logged in to Facebook, they do not have to log in to remote sites. They will be prompted to simply “Authorize” that site. This should reduce the number of times that a user has to enter their password. Additionally, if a website is asking a user to log in when it should only need to be authorized, this could help users detect a potential phishing site.
• Phishing is an industry-wide problem that will require industry-wide cooperation around user education, browser improvements, and other security measures to be solved. We’ve been working with many people in the industry to help decrease the risk of phishing and we will continue this commitment.