Facebook Tells Some Developers They Have 48 Hours to Fix Authentication Data Leaks

Facebook has sent an email to what it calls a “very small percentage of the developer community” informing them their apps are suspected of leaking authentication data to third parties, and that they have 48 hours to fix the leaks or be subject to enforcement. They can become compliant by switching to OAuth 2.0, or by adding an interstitial page that removes the authentication data as a stopgap before the mandatory migration to OAuth 2.0 on September 1st.

However, several developers have posted to the Facebook developers forum that they have checked their apps and found no data leaks. This suggests that widespread panic may be unnecessary: some who received the warning may not actually be in violation of policy and may not need to make any changes.

The situation appears to be connected to the issue that developers using an older authentication system were purposefully or inadvertently sharing access tokens for user data with third parties such as ad networks. This violates Facebook’s Platform Policy, though the actual negative impact on users is limited. In response, Facebook accelerated its app security roadmap, mandating a move to OAuth 2.0, which prevents the leak, by September 1st, and requiring developers to obtain an SSL certificate by October 1st.

Some are reporting that the email is inciting a small-scale panic amongst developers, though we’re seeing more of a state of confusion. Since the email appears to have been sent to developers singled out by Facebook’s automated system, and those that are violating policy may have done so in one of several ways, the notification doesn’t indicate exactly what developers have done wrong. Many suspect they received the message in error, and that they aren’t in violation.

Facebook recommends developers use an HTTP proxy or monitor such as Fiddler or Charles to check whether the HTTP Referer header is passing access tokens to other sites. If they find they are in fact violating policy, they can switch to OAuth 2.0 early. Those unsure of whether they violate policy should consider this option because they’ll have to migrate to the newer authentication system eventually. However, this may be a considerable amount of work for a relatively soon deadline.

Alternatively, developers can add an interstitial page that clears authentication data as per the Legacy Connect Auth documentation. This should be a quicker solution for those looking to ensure compliance before the deadline. If developers don’t do either and are found to be violating policy after the deadline, their apps may be suspended.
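The two steps described above (checking a proxy capture for tokens leaving through the Referer header, and clearing the token from the page URL before third-party resources load) can be illustrated with the following script. It is an added example, not code from Facebook or from the article; the host names, parameter names and the captured requests are constructed, and a real Fiddler or Charles export would first have to be converted into the simple list-of-dicts shape used here.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameter names treated as credentials in this example (assumed; the
# article names no specific parameter).
TOKEN_PARAMS = {"access_token", "session_key", "fb_sig_session_key"}

def tokens_in_query(url):
    """Return the token-bearing parameter names found in url's query string."""
    return sorted({k for k, _ in parse_qsl(urlsplit(url).query) if k in TOKEN_PARAMS})

def referer_leaks(requests, first_party_hosts):
    """Flag requests to hosts outside first_party_hosts whose Referer header
    carries a token-bearing parameter. Each request is a dict with 'url' and
    'headers' (the shape a converted proxy capture is assumed to have)."""
    findings = []
    for req in requests:
        headers = {k.lower(): v for k, v in req.get("headers", {}).items()}
        referer = headers.get("referer")
        if not referer or urlsplit(req["url"]).hostname in first_party_hosts:
            continue  # no Referer, or a first-party request: nothing leaves the app
        leaked = tokens_in_query(referer)
        if leaked:
            findings.append((req["url"], leaked))
    return findings

def strip_token_params(url):
    """Rebuild url without token-bearing parameters: the address an interstitial
    page should redirect to before any third-party resource is loaded."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in TOKEN_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))

# Constructed capture: three requests made while rendering one canvas page.
CANVAS = "http://app.example.com/canvas?access_token=CONSTRUCTED_TOKEN&page=2"
SAMPLE_REQUESTS = [
    {"url": "http://app.example.com/style.css", "headers": {"Referer": CANVAS}},  # first party: ignored
    {"url": "http://ads.example.net/pixel.gif", "headers": {"Referer": CANVAS}},  # token reaches ad host
    {"url": "http://cdn.example.net/lib.js", "headers": {"Referer": "http://app.example.com/about"}},
]

if __name__ == "__main__":
    for url, params in referer_leaks(SAMPLE_REQUESTS, {"app.example.com"}):
        print("token leak:", url, params)
    print("safe page URL:", strip_token_params(CANVAS))
```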

By setting a fast-approaching deadline, Facebook is taking a hard line against developers who are violating policy, either accidentally or willfully. This will send a message that the site is serious about protecting users. However, the short period of time to make changes and the potential that some developers may have received the worrisome message when they haven’t done anything wrong could hurt Facebook’s relations with the developer community.
