Comments on Security and Tech: A serious OAuth security hole in Facebook SDK
Blog author: Yitao Yao (http://www.blogger.com/profile/05865982079791495147)
Comment feed last updated 2023-05-28

Comment by Sagar (posted as Unknown, https://www.blogger.com/profile/04225737187524817788), 2011-01-03 11:13 -08:00

Hi,

I agree with you on Facebook's weak Connect library with such a loophole. I found that when I needed to implement the same thing (external sign-in) and I was looking at that library as a reference (I would surely have been kicked off my job if they (seniors) had found that)!!

But still the question remains:
WebView: we can't use it, as it can be intercepted.
But can we use an iframe-like thing in it so that its form content won't be accessible to script?

So how can we achieve this security in mobile apps??
Can we do it like this: "invoke the sign-in pattern as a sub-activity", so only the activity thread (app) will get access only to the result of the sub-activity (sign-in)??

Do we (service providers) have to distribute a secured library (for sign-in)? I don't know how to do that.

Please guide me, sir, on where to focus; I'm in great confusion!!

Thanking you in anticipation!!

Regards,
Sagar

Comment by MrGamma (https://www.blogger.com/profile/00962275927543882107), 2010-12-11 11:41 -08:00

Yitao, I am sort of in agreement with you. Not so much because I can see a glaring security hole that will be exploited easily; rather, because I wish everybody were on the same page.

I think you are right about the Facebook method being too relaxed. If it is exploitable they might pay the price, but nobody will be the wiser as to why. They can blame anyone.

I think we are lucky in some instances that these major companies are making some accommodations, but based on the inability of everyone to stay on the same page, I have to wonder how long it will last.

Comment by Yitao Yao (https://www.blogger.com/profile/05865982079791495147), 2010-11-17 09:55 -08:00

Hi Luke,

Thanks for the response. You are right (as I also said in my blog) that no one can prevent a hacker from providing a fake login form. However, as long as there is a clear differentiation between a legitimate login form and a faked one, the user community will have the power to expose any evil app.

It is super important that all OAuth providers (with their SDKs) present the user one and only one choice of login form, one which has confidentiality built in (such as the user's own web browser).

Good single sign-on will reduce the exposure to this MITM attack. However, it still permits an "undetectable" hack app if an embedded WebView is also used by the legitimate app and SDK.

I am glad to read your following comment on the Facebook Developers Forum:

"Also, to anatolyl's point about the fallback for single sign on: it's true that on Android, the fallback now relies on an embedded iframe. However, on iPhone the fallback goes to the full browser as suggested. We ran into some technical issues making that work on Android but we're hoping to resolve those soon."

I hope to see your new Android SDK with the correct implementation soon.

I am singling out the Facebook SDK in this blog simply because many other companies follow Facebook's approach. They will point to Facebook's use of an embedded WebView as their defense of the security risk level.

Comment by Luke Shepard (https://www.blogger.com/profile/06674050424143007611), 2010-11-17 00:30 -08:00

Hi Yitao,

I'm an engineer on the Facebook Platform team and a contributor to the OAuth 2.0 spec.

We recently released single sign-on for iPhone and Android (http://www.facebook.com/blog.php?post=446167297130). This simplifies the login flow and uses intents, similar to what you've described with the protocol scheme handler. One of our goals with this is to reduce the number of times that users will have to enter their Facebook passwords. As applications adopt single sign-on, the number of applications which ask for your password individually should dramatically decrease.

Even if many apps use a browser for sign-on, what you described is still technically impossible to prevent. It's worth realizing that any native application, whether on desktop or mobile, can display anything it wants on screen, and thus potentially phish users. This is not something that OAuth is intended to protect against directly. Rather, it tries to reduce the number of different scenarios where a user would be expected to enter their password.

As far as the HTTPS login form goes, it's a great idea and we're working on that.
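The "user's own browser plus a protocol scheme handler" flow that the thread above argues for, written out as an added example. This is not code from the post or from the Facebook SDK; the authorization endpoint, client ID and custom scheme are assumed placeholders, and the callback URL in the main block is constructed for an offline walk-through. The app builds the authorization URL, hands it to the system browser (so the app never renders or sees the password form), and then validates the redirect the OS delivers back through the registered scheme, checking both the redirect target and the per-attempt `state` before accepting an authorization code.

```python
"""Added example: OAuth 2.0 authorization-code request sent to the system
browser, with the callback returned to the app via a custom URL scheme.
Not code from the post or from the Facebook SDK; the endpoint, client ID and
scheme below are assumed placeholders."""
import secrets
import webbrowser
from urllib.parse import parse_qs, urlencode, urlparse

# Assumed placeholder values (hypothetical; substitute the provider's real ones).
AUTHORIZE_ENDPOINT = "https://provider.example/oauth/authorize"
CLIENT_ID = "example-client-id"
# Custom scheme the app registers with the OS (an intent filter on Android,
# a URL type on iOS) so the browser can hand the redirect back to the app.
REDIRECT_URI = "myapp://oauth/callback"


def build_authorization_request(scope="email"):
    """Return (url, state). The app opens url in the user's own browser and
    remembers state; it never renders the login form itself, so it cannot
    read the password the user types."""
    state = secrets.token_urlsafe(32)  # unguessable, bound to this attempt
    params = {
        "response_type": "code",
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "scope": scope,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params), state


def handle_callback(callback_url, expected_state):
    """Validate the URL the OS delivers to the app after the browser redirects.
    Returns the authorization code, or raises ValueError so the app aborts
    instead of exchanging a code it did not ask for."""
    got = urlparse(callback_url)
    want = urlparse(REDIRECT_URI)
    if (got.scheme, got.netloc, got.path) != (want.scheme, want.netloc, want.path):
        raise ValueError("callback did not arrive at the registered redirect URI")
    query = parse_qs(got.query)
    if "error" in query:
        raise ValueError("authorization server reported: " + query["error"][0])
    state = query.get("state", [""])[0]
    # Constant-time compare; a mismatch means the redirect was not a response
    # to our request (CSRF, or a forged redirect fired by another app).
    if not state or not secrets.compare_digest(state, expected_state):
        raise ValueError("state mismatch; discarding callback")
    code = query.get("code", [""])[0]
    if not code:
        raise ValueError("no authorization code in callback")
    return code


def start_login_in_system_browser():
    """Launch the flow in the default browser (not an embedded WebView)."""
    url, state = build_authorization_request()
    webbrowser.open(url)
    return state  # persist this until the scheme handler fires


if __name__ == "__main__":
    # Offline walk-through with a constructed callback instead of a real browser round trip.
    url, state = build_authorization_request()
    print("open in system browser:", url)
    constructed = REDIRECT_URI + "?" + urlencode({"code": "constructed-code", "state": state})
    print("code from valid callback:", handle_callback(constructed, state))
    try:
        handle_callback(REDIRECT_URI + "?code=x&state=forged", state)
    except ValueError as exc:
        print("rejected:", exc)
```

The same state check applies whether the redirect arrives through an Android intent filter or an iOS URL type; what the app must not do is load the authorization URL into a WebView it controls, since that is exactly the position from which a malicious app can read the submitted form.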