Facebook discovered a "security issue" affecting 50 million accounts.
According to Facebook,
This allowed them to steal Facebook access tokens which they could
then use to take over people’s accounts
I searched this about, but I couldn't find any single article, how to access Facebook account if you know the access token.
So I couldn't understand this security issue. Can anyone tell me how a hacker can access Facebook account if they know the access token?
Related
I have no idea about how facebook tokens or APIs work, so please excuse my ignorance.
I am trying to get a access token to display my posts to my wall. My website is www.quadscene.co.nz and on the homepage I am trying to display all posts to wall.
I have created a access token using some tools within facebook, but they expire within about 2 hours, these token work fine when selecting the user_posts option or permission, however all other access tokens ive tried do not display posts.
I think its using OAuth.
Is there a way to create a token that will not expire? and has the user_posts permissions?
Thanks in advance!
You need to read the docs to understand how OAuth works and what different access tokens are available.
Specifically, you need to look at the long-lived tokens.
Am I allowed to create an app that only invited people can join?
Or do all apps have to be open to everyone?
You can have a white list for people who are allowed to use your app in your database and ignore any request for other people.
EDIT:
As per the question in the comment section, I will give you more details. I have not quite done exactly this, but I can guarantee you this is possible. I have a website, linked to Facebook and people can log in to the site using Facebook. In my database I am storing the Facebook ID and the Facebook user access token. When a user clicks on the login with Facebook, his Facebook user access token is checked against the database. If the Facebook user access token (which works like a temporary password) expires, it is renewed. However, people are identified by their Facebook ID. I could easily have a white list for Facebook IDs and allow access only for people whose Facebook ID can be found in the database. My project strategy is to get as many users as possible, but I could easily modify this to restrict access for not verified people. Your problem with consistent login probably lies in the fact that the Facebook user access token expires in a few hours. However, that problem is solvable:
if the user has modified his Facebook password, or has not connected to the app, then he will be asked by Facebook for permissions
if the user is no longer logged in, then he will have to log in
if the user's Facebook user access token has expired, then you should generate a new Facebook user access token
finally, you can generate long-term Facebook user access tokens, which last for months.
Read the documentation for details, but keep in mind that things might have been changed at Facebook since the documentation was written, therefore you should not believe everything written there, but should rather test the validity of the most important statements.
I have started on developing a server side application that requires integration with facebook. My needs is an access token that will not expire, but unfortunately facebook has removed the offline_access feature and replaced with a long-live user access token that will last only 60 days.
I realise that there is an Application Access Token that will not expire. When I use it instead of the User Access Token to fetch the feed, I get must less information.
I have read from other sources that as long as relevant permissions are delegated, such as read_stream is given, using the application access token should allow the server-side application to access the users information that accepted the facebook application.
Am I mistaken ? Can anyone help to clarify ? Thanks
Thanks
Excerpt from: https://developers.facebook.com/docs/opengraph/using-app-tokens/
While an App Access Token is largely for the purposes of publishing information back to Facebook on behalf of the user, there is a limited set of information that can be retrieved from Facebook using an App Access Token.
Basic Profile Info of a User (ID, Name, Username, Gender)
A User’s Friends and their IDs
Permissions granted by the User to your App
So there is a limited set of info you can get using an app access token. So you probably don't want to use it to get the user's feed.
Is Facebook graph API enough secure to store and retrieve data? Apparently, it's quite easy to access information of some unknown person with appropriate query. I would like to know is there any security threat of making personal information public? If anyone has any idea please share.
All depends on the permission.Here is the link for facebook app permission.
Permissions
It works.
Thanks
user has to give you permissions first before you're allowed to access his private informations.
To store data -> what do you mean? It's not storage engine
To retreive data -> PHP sdk uses https protocol so yes, it's secured
The only information you can get from the graph is public info, or content which you have a valid access token for.
If you have stored a user's Facebook ID, you can still only access their information when you have a valid access token. That could either be obtained by having the user authenticate with Facebook, or by requesting the offline_access permission from the user. With offline_access, the life of the access token is dramatically extended, meaning that you can make API calls on the users behalf while they are offline, but you can still only perform actions that the user has granted permission for.
Whether you should make your personal information public on social networks and what security ramifications sharing your personal information has is a whole other discussion, and not really suited to this site.
As long as you have the permission from the user to access his profile, you can view all the information which USER WANTS you to see.
I have a website that takes care of getting a Facebook token through Graph / OAuth. At that point, the website can post to the user's Facebook wall with no problems.
Is it possible to send this token to another website so the remote website can start posting the user's Facebook wall without re-logging in the user?
Access tokens are granted per APP ID, not per domain
That being said, unless your access token includes the offline_access permission, access tokens are bound to the current session so even if you managed to "pass" it to another domain, it wouldn't work if the user was logged out (of Facebook).
So, yes it should be possible under the right circumstances.