Will exposing app specific Facebook friend user IDs in client side source code expose my app/my apps users to any exploitable security/spam risks?
Example where data is exposed:
I'm requesting the list of facebook friends using the user_friends permission with the graph API. This list returns a name and app specific user ID for each friend.
I allow a user to select a friend which will send them an in-app invite.
The best way to identify this friend is the app specific user ID which means it will appear in my client side source code.
Exploits I can think of:
Using a sending message dialog link (https://developers.facebook.com/docs/sharing/web#sendingmessages), might allow someone to use my app id (which can be easily found by logging in via facebook) and an exposed user ID to prepopulate the to field to pretend to be my app trying to spam their friends.
Workaround to exposing data:
Store the friend list in a db table and generate a new harmless ID for each relationship.
I'd rather not do this as I'll have to update this list every time as friend lists will change regularly.
It is perfectly safe to expose those App Scoped IDs on the client. You can only prepopulate the send dialog with one single ID, and the ID must be a friend of yours. So you can´t really exploit it.
IDs are safe in general (App ID, User ID, ...). You only need to be careful with your App Secret and Access Tokens.
Related
I want to allow user to tag it's friend only once. however taggable_friends endpoint provides the temporary token id which does not persist on different api calls. I don't want Facebook id of the friend but any id that would be persistent whenever I fetch this endpoint.
Cleaning up unanswered threads: As WizKid commented, it is not possible to identify a user with taggable_friends, because the token is only valid for a short time and it changes. You could only match the name of the user, there is no other way. It´s not 100% unique, of course - because the user could have 2 friends with the same name.
On custom audience, there is the possibility to upload a Facebook ID list for creating an audience... After the Graph API v2.0 migration, when we won't have access to Facebook ID anymore, how can i upload the user id list? Can i use a app_scoped_id based list?
If someone publishes something on my fanpage, and i get his post using Graph API, will i be able to use his id on custom audience? The official documentation don't make itself clear when explaining about the "expiring process" of a app_scoped_id. As far as i understood, when someone authorizes an application, his app_scoped_id will be "permanent", but if there is no user interaction/authorization with my application, the app_scoped_id CAN expire in 24 hours... is that right? If so, how can i use a list of ids on custom audience if they expires?
Thank you!
UPDATE
From https://developers.facebook.com/docs/apps/upgrading#upgrading_v2_0_user_ids:
For users who have not logged into your app, the user ID may change depending on the version of the API that you call. In v1.0 of the API users who have not logged into your app will be referred to by their original Facebook user ID, whereas in v2.0 they will be referred to by an app-scoped ID.
We've added new API endpoints that allow you to tag and invite friends who don't use your app. These APIs return tokens which may be used to generate custom interfaces for tagging and invitations. Those tokens aren't meant to be cachable and we make no guarantees that they will be stable beyond 24 hours from the time the API response containing them was received. They aren't the same as either the IDs used on data for people not logged into your app nor the same as the app-scoped IDs.
You are confusing the app-scoped IDs with temporarily generated IDs. App-scoped IDs will not change over time. Temporarily generated IDs are meant to help with inviting and tagging friends who have not authorized an application and as such they will not remain the same over time.
In advent of the new V2 Facebook Open Graph API, I need to make note of the logged in users 'App-Scoped' user ID, in order to register the id with Parse in order to receive PUSH notifications.
However, as the logged in user I get the Facebook ID instead.
Haven't found anything in the docs to solve this problem yet, so thought I better ask here.
If you created your facebook application before the introduction of graph API 2.0, It will continue to receive the canonical facebook user ID
If you created your facebook application, after the introduction of graph API 2.0, It gives you app scoped id instead of the canonical id.
In this case I assume your application is quite old.Therefor create a new app and it will give you the app scope id.
In facebook document:
"The id of this person's user account. This ID is unique to each app
and cannot be used across different apps. Our upgrade guide provides
more info about this." You only get id with each apps.
more information in here: facebook.developers
The "Facebook ID" as you call it IS the App-scoped User ID.
See https://developers.facebook.com/docs/apps/upgrading#upgrading_v2_0_user_ids
The id you get from the api's is an opaque string, and you should use it as such.
If the user has already granted your app access on v1, then your app will continue to receive the same id.
The old users who have registered keep receiving the canonical ID from Facebook for those users, and new users are getting the new scoped ID. Although it is working fine as a long integer, I suggest to change the long field for a string field (unless you already treat it as a string), because we cannot know what Facebook will send here in the future. To keep your code mainly unchanged, create a new internal user id long integer which will be the one your code is already using, and relate it with the string ID from Facebook, which is canonical or scoped, depending if the user registered before or after the migration, and which you will have to manage only for logins, requests, open graph stories, etc.
This way you have not worry about canonical or scoped id EXCEPT one case. Everything works fine, except we found a problem, and maybe somebody can correct me and so help me to solve this: when a new user accept a invite request from an existing user, when your app reads the ID of the sender of the request, I found that Facebook gives you the new scoped id ALWAYS, no mater if the referrer is old or new user. This way, if a user registered before the migration, you have stored the canonical ID, and later, you read a request from this user accepted for a new one, you get the scoped id from the old user, but what you have stored is the canonical one! As result, old users can no more invite new users properly! If anyone knows how getting canonical ids from requests sent for old users, or knows how to obtain the scoped ids for the existing users with canonical ids (to store the new scoped ids in the database) it would be very helpful to hear their suggestions.
I am developing an app in which I want a user (Alice) to send a list of few of her friends to one of her other friends (Bob). Bob is not a friend of the people on Alice's list.
The list that will be displayed to Bob will contain only public data that can be queried from facebook by the ids of the friends on the list. Meaning, I will only save the ids of the friends.
Is what I'm planning in accordance with the Platform Policies? and particularly with sections 2.4:
A user's friends' data can only be used in the context of the user's experience on your application.
and 2.11:
You cannot use a user’s friend list outside of your application, even if a user consents to such use, but you can use connections between users who have both connected to your application.
If you provide that information inside your app context I see no problem... Meaning If in your app you sugest the Alice Friends to Bob you'r OK.
It's been done time and time again...
Seems like you may be looking for Facebook's friend suggest dialog, which is part of their API. Facebook will suggest and send a friend request on your behalf.
https://developers.facebook.com/docs/reference/dialogs/friends/
I want to get a list of all users (even if they are my friends or not) who are using my facebook application. Is this possible? If so, how?
And another quick question if we're still here :) Assue I have a facebook id of a person, can I retrieve his name by using it?
I don't believe that you can get a list of all the Facebook IDs of users of a particular application. There doesn't appear to be a possible query for this based on an examination of the FQL tables, probably due to performance and privacy reasons. Generally the presumption is that you maintain a local list of users in your own application, and correlate them to Facebook via their ID, so you would already have all these IDs.
To answer your second question though, yes, that is definitely possible. The Facebook API provides both the users.getStandardInfo and the users.getInfo methods, both of which take user Ids and return information about the user, including the name. users.getInfo can even be used without a session key to just get the name of the user.