Web Application Using FB API from trusted IP address - Security Challenge - facebook

I have searched for "public IP" and read all articles shown. I have a question that I cannot answer with my search.
We have a web application running on a dozen kiosks installed at a national attraction. The FB API is called when users would like to post their personal picture (taken by our system) to FB. We do not allow the user to augment the posting in any way, only log in.
Is there any way to register a physical or IP address as "trusted" so that the continual flow of guest users at this attraction do not run into the "unknown IP address" security instance? We allow guests to post tens of thousands of photos to FB on a continual basis. This security hurdle causes 50% of users to abandon the effort to post to FB.
We have a three year history with the same hardware running at same location running through millions of visitors who want to post to FB. Fixing this security hurdle somehow would double the number of posts to FB. Thank you. Mike

Related

Sniffing Facebook chats with Wireshark

Once, we were having a conversation with our computer science professor about Wireshark and he told us, how he previously used it in a class and even saw facebook chats of some of his students. As I know, facebook is encrypted, so does anybody have an idea how he was able to do that?
Yes. Prior to the release of the tool FireSheep, Facebook, LinkedIn, Twitter, and other prominent social media platforms did not support TLS/SSL for all connections. In fact, companies generally claimed that the processing overhead would be too high, limiting their ability to serve customers effectively.
When FireSheep was released, most major social networking providers completely switched to TLS, or at least made it available for all requests, within weeks. Your professor likely did his demonstration before this change was made.
If you're unfamiliar with FireSheep, it was a Firefox browser plugin that allowed you to automate the collection of other users' session IDs from network traffic (via a network sniffer), allowing you to instantly impersonate any user (whose network data you could see) on major social media platforms.
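To make the answer above concrete, here is an added example (not code from the thread, nor FireSheep's own code) of what a sniffer-side session harvester does: it parses plaintext HTTP requests off the wire, pulls out the cookies that identify a session, and skips anything on port 443 because that is only ciphertext to a passive observer. The captured requests, the host name and the list of cookie names treated as session identifiers are all constructed for the example. The second function shows the server-side attribute that closes the hole: a cookie issued without `Secure` is sent by the browser on any plain `http://` request to that host, which is exactly the traffic FireSheep read.

```python
"""Added example: FireSheep-style session harvesting from plaintext HTTP,
plus the Set-Cookie check that stops it. All captures below are constructed."""
import re
from typing import Dict, List, Optional

# Assumed list of cookie names a harvester would treat as session identifiers.
SESSION_COOKIE_NAMES = {"PHPSESSID", "JSESSIONID", "sessionid", "sid", "c_user", "xs"}


def parse_http_request(raw: str) -> Optional[dict]:
    """Parse the request line and headers of a raw HTTP/1.x request as seen on the wire."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    m = re.match(r"^([A-Z]+) (\S+) HTTP/1\.[01]$", lines[0])
    if not m:
        return None
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            k, v = line.split(":", 1)
            headers[k.strip().lower()] = v.strip()
    return {"method": m.group(1), "path": m.group(2), "headers": headers}


def parse_cookies(header: str) -> Dict[str, str]:
    """Split a Cookie request header into name -> value."""
    out = {}
    for part in header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            out[k] = v
    return out


def harvest_sessions(captures: List[dict]) -> Dict[str, Dict[str, str]]:
    """Return {host: {cookie_name: value}} for every plaintext request carrying a
    session cookie. Each capture is {"tcp_port": int, "payload": str}. Port 443
    payloads are TLS records, unreadable to a passive sniffer, so they are skipped."""
    found: Dict[str, Dict[str, str]] = {}
    for cap in captures:
        if cap["tcp_port"] != 80:
            continue  # TLS: nothing to read
        req = parse_http_request(cap["payload"])
        if not req or "cookie" not in req["headers"]:
            continue
        host = req["headers"].get("host", "?")
        jar = parse_cookies(req["headers"]["cookie"])
        session = {k: v for k, v in jar.items() if k in SESSION_COOKIE_NAMES}
        if session:
            found.setdefault(host, {}).update(session)
    return found


def cookie_is_sniffable(set_cookie: str) -> bool:
    """True if the cookie, as issued by the server, can ever travel over plaintext:
    without the Secure attribute the browser attaches it to any http:// request."""
    attrs = {a.strip().lower() for a in set_cookie.split(";")[1:]}
    return "secure" not in attrs


# Constructed captures: one plaintext request with session cookies, one TLS record.
CAPTURES = [
    {
        "tcp_port": 80,
        "payload": (
            "GET /home.php HTTP/1.1\r\n"
            "Host: www.example-social.test\r\n"
            "Cookie: c_user=100001; xs=abc123; locale=en_US\r\n\r\n"
        ),
    },
    {"tcp_port": 443, "payload": "\x16\x03\x01\x02\x00..."},
]

if __name__ == "__main__":
    print(harvest_sessions(CAPTURES))
    print(cookie_is_sniffable("xs=abc123; Path=/; HttpOnly"))          # True
    print(cookie_is_sniffable("xs=abc123; Path=/; Secure; HttpOnly"))  # False
```

Running this against the constructed captures yields only the plaintext host's `c_user`/`xs` pair; the port-443 record contributes nothing, which is the whole reason the switch to TLS killed the attack. Note that `HttpOnly` does not help here: it stops script access, not transmission over plaintext.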

How facebook detects my location so precisely only based on IP address?

I have two-step authentication on facebook. I just tried to log in from my home PC but didn't enter the second-step code.
I've got a notification that somebody (me) was trying to log in to my account and the location was so precise (within 2 meters).
I wondered how facebook detects location so precisely only based on IP?
Today geolocation is in the core business of marketing companies; there's a very developed market for customer data, so tons of mobile apps and services collect data such as usual IP addresses, personal information, interests, locations.
That information gets resold to data brokers, aggregated, corrected. And then Facebook or others can buy that data, merge it, implement corrections and so on, and get tables for matching IPs and locations that are not public, it seems.
However they offer a high level API to perform market targeting which seems to use that data:
https://developers.facebook.com/docs/marketing-api/buying-api/targeting#location
In your case it was precise because they may have a good dataset based on your privacy settings experience, not only with facebook but with other geo-located apps. In my case their guess is wrong by hundreds of km, because I was behind a corporate proxy.

Country Restrictions - How does Facebook determine a user's location when filtering gated content?

How is a location determined when showing restricted posts from a page's wall?
Here is the configuration option I am talking about (on a page's settings page)
My scenario is: I have a server based in the UK which is using the user's auth token to show posts which are gated. Obviously I would like US based users to see these posts.
Will it take into account
My server's IP address?
The location the user has specified on their profile?
The IP the user used to sign up with? --- or something else?
To clarify I have set my location in my profile to be a place in the US, but don't see the posts (when calling the API, or when just viewing the page)
Also, when I log into my UK based account from the US, I still don't see the posts (from API, or from just viewing the page)
Oddly enough, when logged in from the US server, Facebook asks me to validate my account and suggests a UK based mobile number (+44) - could be related to the fact I signed up from the UK?
I have no way of creating an account that is US based because I don't have a US based mobile I can verify with.
I've been doing some testing on this.
I'm in Spain but wanted to see a page I'd restricted to UK only.
I set my current location and home town to London: Did not work
I verified my UK phone (roaming): Did not work
Used a VPN service (hidemyass) to give me a UK IP: Did not work
With the account set like that, no other changes. I called a mate and got him to login to the account in the UK and the page became visible.
So we can assume that settings of the account do not affect it, and that FB is detecting VPN-based traffic - maybe from a database list of datacentre IP addresses.
And that it uses a (non-datacentre) IP address detection to determine if you are in this country. It also follows that if you travel abroad you won't be able to see content even if you do "live" in that country. I'm guessing if you 'like' the page, then travel, you would still be able to see it.

Facebook-Like without users logged in?

In my physical store, I have a few tablets available which I use to obtain shoppers' email addresses. I'll leave them up on a simple web page where they just enter their email address to join my company's email mailing list.
I would like to add the ability for these individuals to also 'Like' my company on Facebook without actually logging into Facebook. My thoughts are that they will not want to log into Facebook via a shared machine due to security concerns and also the added time to log on will deter them from even adding their email address to begin with.
Here is what I am thinking... I was hoping to send the 'Like' update to their account based on the email address that they provided without actually logging on. Can this be achieved?
Thanks for your time.
No, the user must be logged in to send requests to facebook on their behalf.

Social Network (Facebook, Twitter, etc) User Account Integration (duplicate scenario)

So there are definitely many tutorials out there regarding how to integrate various individual social network authentication/registration into existing user accounts. But the scenario I can't seem to find out much information about is if a user signs into your account with different social network credentials. For example:
Scenario #1
User registers on site using site's authentication.
User then signs in/registers on site using Facebook Connect.
User then signs in/registers on site using Twitter.
How do I integrate all of these into one account?
Obviously once a user is registered, they can add other social network associations in the account settings pages. But I am more concerned if they register via the other social network not remembering they are already setup.
My general thoughts are trying to figure out a way to use the "username" or email to try and guess and present the user a way to combine accounts right there.
Anyone have any thoughts?
following up -
if your users can't remember that they've signed up previously, well, best of luck to them in general ;)
much as you described, i'm planning on giving users the option to link additional accounts once they have signed in by one means or another.
but as far as cross-checking, there's only so much you can do. many social network APIs do indeed provide email addresses (once you've busted in through OAuth) but these may be accessible only if a user has elected to make his/her address public, which is not guaranteed.
also not guaranteed is that the user used the SAME email address for each social network account, so even if you manage to retrieve an address it may or not be of any use to you.
finally, if you find matching email addresses via such means, it might be advisable to prompt the user to link accounts rather than assume he/she wants this done automatically. some people like to maintain multiple personalities. i.e. "it looks like you are also signed up with twitter - do you want to link your accounts? it will make your life seem worth living."
you might consider offering incentives to link user accounts or to provide an email address (up to you of course to figure out what these might be, based on the functionality of your website).
solution i am working on, database-side, is to maintain multiple accounts and then if link information is discovered by various means, said link is indicated in a lookup table.
an alternative is once you find a link, attempt to combine all relevant entries for the multiple accounts into one account entity - all i can say about this latter approach is that i would do so with caution as there could be a formidable level of complexity depending on the user's activity level and the complexity of your database schema.
in my (mental/actual) namespace a user who registers the old-fashioned way has a 'standard' account and one who uses a social network has an 'alias' account. then the goal becomes to define where the alias is supposed to point, i.e. create the lookup such that a subsequent login via either means retrieves the relevant information for both accounts (with a preference for displaying personal data for the 'standard' account).
btw i figured out how to make twitter OAuth behave since my last post - you can look at my other answers for details if you're interested.
JB
hi matt,
i'm working on the same problem right now.
assuming the user starts with a regular site account (which is not necessarily safe to assume if he sees all the pretty "connect with XXX network" buttons!!!), you can use either OAuth or the javascript APIs (facebookConnect or #anywhere - haven't fully figured out the latter yet and i'm not sure I recommend it as I don't think it provides as rich an API as do the backend libraries) to log in to the other sites.
the APIs should return certain information after a successful login/redirect from the social network - such as the user ID and an ACCESS TOKEN which you can then store in your database in some capacity associating your 'actual' application user with the ID of the social network.
when the user returns to the site, you can then
1. verify cookies set by the social network services (various schemes typically verifying a signature, based on a sha1 or md5 hash of your application data - by which i mean the data you get when you register your app with twitter/facebook, typically a consumer key, application ID, etc. - with the received cookies) so you know the user has logged in with the social network
2. find your database entry association as described above
3. log your user in manually based on the assumption that the facebook/twitter connection is secure.
caveat: this is only as secure as your implementation (or as secure as facebook/twitter's implementations, if you prefer...)
although twitter's OAuth does not currently seem to work quite right, their general description of the process is pretty informative:
http://dev.twitter.com/pages/auth
good luck.
J
I have been contemplating adding FB auth to our app, but we know that our returning users might click it and complete checkout for a new item, and then be surprised to not see any of their existing orders. To solve this, when a user clicks the 'Login with Facebook' item, we are using that click to fire a dropdown menu with two options:
[ Login with Facebook ]
[ Create new account ]
[ I have an account ]
If the user clicks 'I have an account' we send them to FB auth and return email from FB to our app. We compare that email to our existing users. If we match, we add the FB creds to the user. If no match, we throw an alert:
The email you have with FB does not match any of our accounts. To log in to your existing account, login with your email below, or update the email in your Facebook account
This allows the user to create a whole new account, if they want to keep them separate, without needing a new email service. While this is an edge case, it is a feature.
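Two of the answers above describe the same returning-user flow from different angles: J's three steps (verify the signed cookie from the social network, look up the association in your own table, only then log the user in) and the later answer's rule of matching the provider's email against existing accounts and asking before linking. The following is an added example, not code from either poster: it verifies a `sig.payload` token in the shape of Facebook's signed_request envelope (HMAC-SHA256 over the base64url payload, keyed with the app secret), then applies the "link table first, email match is only a prompt, otherwise create an alias account" policy from the thread. The app secret, the account records, the link table and the incoming tokens are all constructed; `make_signed_request` exists only to fabricate test input the way the provider would.

```python
"""Added example: verify a signed social-login token, then decide between
logging in, prompting to link, or creating an alias account.
Secret, accounts, link table and tokens are all constructed."""
import base64
import hashlib
import hmac
import json
from typing import Optional

APP_SECRET = b"constructed-app-secret"  # assumption: the secret issued when you register your app


def b64url_decode(s: str) -> bytes:
    # Providers strip '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_signed_request(payload: dict, secret: bytes = APP_SECRET) -> str:
    """Fabricate a 'sig.payload' token as the provider would (test input only)."""
    body = b64url_encode(json.dumps({**payload, "algorithm": "HMAC-SHA256"}).encode())
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return f"{b64url_encode(sig)}.{body}"


def verify_signed_request(token: str, secret: bytes = APP_SECRET) -> Optional[dict]:
    """Return the payload only if the HMAC over the encoded payload matches.
    The comparison is constant-time; anything malformed is rejected, never guessed."""
    try:
        sig_b64, body = token.split(".", 1)
        expected = hmac.new(secret, body.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(b64url_decode(sig_b64), expected):
            return None
        payload = json.loads(b64url_decode(body))
        if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
            return None
        return payload
    except (ValueError, json.JSONDecodeError):
        return None


# Constructed "database": standard accounts keyed by id, plus the lookup table
# from the thread mapping (provider, provider_user_id) -> our account id.
ACCOUNTS = {1: {"email": "mike@example.test", "kind": "standard"}}
LINKS = {("facebook", "555"): 1}


def resolve_login(provider: str, token: str) -> dict:
    """Step 1: verify the signature. Step 2: consult the link table.
    Step 3: log in only on an existing link; an email match merely prompts."""
    payload = verify_signed_request(token)
    if payload is None:
        return {"action": "reject", "reason": "bad signature"}
    pid = str(payload["user_id"])
    if (provider, pid) in LINKS:
        return {"action": "login", "account_id": LINKS[(provider, pid)]}
    # Not linked yet. An email match is a hint, not proof of ownership, so ask
    # the user to link rather than merging automatically (some people keep
    # separate identities on purpose, as the thread notes).
    email = str(payload.get("email", "")).lower()
    for acct_id, acct in ACCOUNTS.items():
        if email and acct["email"].lower() == email:
            return {"action": "prompt_link", "account_id": acct_id}
    return {"action": "create_alias", "provider_user_id": pid}


if __name__ == "__main__":
    linked = make_signed_request({"user_id": "555", "email": "any@example.test"})
    same_email = make_signed_request({"user_id": "777", "email": "Mike@example.test"})
    stranger = make_signed_request({"user_id": "888", "email": "new@example.test"})
    forged = make_signed_request({"user_id": "555"}, secret=b"wrong-secret")
    for t in (linked, same_email, stranger, forged):
        print(resolve_login("facebook", t))
```

The order of checks matters: the provider's user ID is the stable key, so the link table is consulted before the email, and the email is never used to log someone in on its own. Because the HMAC covers the encoded payload byte-for-byte, a token whose email or user ID has been edited in transit fails verification before any database lookup happens.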