Facebook Login Security
Kien Nguyen
November 01, 2017
Transcript
Securing Login With Facebook API for Mobile Application
kiennt.com, Kien Nguyen, Lead Backend Engineer, github.com/kiennt

Why I chose this topic: I hacked.

Facebook Login Flow

Use client to get Facebook data
1. The client sends its fb access token to graph.facebook.com/me
2. Facebook returns the user's facebook id to the client
3. The client sends facebook_id to your server
4. Your server gets or inserts the user in your database based on facebook_id
5. Your server returns a site access token to the client

Attacker: sends a fake facebook_id to your server (step 3); your server gets or inserts based on it (step 4) and returns a site access token (step 5). The attacker only needs to know the facebook_id.

Never trust data from client!

Use server to get Facebook data
1. The client sends its fb access token to your server
2. Your server calls graph.facebook.com/me to get user data
3. Facebook returns the user's facebook_id to your server
4. Your server gets or inserts the user in your database
5. Your server returns a site access token to the client

Attacker uses a fake access token: a valid Facebook token obtained from another fb application is sent to your server as the fb access token (step 1); your server gets user data from graph.facebook.com/me (step 2), receives the user's facebook_id (step 3), gets or inserts (step 4) and returns a site access token (step 5).

Always validate client data

How to fix?
1. The client sends its fb access token to your server
2. Your server validates the fb access token with graph.facebook.com
3. Your server calls graph.facebook.com/me to get user data
4. Facebook returns the user's facebook_id to your server
5. Your server gets or inserts the user in your database
6. Your server returns a site access token to the client

How to fix? https://developers.facebook.com/docs/facebook-login/access-tokens/debugging-and-error-handling
GET /debug_token?input_token={input-token}&access_token={access-token}
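The validation step from the "How to fix?" slides, as an added example that is not the deck's own code: the server builds the /debug_token request, then accepts the client's token only when Facebook reports it as valid and issued for our app_id. APP_ID and APP_SECRET are placeholders, and the sample response bodies are constructed to match the documented /debug_token shape.

```python
import json
import time
from typing import Optional, Tuple
from urllib.parse import urlencode
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"
APP_ID = "123456789012345"          # placeholder: your Facebook app id
APP_SECRET = "REPLACE_WITH_SECRET"  # placeholder: app secret, stays on the server


def debug_token_url(input_token: str, app_id: str = APP_ID, app_secret: str = APP_SECRET) -> str:
    # Authorise /debug_token with the app access token "{app-id}|{app-secret}", so the
    # client-supplied token is inspected by Facebook rather than vouching for itself.
    query = urlencode({"input_token": input_token, "access_token": f"{app_id}|{app_secret}"})
    return f"{GRAPH}/debug_token?{query}"


def check_debug_response(body: dict, expected_app_id: str,
                         now: Optional[float] = None) -> Tuple[Optional[str], str]:
    """Parsed /debug_token body -> (facebook user id, "ok") or (None, reason)."""
    data = body.get("data") or {}
    if "error" in data:
        return None, f"rejected by facebook: {data['error']}"
    if not data.get("is_valid"):
        return None, "token is not valid"
    # The deck's fix: a valid token minted for *another* Facebook app passes /me
    # but fails here, because app_id comes from Facebook, not from the client.
    if str(data.get("app_id")) != str(expected_app_id):
        return None, "token was issued for a different application"
    expires_at = data.get("expires_at") or 0  # 0 = never expires
    if expires_at and expires_at < (time.time() if now is None else now):
        return None, "token has expired"
    user_id = data.get("user_id")
    if not user_id:
        return None, "token carries no user id"
    return str(user_id), "ok"


def facebook_user_id_for(input_token: str) -> Optional[str]:
    # Live check (step 2 of the fixed flow): only the server talks to graph.facebook.com.
    with urlopen(debug_token_url(input_token)) as resp:
        user_id, _reason = check_debug_response(json.load(resp), APP_ID)
    return user_id  # get-or-insert the user by this id only when it is not None


# Constructed sample bodies (not captured from Facebook) for an offline check.
GOOD_BODY = {"data": {"app_id": APP_ID, "is_valid": True, "user_id": "10001", "expires_at": 2000000000}}
OTHER_APP_BODY = {"data": {"app_id": "999", "is_valid": True, "user_id": "10001", "expires_at": 2000000000}}
```

Only the user id returned by check_debug_response is used for the get-or-insert; the facebook_id the client might send alongside the token is ignored.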
Conclusion
- Do not use the client to get Facebook user data
- Use /debug_token to check that the access token is from your application

Remember
- Do not use the client to get Facebook user data
- Use /debug_token to check that the access token is from your application

TRUST CIRCLE IS HIRING