Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Facebook Login Security

Avatar for Kien Nguyen Kien Nguyen
November 01, 2017
Programming
0
55

Facebook Login Security

Avatar for Kien Nguyen

Kien Nguyen

November 01, 2017
Tweet

More Decks by Kien Nguyen

See All by Kien Nguyen
Introduction
Avatar for Kien Nguyen kiennt
0
51
Introduction to Django v2
Avatar for Kien Nguyen kiennt
0
100
Clean code
Avatar for Kien Nguyen kiennt
8
410
Introduction to Django
Avatar for Kien Nguyen kiennt
0
110
Unix_Process.pdf
Avatar for Kien Nguyen kiennt
2
8.2k
Happiness
Avatar for Kien Nguyen kiennt
1
460
RTMP and RTMPE protocols
Avatar for Kien Nguyen kiennt
2
650

Other Decks in Programming

See All in Programming
HTTPプロトコル正しく理解していますか? 〜かわいい猫と共に学ぼう。ฅ^•ω•^ฅ ニャ〜
Avatar for ♛Heitor Hirose hekuchan
2
680
副作用をどこに置くか問題:オブジェクト指向で整理する設計判断ツリー
Avatar for Koya Masuda koxya
1
600
Oxlint JS plugins
Avatar for kazupon kazupon
1
840
AWS re:Invent 2025参加 直前 Seattle-Tacoma Airport(SEA)におけるハードウェア紛失インシデントLT
Avatar for tetutetu214 tetutetu214
2
110
CSC307 Lecture 04
Avatar for Javier Gonzalez-Sanchez javiergs
PRO
0
660
AIと一緒にレガシーに向き合ってみた
Avatar for nyafunta9858 nyafunta9858
0
180
なるべく楽してバックエンドに型をつけたい!(楽とは言ってない)
Avatar for HIBIKI CUBE hibiki_cube
0
140
AI によるインシデント初動調査の自動化を行う AI インシデントコマンダーを作った話
Avatar for azukiazusa azukiazusa1
1
700
AI Schema Enrichment for your Oracle AI Database
Avatar for thatjeffsmith thatjeffsmith
0
250
0→1 フロントエンド開発 Tips🚀 #レバテックMeetup
Avatar for 弁護士ドットコム bengo4com
0
550
AI Agent Tool のためのバックエンドアーキテクチャを考える #encraft
Avatar for izumin5210 izumin5210
6
1.8k
「ブロックテーマでは再現できない」は本当か?
Avatar for Takashi Kitajima inc2734
0
870

Featured

See All Featured
職位にかかわらず全員がリーダーシップを発揮するチーム作り / Building a team where everyone can demonstrate leadership regardless of position
Avatar for MADOX madoxten
57
50k
The Limits of Empathy - UXLibs8
Avatar for Cassini Nazir cassininazir
1
210
Performance Is Good for Brains [We Love Speed 2024]
Avatar for Tammy Everts tammyeverts
12
1.4k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
74
11k
Dealing with People You Can't Stand - Big Design 2015
Avatar for Cassini Nazir cassininazir
367
27k
New Earth Scene 8
Avatar for Sydney Stone popppiees
1
1.5k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
SEO Brein meetup: CTRL+C is not how to scale international SEO
Avatar for Linda Hogenes lindahogenes
0
2.3k
Why Mistakes Are the Best Teachers: Turning Failure into a Pathway for Growth
Avatar for Umar Saidu Auna auna
0
51
Marketing Yourself as an Engineer | Alaka | Gurzu
Avatar for Gurzu gurzu
0
130
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
59
6.3k
DevOps and Value Stream Thinking: Enabling flow, efficiency and business value
Avatar for Helen Beal helenjbeal
1
90

Transcript

  1. Securing Login With Facebook API for Mobile Application

  2. kiennt.com Kien Nguyen Lead Backend Engineer github.com/kiennt

  3. Why I choose this topic

  4. I hacked

  5. Facebook Login Flow

  6. Facebook Login Flow

  7. Use client to get facebook data graph.facebook.com/me fb access token

    1

  8. Use client to get facebook data graph.facebook.com/me fb access token

    1 user ’s facebook id 2

  9. Use client to get facebook data graph.facebook.com/me fb access token

    1 user ’s facebook id 2 facebook_id 3 your server

  10. Use client to get facebook data graph.facebook.com/me fb access token

    1 user ’s facebook id 2 facebook_id 3 your server your database get or insert base on facebook_id 4

  11. Use client to get facebook data graph.facebook.com/me fb access token

    1 user ’s facebook id 2 facebook_id 3 your server your database site access token 5 5 get or insert base on facebook_id 4

  12. fake facebook_id 3 your server your database site access token

    5 5 get or insert base on facebook_id 4 attacker Attacker only need to know facebook_id

  13. Never trust data from client!

  14. Use server to get facebook data your server fb access

    token 1

  15. Use server to get facebook data your server fb access

    token 1 get user data 2

  16. Use server to get facebook data your server fb access

    token 1 graph.facebook.com/me get user data 2 user facebook_id 3

  17. Use server to get facebook data your server fb access

    token 1 graph.facebook.com/me your database get user data 2 user facebook_id 3 get or insert 4

  18. Use server to get facebook data your server fb access

    token 1 graph.facebook.com/me your database site access token 5 5 get user data 2 user facebook_id 3 get or insert 4

  19. Attacker use fake access token your server fake access token

    1 graph.facebook.com/me your database site access token 5 5 get user data 2 user facebook_id 3 get or insert 4 attacker

  20. Attacker use fake access token your server fake access token

    1 graph.facebook.com/me your database site access token 5 5 get user data 2 user facebook_id 3 get or insert 4 attacker other fb application a valid facebook token

  21. Always validate client data

  22. How to fix? your server fb access token 1 graph.facebook.com/me

    your database site access token 5 6 get user data 3 user facebook_id 4 get or insert 5 graph.facebook.com validate fb access token 2

  23. How to fix? https://developers.facebook.com/docs/facebook-login/access-tokens/debugging-and-error-handling GET /debug_token?input_token={input-token}&access_token={access-token}

  24. Conclusion Do not use client to get facebook user data

    Use /debug_token to check access token is from your application

  25. Remember Do not use client to get facebook user data

    Use /debug_token to check access token is from your application TRUST CIRCLE IS HIRING
  26. None