Facebook Login Security
Kien Nguyen
November 01, 2017
Transcript
Securing Login With Facebook API for Mobile Application
kiennt.com, Kien Nguyen, Lead Backend Engineer, github.com/kiennt

Why I choose this topic
I hacked

Facebook Login Flow

Use client to get facebook data (slide diagram):
1. Client sends the fb access token to graph.facebook.com/me
2. Graph API returns the user's facebook id
3. Client sends facebook_id to your server
4. Your server gets or inserts the user in your database based on facebook_id
5. Your server returns a site access token

Attack on this flow (slide diagram): the attacker sends a fake facebook_id to your server at step 3; steps 4 and 5 run unchanged and the attacker receives a site access token for that user. Attacker only need to know facebook_id.

Never trust data from client!

Use server to get facebook data (slide diagram):
1. Client sends the fb access token to your server
2. Your server calls graph.facebook.com/me to get user data
3. Graph API returns the user's facebook_id
4. Your server gets or inserts the user in your database
5. Your server returns a site access token

Attacker use fake access token (slide diagram): the attacker obtains a valid facebook token from another fb application and sends it to your server at step 1 as the fb access token; graph.facebook.com/me still returns the user's facebook_id, so steps 3 to 5 run unchanged and the attacker receives a site access token.

Always validate client data

How to fix? (slide diagram):
1. Client sends the fb access token to your server
2. Your server validates the fb access token with graph.facebook.com
3. Your server calls graph.facebook.com/me to get user data
4. Graph API returns the user's facebook_id
5. Your server gets or inserts the user in your database
6. Your server returns a site access token

How to fix?
https://developers.facebook.com/docs/facebook-login/access-tokens/debugging-and-error-handling
GET /debug_token?input_token={input-token}&access_token={access-token}
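The fixed flow above, as an added example that is not part of the deck: a server-side login check that calls /debug_token before /me and rejects a token that is valid but was issued to another app. The names verify_facebook_login, LoginRejected, FAKE_TOKENS and fake_fetch_json are assumptions for this example; the response fields is_valid, app_id and user_id follow the /debug_token documentation linked above, and the "app_id|app_secret" app token format is one the docs describe.

```python
import json
from urllib.parse import urlencode, urlparse, parse_qs
from urllib.request import urlopen

GRAPH = "https://graph.facebook.com"


class LoginRejected(Exception):
    """Raised when the client-supplied token must not be turned into a site session."""


def verify_facebook_login(input_token, app_id, app_token, fetch_json):
    """Steps 2-4 of the fixed flow: validate the token, then read the profile.

    fetch_json(url) -> dict does the HTTPS GET; it is injected so the logic
    can run offline against a constructed Graph API stand-in (below).
    app_token is this app's own token, e.g. "app_id|app_secret" (assumed).
    """
    debug_url = f"{GRAPH}/debug_token?" + urlencode(
        {"input_token": input_token, "access_token": app_token})
    data = fetch_json(debug_url).get("data", {})
    if not data.get("is_valid"):
        raise LoginRejected("token is not valid")
    if str(data.get("app_id")) != str(app_id):   # token from some other fb application
        raise LoginRejected("token was issued for another application")
    me_url = f"{GRAPH}/me?" + urlencode({"fields": "id,name", "access_token": input_token})
    profile = fetch_json(me_url)
    if str(profile.get("id")) != str(data.get("user_id")):   # /me and /debug_token must agree
        raise LoginRejected("user id mismatch between /debug_token and /me")
    return {"facebook_id": str(profile["id"]), "name": profile.get("name")}


def https_fetch_json(url):
    """Real fetcher for production use."""
    with urlopen(url, timeout=10) as resp:
        return json.load(resp)


# Constructed stand-in for graph.facebook.com: token -> (issuing app id, user id).
FAKE_TOKENS = {"tok-ours": ("111111", "5001"), "tok-other-app": ("999999", "5001")}


def fake_fetch_json(url):
    parsed = urlparse(url)
    qs = {k: v[0] for k, v in parse_qs(parsed.query).items()}
    if parsed.path == "/debug_token":
        app, user = FAKE_TOKENS.get(qs["input_token"], (None, None))
        return {"data": {"is_valid": app is not None, "app_id": app, "user_id": user}}
    if parsed.path == "/me":
        app, user = FAKE_TOKENS.get(qs["access_token"], (None, None))
        return {"id": user, "name": "Constructed User"}   # /me alone cannot tell the apps apart
    return {"error": "unknown endpoint"}
```

With the real fetcher, `verify_facebook_login(client_token, "<app id>", "<app id>|<app secret>", https_fetch_json)` is the call to make before the get-or-insert step.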
Conclusion
Do not use client to get facebook user data
Use /debug_token to check access token is from your application

Remember
Do not use client to get facebook user data
Use /debug_token to check access token is from your application

TRUST CIRCLE IS HIRING