Facebook Login Security
Kien Nguyen
November 01, 2017
Transcript
Securing Login With Facebook API for Mobile Application

kiennt.com
Kien Nguyen, Lead Backend Engineer
github.com/kiennt

Why I chose this topic
I hacked

Facebook Login Flow

Use client to get facebook data
1. The client sends the fb access token to graph.facebook.com/me
2. graph.facebook.com/me returns the user's facebook id
3. The client sends facebook_id to your server
4. Your server gets or inserts the user in your database based on facebook_id
5. Your server returns a site access token to the client

Attacker sends a fake facebook_id
3. The attacker sends a fake facebook_id to your server
4. Your server gets or inserts the user in your database based on facebook_id
5. Your server returns a site access token to the attacker
The attacker only needs to know the facebook_id.

Never trust data from client!

Use server to get facebook data
1. The client sends the fb access token to your server
2. Your server gets user data from graph.facebook.com/me
3. graph.facebook.com/me returns the user's facebook_id
4. Your server gets or inserts the user in your database
5. Your server returns a site access token to the client

Attacker uses a fake access token
1. The attacker sends a fake access token to your server: a valid facebook token issued to another fb application
2. Your server gets user data from graph.facebook.com/me
3. graph.facebook.com/me returns the user's facebook_id
4. Your server gets or inserts the user in your database
5. Your server returns a site access token to the attacker

Always validate client data

How to fix?
1. The client sends the fb access token to your server
2. Your server validates the fb access token with graph.facebook.com
3. Your server gets user data from graph.facebook.com/me
4. graph.facebook.com/me returns the user's facebook_id
5. Your server gets or inserts the user in your database
6. Your server returns a site access token to the client

How to fix?
https://developers.facebook.com/docs/facebook-login/access-tokens/debugging-and-error-handling
GET /debug_token?input_token={input-token}&access_token={access-token}
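The validation step from the two "How to fix?" slides, as an added example that is not from the talk (Python; the app id, the app access token and the /debug_token responses below are placeholders and constructed samples, not values from the deck):

```python
# Added example, not the speaker's code: server-side check of a client-supplied
# Facebook access token via GET /debug_token before trusting the facebook_id.
import json
from urllib.parse import urlencode
from urllib.request import urlopen

OUR_APP_ID = "123456789012345"          # placeholder: your Facebook app id
APP_ACCESS_TOKEN = "APP_ID|APP_SECRET"  # placeholder: app access token, server-side only


def check_debug_token(payload: dict, expected_app_id: str):
    """Return the Facebook user id when /debug_token reports the token as valid
    AND issued to our application; otherwise return None.

    The app_id comparison is what stops the attack on the earlier slide: a token
    that is valid for some other Facebook app still answers /me correctly, but
    its app_id is not ours, so it must not log anyone in here.
    """
    data = payload.get("data") or {}
    if "error" in data or not data.get("is_valid"):   # invalid or expired token
        return None
    if str(data.get("app_id")) != str(expected_app_id):  # token for another app
        return None
    user_id = data.get("user_id")
    return str(user_id) if user_id else None


def debug_token(input_token: str, app_token: str = APP_ACCESS_TOKEN) -> dict:
    """GET /debug_token exactly as shown on the slide (network call; not run by the test)."""
    query = urlencode({"input_token": input_token, "access_token": app_token})
    with urlopen("https://graph.facebook.com/debug_token?" + query) as resp:
        return json.load(resp)


def login_with_facebook(client_token: str, expected_app_id: str = OUR_APP_ID) -> str:
    """Steps 1-2 of the fixed flow: validate first, then use the verified user id.
    /debug_token already reports user_id, so the separate /me call from step 3
    is only needed if you want profile fields beyond the id."""
    user_id = check_debug_token(debug_token(client_token), expected_app_id)
    if user_id is None:
        raise PermissionError("access token is not a valid token for this application")
    return user_id  # step 5: get or insert your user by this facebook_id


# Constructed sample responses in the documented /debug_token shape (not real data).
GOOD_RESPONSE = {"data": {"app_id": OUR_APP_ID, "is_valid": True, "user_id": "100001"}}
OTHER_APP_RESPONSE = {"data": {"app_id": "999999999999999", "is_valid": True, "user_id": "100001"}}
INVALID_RESPONSE = {"data": {"is_valid": False, "error": {"code": 190, "message": "Invalid OAuth access token."}}}
```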
Conclusion
Do not use client to get facebook user data
Use /debug_token to check access token is from your application

Remember
Do not use client to get facebook user data
Use /debug_token to check access token is from your application

TRUST CIRCLE IS HIRING