{"id":860,"date":"2009-02-10T17:27:30","date_gmt":"2009-02-11T01:27:30","guid":{"rendered":"http:\/\/cubist.cs.washington.edu\/Security\/?p=860"},"modified":"2009-02-10T17:27:30","modified_gmt":"2009-02-11T01:27:30","slug":"facebook-opens-status-api","status":"publish","type":"post","link":"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/10\/facebook-opens-status-api\/","title":{"rendered":"Facebook Opens Status API"},"content":{"rendered":"<p>\u201cFacebook is slowly tearing down the wall around its silo and is starting to expose more of its data to the outside\u201d (from <a href=\"http:\/\/www.nytimes.com\/external\/readwriteweb\/2009\/02\/06\/06readwriteweb-facebook_opens_up_lets_develop.html\">Facebook Opens Up: Lets Developers Access Status Updates, Notes, Links, and Videos<\/a>). Facebook now allows third-party developers to access users\u2019 private data, such as status updates and notes. This is intended to give developers more flexibility in making and using applications. Moreover, Facebook hopes to attract more and more users by joining the OpenID Foundation. 
However, this update to Facebook\u2019s API also introduces weaknesses and potential security problems.<\/p>\n<p>Assets and security goals<\/p>\n<ul>\n<li>Since Facebook joined the OpenID Foundation, people who hold an OpenID account (one account and one password for logging in to multiple sites) will also have a Facebook account. Thus, more and more people will join Facebook and use it for networking.<\/li>\n<li>Developers\u2019 applications should be verified before they are released to the public and people are allowed to use them. Moreover, there should be stricter terms and conditions for developer registration, such as phone number or email validation, so that developers cannot misuse users\u2019 private information (pictures, videos, etc.).<\/li>\n<\/ul>\n<p><!--more--><\/p>\n<p>Potential adversaries and threats<\/p>\n<ul>\n<li>Allowing third-party developers to post links raises the chance that users encounter exploit URLs. Since most developers know how to write code, they can simply trick a user into downloading a program for the application that is actually an exploit.<\/li>\n<li>With Facebook in the OpenID Foundation, users who rely on OpenID to maintain accounts on different sites will use the same account name and password across all of them.<\/li>\n<\/ul>\n<p>Potential weaknesses<\/p>\n<ul>\n<li>It is easier for a developer to write an application that accesses any status, link or note belonging to the active user or their friends. However, this raises a privacy issue: the user may not be aware that the new application shares their private data (videos, pictures, notes) with all of their friends instead of only a few close friends.<\/li>\n<li>A malicious person can first add friends at random and then post a bad video. A legitimate application may then post that video to other users\u2019 pages, because the malicious person is on those users\u2019 active friend lists. Alternatively, a malicious developer can simply upload a bad video to users\u2019 accounts if the users accidentally run the application.<\/li>\n<\/ul>\n<p>Potential defenses<\/p>\n<ul>\n<li>To prevent developers from posting exploit URLs, every application\u2019s code has to be filtered. The filter program would have to catch all possible keywords used to build exploit URLs (for example, filtering the word \u201cscript\u201d).<\/li>\n<li>No program is perfect; a filter can still miss something. Thus, it is better to have a trusted third party verify developers\u2019 applications, or to require developers to obtain a certificate from that third party.<\/li>\n<li>Even though OpenID makes it easier for users to create accounts on several sites, it would be more secure if sites provided a second layer of defense, such as security questions for each account.<\/li>\n<\/ul>\n<p>Risks<\/p>\n<ul>\n<li>With an OpenID account, if an attacker obtains the password for one account, he gains access to the victim\u2019s accounts on the other websites that have joined the OpenID Foundation. The attacker can then change the user\u2019s password so that the user loses access to Facebook, VeriSign, Yahoo, etc. There are many things an attacker can do once they own the password.<\/li>\n<li>According to <a href=\"http:\/\/www.allfacebook.com\/2009\/02\/facebook-opens-status-api-say-goodbye-to-twitter\/\">AllFacebook<\/a>, there are upload limits for videos, but users can remove the limit by verifying their phone number (since the article does not describe the phone number verification, we assume that users type in their phone number and receive a verification code). If a malicious person steals a user\u2019s phone, they can use it to remove the limit, and the user will then be unable to remove the limit themselves. Moreover, this creates an incentive to steal other people\u2019s phones.<\/li>\n<\/ul>\n<p>Conclusions<\/p>\n<p>By giving developers access to some of users\u2019 private data and letting them upload videos, more interesting Facebook applications will surely appear. However, not many people are aware of the risks; their private data could be in danger. Thus, as it grants developers more access, Facebook also has to make its rules and regulations for third-party developers stricter in order to prevent bad things from happening.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>\u201cFacebook is slowly tearing down the wall around its silo and is starting to expose more of its data to the outside\u201d (From Facebook Opens Up: Lets Developers Access Status Updates, Notes, Links, and Videos). Now Facebook allows the third-party &hellip; <a href=\"https:\/\/secblog.cs.washington.edu\/Security\/2009\/02\/10\/facebook-opens-status-api\/\">Continue reading <span 
class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":110,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-860","post","type-post","status-publish","format-standard","hentry","category-security-reviews"],"_links":{"self":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/860","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/users\/110"}],"replies":[{"embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/comments?post=860"}],"version-history":[{"count":6,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/860\/revisions"}],"predecessor-version":[{"id":866,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/posts\/860\/revisions\/866"}],"wp:attachment":[{"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/media?parent=860"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/categories?post=860"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/secblog.cs.washington.edu\/Security\/wp-json\/wp\/v2\/tags?post=860"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}