WordPress.org

Ready to get started?Download WordPress

Forums

Simple Facebook Connect
Migrate to OAuth 2.0 (17 posts)

  1. serpico
    Member
    Posted 3 years ago #

    I received the following email from Facebook today. I am using Simple Facebook Connect with my WP 3.2 website. Are there any plans for a migration over to FB OAuth 2.0? Should I be concerned by these vulnerabilities?

    Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties. Allowing user ids and access tokens to be passed to 3rd parties, even inadvertently, could allow these 3rd parties to access the data the user made available to your site. This violates our policies and undermines user trust in your site and Facebook Platform.

    In every case that we have examined, this information is passed via the HTTP Referer Header by the user's browser. This can happen when using our legacy authentication system and including <iframe>, <img> or <script> content from 3rd parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser. Our current OAuth 2.0 authentication system, released over a year ago, passes this information in the URL fragment, which is not passed to 3rd parties by the browser.

    Please ensure that you are not allowing this data to be passed immediately. Accessing your site as a test user while running a HTTP proxy/monitor like Charles or Fiddler is the best way to determine if you are allowing this information to be passed. If you discover the issue, you can do one of two things:

    1. Migrate your site to use our OAuth 2.0 authentication system. We are requiring all apps and sites to update to this mechanism by Sept. 1, 2011. Migrating now will address this issue and ensure that you are one of the first to meet the deadline. For more details, please see our Authentication Guide.

    2. Create and use an interstitial page to remove the authentication data before redirecting to your page with 3rd party content. This approach is used by many of our largest developers today (although they are all migrating to OAuth 2.0 shortly). This is a simple and straightforwardchange that should have minimal impact on your site. For more details on this approach, see our Legacy Connect Auth doc.

    Because of the importance of ensuring user trust and privacy, we are asking you to complete one of the above steps in the next 48 hours. If you fail to do so, your site may be subject to one of the enforcement actions outlined in our policies.

    If you have any questions or believe you have received this message in error, please contact us.

  2. metalmaxx
    Member
    Posted 3 years ago #

    Hi serpico,
    same here!

    I use the Plugin WP-FB AutoConnect!
    Should i switch to another Facebook Connect plugin?
    Any suggestions?

  3. serpico
    Member
    Posted 3 years ago #

    I've not found any other plugins which use OAuth. Sounds like Facebook is a little bit ahead of the WP plugin developers on this one.

    I'm currently reading up on the interstitial pages option, but hopefully someone else will be able to point us in the right direction.

  4. Jen Montes
    Member
    Posted 3 years ago #

    I got this email as well. Since I doubt that anyone will come up with a solution in the next 48 hours, I've just turned off my Facebook features until further notice!

    The sad part is that I had considered making my own plugin using OAuth a few months ago because I didn't like how all the IFrames that the Facebook buttons generated were slowing down my page load times. But as usual, I kept putting it off and now the sh*t has hit the fan.

  5. verdick
    Member
    Posted 3 years ago #

    Also received the same email; I am using the Facebook Connect plugin though (not Simple Facebook Connect). Worst part is that I just activated the plugin and integrated into my website this Saturday, and now I am already having to disable it?!? Not fair IMHO that we are getting dinged for use of third-party plugins that have been proven for quite some time now.

    Unfortunately, we can't count on the plugin developers to fix this in 48 hours as was already stated, so we're up a creek without a paddle for now...hopefully someone will figure something out sooner than later.

  6. BrendCh06
    Member
    Posted 3 years ago #

    Having the same thing here... any fix??

  7. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    Ah, I see others are having this issue too. I'm glad it's not just me. I will probably deactivate the plugin as well.... while I investigate any options. Hopefully we can figure something out.

  8. matiasc
    Member
    Posted 3 years ago #

    Also received it... I'm using the Simple Facebook Connect plugin.

  9. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    They’ve been sending this to all FB application developers who use the Facebook Connect methods. It is not specific to you or to your site. There’s nothing you need to do about it, really. SFC itself is not affected.

    A newer version of SFC will be made available before their September 1st date.

    You can follow the conversation here, looks like everybody is getting that warning.

  10. Jackson
    Member
    Posted 3 years ago #

    Me too. Although I've only received the message for 1 out of about 6 that are using SFC. Worst case scenario, it's easy to disable temporarily.

    Thankfully Otto is prone to thoughtful and thorough replies, so I imagine there will be some good information on this topic soon.

    I'm thinking that these recent emails from Facebook Developer Relations are directly related to this:

    http://www.symantec.com/connect/blogs/facebook-applications-accidentally-leaking-access-third-parties?API1=100&API2=4165004

  11. matiasc
    Member
    Posted 3 years ago #

    Totally madjax, I believe that it has to do with that.
    What are you going to do? Are you disabling SFC in the site where you received the email?

  12. metalmaxx
    Member
    Posted 3 years ago #

    Thanx for the Information madjax!

    The official information from the developers blog you can find here:
    https://developers.facebook.com/blog/post/497

    I use WP-FB-AutoConnect and i got the same problem. Otto from SFC replied on his plugin-page. He announced an update until 1st september. Its cool, but will Facebook ban my application then? Have i lost then all users who connected with my application? I don´t want to deactivate it now for months.. :(

  13. matiasc
    Member
    Posted 3 years ago #

    But he said that SFC isn't the problem... So... I think I'm not deactivating and I'll see what happens.

  14. metalmaxx
    Member
    Posted 3 years ago #

    To all WP-FB Autoconnect Users!
    Update:
    On May 15, 2011, Facebook started sending out security warnings for applications that still use the old REST API. Premium users should select the option to "Use the new Graph API" immediately; I will be working to make this a free feature in the near future, hopefully within the next few days. If you have any issues with the new API, please see FAQ33.
    If want to be absolutely certain to get it resolved within 48 hours you can of course purchase the add-on now (as Facebook allowed virtually no time to comply)...but again, I do hope to get it resolved in time, if I can.
    Please do not report this problem to me as I'm aware of it and working to get it fixed.

  15. Samuel Wood (Otto)
    Tech Ninja
    Plugin Author

    Posted 3 years ago #

    I'm working on finishing up the remaining pieces of SFC version 1.0, which uses their newer Javascript SDK (which automatically uses OAuth 2.0) and their Graph API.

    The "48 hour" thing is more of a problem with their email... SFC is not leaking any information to third parties, and this is not a real concern. I'm leaving it running, and I got that same email more than 48 hours ago. Don't worry about it.

  16. Samuel Wood (Otto)
    Tech Ninja
    Plugin Author

    Posted 3 years ago #

    BTW, because SFC uses the old Connect libraries at the moment, it is already essentially implementing the second suggestion they make (about using the interstitial page). This method is called "xd_receiver" in some places. This gets the cookie set for the website, and it is what is used for the authentication token.

    What they're actually referring to here is a specific problem for their REST API, which SFC does use in some places, but only from the server, not from the browser. This particular problem does not impact SFC or SFC users.

    Despite the way the email reads, it is a *mass* emailing to any and all applications that have ever used the older APIs. Their "automated systems" didn't actually "detect" anything.

  17. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    That's for the specific and informative reply Otto! It definitely helped me understand a little.

Topic Closed

This topic has been closed to new replies.

About this Plugin

About this Topic