Facebook Will Mandate OAuth 2.0 and HTTPS This Fall, After Security Leak Found in Old Code
Symantec on Tuesday published a corporate blog post describing how 100,000 Facebook apps built with iframes exposed user data. The cause, Symantec said, was an older Facebook API designed so that an app's page URL carried the user's access token; when the page loaded third-party content, that URL, token included, was passed to advertisers and analytics platforms as the referrer.
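The leak described above, modelled as an added example that is not code from the article, Facebook or Symantec: a checker that computes what a browser would send as the Referer for resources loaded by an app page and reports which credential-bearing query parameters a third party would receive. The parameter names, URLs and the `leaked_params` helper are assumptions constructed for illustration.

```python
"""Flag access tokens that would leak through the HTTP Referer header.

Models the defect in the old API: a token in the page's query string is
forwarded to every third-party resource (ad, analytics beacon) the page loads.
Referer behaviour here is the legacy default (no-referrer-when-downgrade);
modern browsers default to strict-origin-when-cross-origin, which sends only
the origin to other sites, but tokens in URLs still end up in logs and history.
"""
from urllib.parse import parse_qs, urlsplit

# Query parameters treated as credentials (assumed names, not Facebook's).
SENSITIVE_PARAMS = {"access_token", "oauth_token", "token", "session_key"}


def referer_for(page_url: str) -> str:
    """Return the Referer a browser sends for resources loaded by page_url.

    The fragment (#...) and userinfo are stripped; the query string is kept,
    which is exactly why a token in the query leaks and one in the fragment
    (as in the OAuth 2.0 implicit flow) does not.
    """
    parts = urlsplit(page_url)
    netloc = parts.hostname or ""
    if parts.port:
        netloc += f":{parts.port}"
    referer = f"{parts.scheme}://{netloc}{parts.path or '/'}"
    if parts.query:
        referer += "?" + parts.query
    return referer


def leaked_params(page_url: str, resource_url: str) -> list[str]:
    """List sensitive parameters the server of resource_url receives in Referer."""
    page, resource = urlsplit(page_url), urlsplit(resource_url)
    # Downgrade rule: an HTTPS page sends no Referer to an HTTP resource.
    if page.scheme == "https" and resource.scheme == "http":
        return []
    query = urlsplit(referer_for(page_url)).query
    return sorted(p for p in parse_qs(query) if p.lower() in SENSITIVE_PARAMS)


# Constructed sample URLs: legacy-style token in the query versus token in
# the fragment, both loading the same third-party beacon.
LEGACY_URL = "http://apps.example.com/game/?access_token=abc123&page=2"
FRAGMENT_URL = "https://apps.example.com/game/#access_token=abc123"
THIRD_PARTY = "https://ads.example.net/beacon.gif"

if __name__ == "__main__":
    print(leaked_params(LEGACY_URL, THIRD_PARTY))    # ['access_token']
    print(leaked_params(FRAGMENT_URL, THIRD_PARTY))  # []
```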
Facebook referenced Symantec’s assistance Tuesday in a blog post announcing it would require all developers to use a more secure combination of HTTPS and OAuth 2.0 (which allows users to connect various Web apps to each other without resupplying their passwords) by October 1 of this year.
Following hacking attempts attributed to Tunisian government censors a few months ago, Facebook had started giving users the option to use the site over HTTPS. But many third-party app developers have yet to revise their Facebook apps to support HTTPS, too.
Facebook downplayed the significance of Symantec’s discovery, issuing various comments saying it has found no evidence that the loophole enabled users’ private information to be shared with unauthorized third parties.
“Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry,” said the Facebook developer blog post, authored by Facebook’s Naitik Shah.
Please see the disclosure about Facebook in my ethics statement.