Liz Gannes

Facebook Will Mandate OAuth 2.0 and HTTPS This Fall, After Security Leak Found in Old Code

Symantec on Tuesday published a corporate blog post describing how 100,000 Facebook apps built with iframes exposed user data. The cause, Symantec said, was that an older Facebook API was designed so that apps carried user access tokens in their URLs, and those URLs were then passed along as referrers to advertisers and analytics platforms.
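The leak Symantec describes is a general one: any bearer credential placed in a page URL travels wherever that URL travels, including the Referer header of every third-party resource the page loads. The following added example (not code from Symantec, Facebook, or this article) shows how a defender would check for it: it flags token-bearing parameters in a URL, audits a constructed referrer log for tokens reaching a different host, and strips the parameters so the token never reaches the page URL in the first place. The parameter names, hostnames and log records are assumptions constructed for the example.

```python
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that typically carry bearer credentials in an OAuth-style
# redirect. These names are assumptions for this example, not the parameter
# names any particular API used.
SENSITIVE_PARAMS = frozenset({"access_token", "oauth_token", "code"})


def find_leaked_tokens(url):
    """Return {name: value} for sensitive parameters in the query or fragment."""
    parts = urlsplit(url)
    found = {}
    for component in (parts.query, parts.fragment):
        for name, value in parse_qsl(component, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                found[name] = value
    return found


def strip_tokens(url):
    """Return url with sensitive parameters removed from query and fragment."""
    parts = urlsplit(url)

    def clean(component):
        kept = [(n, v) for n, v in parse_qsl(component, keep_blank_values=True)
                if n.lower() not in SENSITIVE_PARAMS]
        return urlencode(kept)

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean(parts.query), clean(parts.fragment)))


def audit_referrer_log(records):
    """Flag requests whose Referer carries a token to a different host.

    Each record is a (referer_url, destination_url) pair, as a proxy or
    web-server log would show it. Same-host fetches are not flagged because
    the token stays with the party that already holds it.
    """
    findings = []
    for referer, destination in records:
        tokens = find_leaked_tokens(referer)
        dest_host = urlsplit(destination).hostname
        if tokens and dest_host and dest_host != urlsplit(referer).hostname:
            findings.append({"referer": referer, "destination": dest_host,
                             "params": sorted(tokens)})
    return findings


# Constructed sample log: an app page loaded with a token in its URL fetches a
# third-party analytics script and a first-party stylesheet; a second page
# without a token fetches an ad pixel.
SAMPLE_LOG = [
    ("https://app.example.test/canvas?access_token=tok_abc123&page=home",
     "https://analytics.example.net/collect.js"),
    ("https://app.example.test/canvas?access_token=tok_abc123&page=home",
     "https://app.example.test/static/style.css"),
    ("https://app.example.test/canvas?page=home",
     "https://ads.example.org/pixel.gif"),
]

if __name__ == "__main__":
    for finding in audit_referrer_log(SAMPLE_LOG):
        print("token leaked via Referer:", finding)
    print("sanitized:", strip_tokens(SAMPLE_LOG[0][0]))
```

Only the analytics fetch is flagged: the token went off-host in the referrer, exactly the path the article describes. The fragment is checked as well because implicit-grant flows place the token after `#`, where it escapes the Referer header but is still visible to any script running in the page.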

Facebook referenced Symantec’s assistance Tuesday in a blog post announcing it would require all developers to use a more secure combination of HTTPS and OAuth 2.0 (which allows users to connect various Web apps to each other without resupplying their passwords) by October 1 of this year.

Following hacking attempts attributed to Tunisian government censors a few months ago, Facebook had started giving users the option to browse the site over HTTPS. But many third-party app developers have yet to revise their Facebook apps to support HTTPS, too.

Facebook downplayed the significance of Symantec’s discovery, issuing various comments saying it has found no evidence that the loophole enabled users’ private information to be shared with unauthorized third parties.

“Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry,” said the Facebook developer blog post, authored by Facebook’s Naitik Shah.

Please see the disclosure about Facebook in my ethics statement.

