Liz Gannes


Facebook Will Mandate OAuth 2.0 and HTTPS This Fall, After Security Leak Found in Old Code

Symantec on Tuesday published a corporate blog post describing how 100,000 Facebook apps built with iFrames exposed user data. Symantec attributed this to an older Facebook API that led apps to include user access tokens in the referrer URL passed to advertisers and analytics platforms.
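The leak described above is a referrer problem: when a credential such as an access token sits in a page URL, every third-party resource loaded by that page can receive it in the Referer header. The following is an added example (not Symantec's or Facebook's code) showing how a defender would detect this in collected analytics logs and redact such URLs before they are logged or forwarded. The log format, the parameter names in `SENSITIVE_PARAMS`, and all sample lines are constructed for this example.

```python
"""Detect OAuth access tokens leaking through HTTP Referer headers.

Added example, not code from the article or from Facebook/Symantec. It scans
constructed analytics-style log lines for Referer URLs that carry an access
token in the query string or fragment, and shows how to redact such a URL
before it is stored or handed to a third party.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that commonly carry bearer credentials in a URL.
# This set is an assumption for the example, not a Facebook-defined list.
SENSITIVE_PARAMS = {"access_token", "oauth_token", "token", "code"}

# Constructed sample log lines: client IP, request line, Referer header.
SAMPLE_LOG = """\
203.0.113.5 "GET /pixel.gif HTTP/1.1" "https://apps.example.test/game/?access_token=EXAMPLE_TOKEN_abc123&uid=42"
203.0.113.6 "GET /pixel.gif HTTP/1.1" "https://apps.example.test/game/#access_token=EXAMPLE_TOKEN_def456"
203.0.113.7 "GET /pixel.gif HTTP/1.1" "https://apps.example.test/game/?uid=43&lang=en"
203.0.113.8 "GET /pixel.gif HTTP/1.1" "-"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) "(?P<request>[^"]*)" "(?P<referer>[^"]*)"$')


def find_tokens_in_url(url):
    """Return (location, name) pairs for sensitive parameters found in the URL.

    Both the query string and the fragment are inspected: browsers do not
    send fragments in Referer, but JavaScript analytics snippets that report
    the full page location may forward them anyway.
    """
    parts = urlsplit(url)
    hits = []
    for location, raw in (("query", parts.query), ("fragment", parts.fragment)):
        for name, _value in parse_qsl(raw, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                hits.append((location, name))
    return hits


def redact_url(url):
    """Strip sensitive parameters from query and fragment, keep everything else."""
    parts = urlsplit(url)

    def clean(raw):
        kept = [(k, v) for k, v in parse_qsl(raw, keep_blank_values=True)
                if k.lower() not in SENSITIVE_PARAMS]
        return urlencode(kept)

    return urlunsplit((parts.scheme, parts.netloc, parts.path,
                       clean(parts.query), clean(parts.fragment)))


def scan_log(text):
    """Parse log lines and report every Referer that carries a token."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("referer") == "-":
            continue
        hits = find_tokens_in_url(m.group("referer"))
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "referer_redacted": redact_url(m.group("referer")),
                "leaks": hits,
            })
    return findings


if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["ip"], finding["leaks"], "->", finding["referer_redacted"])
```

Running the scan over the constructed lines flags the first two entries (token in query, token in fragment) and leaves the others alone; the redacted form keeps harmless parameters such as `uid` so the log remains useful for debugging. The durable fix is the one the article describes: keep tokens out of URLs altogether, which is what OAuth 2.0 over HTTPS with server-side token exchange achieves.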

Facebook referenced Symantec’s assistance Tuesday in a blog post announcing it would require all developers to use a more secure combination of HTTPS and OAuth 2.0 (which allows users to connect various Web apps to each other without resupplying their passwords) by October 1 of this year.

Following hacking attempts attributed to Tunisian government censors a few months ago, Facebook had started giving users the option to access the site over HTTPS. But many third-party app developers have yet to update their Facebook apps to support HTTPS as well.

Facebook downplayed the significance of Symantec’s discovery, issuing various comments saying it has found no evidence that the loophole enabled users’ private information to be shared with unauthorized third parties.

“Over the past few weeks, we determined that OAuth is now a mature standard with broad participation across the industry,” said the Facebook developer blog post, authored by Facebook’s Naitik Shah.

Please see the disclosure about Facebook in my ethics statement.


