Feeds

back to article New Facebook developer regs not rogue-proof

Facebook app developers will need to verify their account with the social network before they are allowed to create applications under a new scheme, but experts are nonplussed by the proposals. The scheme relies on authentication via either confirming ownership of a particular mobile phone number or submitting credit card …

COMMENTS

This topic is closed for new posts.
FAIL

Very easy to verify

They can hack a users account and probably get hold of their credit card details anyway.

How easy is it to order a free sim and get a verifictaion code as well?

Fail me thinks!

0
0
h 6
Thumb Up

Let me fix that

Verify this, bitch.

0
0
Anonymous Coward

horse, bolted

"We're taking this step to preserve the integrity of Facebook"

I'm taking the proactive step of buying my dad condoms so that I won't be born.

1
0
OC
Thumb Down

upload code?!

But you don't upload code, thats the whole point of using an API.

If they really do wish to be secure they should look into the same procedures Apple kinda use.........simply test the apps. A monitoring system could constantly check an app to make sure it hasn't changed, if it has then it needs to be authorised again.

A lot of work............but what the hell it's not my job! :)

0
1
Big Brother

Haha

The next sharing setting (devs only for now):

Do you want to share your CC details with: Everyone (default) / Friends Only / Noone

0
0

Is the Code Served from Facebook?

I remember taking a quick look at Facebook development a bit of time back, and I believe the code of a Facebook App is not hosted on Facebook. A Facebook application uses what they call a canvas which is an iframe pointed at an external server URL (application callback URL) around which they place the standard face book bits (including adverts).

This means that Facebook avoids a lot of the bandwidth issues but also means that as far as I know they cannot preview the code (or the request responses) in any way. They could review the application by navigating to it, but as it could modify the response dependant upon client IP, Facebook User, etc. this might be of limited use. Particularly as the dodgy bit could be turned on later.

0
0

RE: Is the Code Served from Facebook?

Yeah, on the Koobface article it said facebook automatically check links posted but they were just redirecting requests from within facebooks IP space to a benign page.

Maybe they could have setup some honeypot profiles to test the apps on then monitor what happens?

0
0
Bronze badge

partly right...

There is the iframe option or the 'fbml' option.

In the second case, the facebook server calls your URL, retrieves the webpage, sanatises it, and serves the result to the user.

A thought on their process (ignoring the fact a throwaway mobile is cheap for serious fraudsters)

1) create app through legitimate account.

2) assign 'app privilege' to dodgy account.

3) remove app privilege from real account.

I wonder if they keep a 'paper trail' to avoid this situation?

0
0
FAIL

He's Joking right?

Mr Ferguson, the security expert has obviously never looked at anything Facebook put out .They don't have time to look at their OWN code never mind anyone else's.

Also as someone has pointed out FB apps aren't on their servers. My app (which is a very modest 3600 lines of PHP) is currently sitting on about 700 servers. So Facebook could, I suppose vet my original app each time I change it (which has been about 20 times in the past week due to their crazy implementation timescale for Oauth2) and say its not rogue but there is nothing to stop any of the people using my app from changing something in it and basically making their copy "rogue"

Yes there is a problem with rogue apps but Mr F's suggestion is totally impractical and maybe he should do some more research into how things work before giving us his "advice" next time.

1
0
Anonymous Coward

Real Facebook account?

They're joking right? I have a real me for my friends, and at least one sock puppet for gaming. Not all that hard to gin up a Facebook account. The "difficult" part is ginning up a Hotmail account to register as a REAL Facebook account.

0
0
This topic is closed for new posts.