Sign in with facebook (OAuth): how to and threats

Many websites let you sign in with the OAuth protocol (e.g. using your Facebook account).

How to

In an ASP.NET application it is very easy to implement; see this 3-minute screencast by Scott Hanselman.

In Rails it is a little more involved, but still no big deal. RailsCast #360 (12 minutes) walks through it.

Threats

However, it is good to know what data we are handing over when we click 'Login with Facebook'. I implemented Facebook auth with the omniauth-facebook library (following the RailsCast above), and I was surprised when I looked at the source code.

This is the auth data available to the developer when we sign in with Facebook:

{
  :provider => 'facebook',
  :uid => '1234567',
  :info => {
    :nickname => 'jbloggs',
    :email => '[email protected]',
    :name => 'Joe Bloggs',
    :first_name => 'Joe',
    :last_name => 'Bloggs',
    :image => 'http://graph.facebook.com/1234567/picture?type=square',
    :urls => { :Facebook => 'http://www.facebook.com/jbloggs' },
    :location => 'Palo Alto, California',
    :verified => true
  },
  :credentials => {
    :token => 'ABCDEF...', # OAuth 2.0 access_token, which you may wish to store
    :expires_at => 1321747205, # when the access token expires (it always will)
    :expires => true # this will always be true
  },
  :extra => {
    :raw_info => {
      :id => '1234567',
      :name => 'Joe Bloggs',
      :first_name => 'Joe',
      :last_name => 'Bloggs',
      :link => 'http://www.facebook.com/jbloggs',
      :username => 'jbloggs',
      :location => { :id => '123456789', :name => 'Palo Alto, California' },
      :gender => 'male',
      :email => '[email protected]',
      :timezone => -8,
      :locale => 'en_US',
      :verified => true,
      :updated_time => '2011-11-11T06:21:03+0000'
    }
  }
}

We hand over our email (!), timezone and even location! I was not aware of that; I thought Facebook provided just basic info like name and photo.

We should think twice before signing in to a website with OAuth, especially because we give away our email address: a malicious website can use it to send spam. Note that the site also receives the OAuth access token (the :credentials entry above), which lets it call Facebook's API on our behalf until the token expires.
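The flip side for the developer is to keep as little of that hash as possible. The following is an added example, not code from the original post or from the omniauth-facebook gem: a small callback helper that audits which fields arrived, persists only a whitelisted subset, and treats the access token as a secret with a lifetime. The sample auth hash is constructed to mirror the shape shown above, with illustrative values only.

```ruby
# Added example (not from the original post or the omniauth-facebook gem):
# handle the OmniAuth auth hash with data minimisation in mind.

# Constructed sample in the shape omniauth-facebook hands to the callback.
# Values are illustrative, not a real account.
SAMPLE_AUTH = {
  provider: 'facebook',
  uid: '1234567',
  info: {
    nickname: 'jbloggs',
    email: 'joe@example.com',
    name: 'Joe Bloggs',
    image: 'http://graph.facebook.com/1234567/picture?type=square',
    location: 'Palo Alto, California',
    verified: true
  },
  credentials: { token: 'ABCDEF...', expires_at: 1321747205, expires: true },
  extra: { raw_info: { id: '1234567', gender: 'male', timezone: -8, locale: 'en_US' } }
}.freeze

# Walks the auth hash and returns every leaf path, e.g. "info.email" or
# "extra.raw_info.timezone". Handy for auditing what a login handed over.
def received_fields(auth, prefix = nil)
  auth.flat_map do |key, value|
    path = [prefix, key].compact.join('.')
    value.is_a?(Hash) ? received_fields(value, path) : [path]
  end
end

# Builds the attributes to persist. Everything else (email, location,
# timezone, gender, the access token...) is dropped unless explicitly
# requested via keep:, so the default is to store the minimum.
def user_attributes(auth, keep: [])
  info = auth.fetch(:info, {})
  attrs = {
    provider: auth.fetch(:provider),
    uid: auth.fetch(:uid),
    name: info[:name],
    image: info[:image]
  }
  attrs[:email] = info[:email] if keep.include?(:email)
  attrs
end

# The token lets the site call the provider's API on the user's behalf
# until expires_at. If it is stored at all, check its lifetime before use.
def token_valid?(auth, now = Time.now)
  creds = auth.fetch(:credentials, {})
  token = creds[:token]
  return false if token.nil? || token.empty?
  expires_at = creds[:expires_at]
  expires_at.nil? || Time.at(expires_at) > now
end

if __FILE__ == $PROGRAM_NAME
  puts 'Fields received from the provider:'
  received_fields(SAMPLE_AUTH).each { |f| puts "  #{f}" }
  puts "Attributes persisted: #{user_attributes(SAMPLE_AUTH).inspect}"
  puts "Token still valid: #{token_valid?(SAMPLE_AUTH)}"
end
```

From the user's side, the permissions a site asks for are the scopes the application requests from the provider (in omniauth-facebook this is the `scope` option passed when registering the provider, as far as I know); the consent dialog lists them, so it is worth reading before clicking through.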


Tech Ed North America 2013

On June 3 – 6 the TechEd North America conference took place in New Orleans. The videos are available on Channel 9. I have watched a few very good sessions, and I can especially recommend these 5.

Live Demonstration: Hacker Tools You Should Know and Worry About (Hasain Alshakarti and Marcus Murray)

This is my favourite session. You can learn about various security tools; they show the things we should be aware of.

APTs: Cybercrime, Cyber Attacks, Warfare and Threats Exposed (Hasain Alshakarti and Marcus Murray)

Another session, this time from an enterprise point of view. They discuss the techniques by which companies get hacked.

Adventures in Underland: What Passwords Do When No One Is Watching (Paula Januszkiewicz)

This session shows that our passwords are not 100% secure when stored in Windows.

Hackers (Not) Halted (Paula Januszkiewicz)

A session about the most common mistakes that can be used to hack you.

Microsoft ASP.NET, Web, and Cloud Tools Preview (Damian Edwards)

A general overview of the new enhancements to the Web Tools and features in .NET.

The NDC conference took place in Oslo last week (June 12-14), but the videos are not available yet. The next big thing is Build 2013 in San Francisco, June 26 – 28.