Issue
Will exposing app-specific Facebook friend user IDs in client-side source code expose my app or my app's users to any exploitable security/spam risks?
Example where data is exposed:
I'm requesting the list of Facebook friends using the user_friends permission with the Graph API. This list returns a name and an app-specific user ID for each friend.
I allow a user to select a friend which will send them an in-app invite.
The best way to identify this friend is the app-specific user ID, which means it will appear in my client-side source code.
Exploits I can think of:
Using a send message dialog link (https://developers.facebook.com/docs/sharing/web#sendingmessages) might allow someone to use my app ID (which can be easily found by logging in via Facebook) and an exposed user ID to prepopulate the "to" field, pretending to be my app in order to spam their friends.
Workaround to exposing data:
Store the friend list in a DB table and generate a new harmless ID for each relationship.
I'd rather not do this as I'll have to update this list every time as friend lists will change regularly.
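The workaround sketched in the question, written out as an added example (it is not code from the original post and not anything Facebook provides): the server keeps a per-inviter mapping from an opaque random token to the friend's app-scoped ID, the client only ever sees names and tokens, and a token is redeemable only by the user it was issued to. The in-memory store, the `sync_friends`/`resolve` method names and the sample friend list are all constructed for illustration; the sample mimics the shape of a Graph API `user_friends` response but is not real data.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample, shaped like a Graph API /me/friends response
# (name + app-scoped id per friend). Not real data.
SAMPLE_FRIENDS_RESPONSE = {
    "data": [
        {"name": "Friend One", "id": "1001"},
        {"name": "Friend Two", "id": "1002"},
    ]
}


@dataclass
class InviteTokenStore:
    """Server-side indirection that keeps app-scoped friend IDs off the client.

    For each (inviter, friend) relationship the client receives an opaque
    random token instead of the friend's app-scoped ID.  A token is bound to
    the inviter it was issued to, so a token copied out of one user's page
    cannot be redeemed by a different user.  Hypothetical in-memory store; a
    real app would back this with its database.
    """

    # inviter_id -> {token: friend_app_scoped_id}
    _by_inviter: Dict[str, Dict[str, str]] = field(default_factory=dict)

    def sync_friends(self, inviter_id: str, friends: List[dict]) -> List[dict]:
        """Refresh the mapping from a fresh friend list.

        Addresses the "friend lists change regularly" concern: friends still
        present keep their existing token, new friends get a fresh token, and
        friends no longer in the list are dropped so their tokens stop working.
        Returns the client-safe view (name + token, no app-scoped IDs).
        """
        current = self._by_inviter.get(inviter_id, {})
        # Reverse lookup so already-issued tokens survive a refresh.
        token_for_friend = {fid: tok for tok, fid in current.items()}
        refreshed: Dict[str, str] = {}
        client_view = []
        for friend in friends:
            fid = friend["id"]
            tok = token_for_friend.get(fid) or secrets.token_urlsafe(16)
            refreshed[tok] = fid
            client_view.append({"name": friend["name"], "token": tok})
        self._by_inviter[inviter_id] = refreshed
        return client_view

    def resolve(self, inviter_id: str, token: str) -> Optional[str]:
        """Map a token back to an app-scoped ID for an invite, but only when
        the token was issued to this inviter.  Unknown or foreign tokens
        return None."""
        return self._by_inviter.get(inviter_id, {}).get(token)


if __name__ == "__main__":
    store = InviteTokenStore()
    view = store.sync_friends("alice", SAMPLE_FRIENDS_RESPONSE["data"])
    print(view)  # names and tokens only; no "id" field reaches the client
    print(store.resolve("alice", view[0]["token"]))  # "1001"
    print(store.resolve("bob", view[0]["token"]))    # None: token is bound to alice
```

The binding of each token to the inviter mirrors the property the send dialog already enforces for raw IDs (the recipient must be a friend of the sender); the refresh logic is what the question's author was worried about having to maintain.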
Solution
It is perfectly safe to expose those App Scoped IDs on the client. You can only prepopulate the send dialog with one single ID, and the ID must be a friend of yours. So you can't really exploit it.
IDs are safe in general (App ID, User ID, ...). You only need to be careful with your App Secret and Access Tokens.
Answered By - andyrandy