I received the following message from Facebook today and I really have no idea how to fix whatever they are talking about - any help would be greatly appreciated - I'm currently using Facebook Connect on my site.
-----
Dear Developer,

Our automated systems have detected that you may be inadvertently allowing authentication data to be passed to 3rd parties. Allowing user ids and access tokens to be passed to 3rd parties, even inadvertently, could allow these 3rd parties to access the data the user made available to your site. This violates our policies and undermines user trust in your site and Facebook Platform.

In every case that we have examined, this information is passed via the HTTP Referer Header by the user's browser. This can happen when using our legacy authentication system and including <iframe>, <img> or <script> content from 3rd parties in the page that receives authentication data from Facebook. Our legacy mechanism passes authentication information in the URL query string which, if handled incorrectly, can be passed to 3rd parties by the browser. Our current OAuth 2.0 authentication system, released over a year ago, passes this information in the URL fragment, which is not passed to 3rd parties by the browser.

Please ensure that you are not allowing this data to be passed immediately. Accessing your site as a test user while running a HTTP proxy/monitor like Charles or Fiddler is the best way to determine if you are allowing this information to be passed. If you discover the issue, you can do one of two things:

1. Migrate your site to use our OAuth 2.0 authentication system. We are requiring all apps and sites to update to this mechanism by Sept. 1, 2011. Migrating now will address this issue and ensure that you are one of the first to meet the deadline. For more details, please see our Authentication Guide.

2. Create and use an interstitial page to remove the authentication data before redirecting to your page with 3rd party content. This approach is used by many of our largest developers today (although they are all migrating to OAuth 2.0 shortly). This is a simple and straightforward change that should have minimal impact on your site. For more details on this approach, see our Legacy Connect Auth doc.

Because of the importance of ensuring user trust and privacy, we are asking you to complete one of the above steps in the next 48 hours. If you fail to do so, your site may be subject to one of the enforcement actions outlined in our policies. If you have any questions or believe you have received this message in error, please contact us.

Facebook Developer Relations
------
Thanks
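To make the mechanism in Facebook's notice concrete, here is an added example (not code from this thread, from Elgg, from the fbconnect plugin, or from Facebook). It shows why a query-string token leaks through the Referer header while a fragment does not, implements the "interstitial" idea from option 2 as a function that strips authentication parameters before a redirect, and scans a constructed proxy capture of the kind Charles or Fiddler would produce for third-party requests whose Referer carries authentication data. The parameter names in AUTH_PARAMS, the host names and the log lines are assumptions made for the example.

```python
"""Referer-leak check and interstitial helper (added example, constructed data)."""
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-string parameter names treated as authentication data. Assumption for
# the example: a real deployment uses the names its auth integration emits.
AUTH_PARAMS = {"session", "access_token", "uid", "fbuid", "code"}


def referer_for(page_url: str) -> str:
    """Return what a browser sends as Referer when the page at page_url loads a
    third-party <img>, <iframe> or <script>: scheme, host, path and query are
    sent; the fragment (everything after '#') never is. This is why OAuth 2.0's
    fragment-based response does not reach third parties and the legacy
    query-string response does."""
    p = urlsplit(page_url)
    return urlunsplit((p.scheme, p.netloc, p.path, p.query, ""))


def leaked_auth_params(page_url: str) -> set:
    """Names of authentication parameters that would reach a third party via
    Referer if page_url embedded third-party content."""
    referer = referer_for(page_url)
    return {k for k, _ in parse_qsl(urlsplit(referer).query) if k in AUTH_PARAMS}


def strip_auth_params(page_url: str) -> str:
    """Interstitial behaviour (option 2 in the notice): consume the auth data
    server-side, then redirect to the same page with those parameters removed
    so the page that carries third-party content has nothing to leak."""
    p = urlsplit(page_url)
    kept = [(k, v) for k, v in parse_qsl(p.query, keep_blank_values=True)
            if k not in AUTH_PARAMS]
    return urlunsplit((p.scheme, p.netloc, p.path, urlencode(kept), ""))


def find_referer_leaks(proxy_lines, site_host):
    """Scan proxy-captured requests in the form 'METHOD URL | Referer: URL' and
    return (third_party_url, leaked_param_names) for every request to a host
    other than site_host whose Referer still carries authentication data."""
    findings = []
    for line in proxy_lines:
        request, _, referer = line.partition(" | Referer: ")
        _method, _, url = request.partition(" ")
        if urlsplit(url).netloc == site_host:
            continue  # same-site request: no third party receives the Referer
        leaked = leaked_auth_params(referer)
        if leaked:
            findings.append((url, sorted(leaked)))
    return findings


# Constructed capture, not a real proxy log: the legacy callback lands on the
# dashboard with auth data in the query string, and that page then loads a
# third-party tracking pixel and a script.
SAMPLE_PROXY_LOG = [
    "GET https://www.example-elgg-site.test/pg/dashboard?session=SESSIONDATA&uid=12345"
    " | Referer: https://www.facebook.com/login.php",
    "GET https://ads.third-party.test/pixel.gif"
    " | Referer: https://www.example-elgg-site.test/pg/dashboard?session=SESSIONDATA&uid=12345",
    "GET https://cdn.third-party.test/widget.js"
    " | Referer: https://www.example-elgg-site.test/pg/dashboard",
]

if __name__ == "__main__":
    for url, params in find_referer_leaks(SAMPLE_PROXY_LOG, "www.example-elgg-site.test"):
        print(f"LEAK: {url} received {params} via Referer")
    print("after interstitial:",
          strip_auth_params("https://www.example-elgg-site.test/pg/dashboard?session=SESSIONDATA&uid=12345&tab=home"))
```

Running the block flags only the pixel request, because its Referer is the callback URL that still carries session and uid; the script loaded from the dashboard without those parameters is clean, which is exactly the state the interstitial redirect leaves the page in.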
Cash (@costelloc):
If you're not a developer, you cannot fix it. Facebook has a new API and a plugin has to be written to use it (and be backward compatible with the old Facebook Connect plugin). There has been some work done on this but I don't know the status of it.
Another option mentioned there is #2 and a developer could extend the current Facebook plugin to do this.

Deep Shah (@deep5187):
I think just replacing "facebook.php" in the folder "mod/fbconnect/models" with the latest PHP Facebook SDK, which you can find here, should solve the issue.

Mark Bridges (@MisterBridges):
The version of Facebook Connect I released was rewritten by Kevin Jardine for the new API, so it should work - http://community.elgg.org/pg/plugins/project/595745/developer/MisterBridges/facebook-connect-for-173

Nick (@Ltnclark):
@Mark. I am using the Facebook Connect 1.7.3 that you mentioned and just got the same email from Facebook. Not sure how to fix this yet...
I just updated the facebook.php. Not sure though.

Mark Bridges (@MisterBridges):
@Nick, strange... I just logged into my site with Facebook and it worked fine, perhaps Kevin could shed some light on the issue?

Nick (@Ltnclark):
@Mark, Sorry that was poorly explained. The plugin is working fine. I have updated the facebook.php file and it is still working fine. However, I did get the same email from Facebook today stating "fix within 48 hours etc". I am not sure if updating the facebook.php file fixes this legacy authentication issue or if it is only a perceived issue on Facebook's behalf. Either way they sent me an email and it is their policy, so if anyone has a fix, please yell out.
Thanks for taking the time to respond.

survtime (@survtime):
@Mark Bridges - I am actually using http://community.elgg.org/pg/plugins/project/595745/developer/MisterBridges/facebook-connect-for-173 right now but I still rx'd the notice from Facebook. Regardless, thank you for your comment.
@Deep Shah - I've changed the facebook.php file, thank you for sharing the link.
@Nick - Let us know what happens, I'll do the same.
Cheers!

Nick (@Ltnclark):
As you can see, it is about 8 days since the original post. I have updated the facebook.php file as stated above and have not had my site login blocked. I don't know if this fixed the problem or if Facebook hasn't gotten around to blocking it yet. Hope it is the former.