security - Is this a valid way to hack into Facebook applications? (and possibly Facebook)? -


  1. Your friend joins Facebook and "remembers me".
  2. Facebook makes a cookie
  3. Your friend goes to the bathroom.
  4. You steal your friend's cookies from your browser and its data.
  5. You go home and make cookies with that data.

Facebook is not affiliated with cookies + IP , then you can access Facebook page. EDIT: True, Facebook does not check for IP.

Now, let's look at Facebook Connect. This is the key

  1. The user "connects" by pushing the button.
  2. Sets a cookie on the Facebook browser, which your app backend reads to determine if the user is certified or not. After this, you associate this FB-cookie-AD with the user in your system.

If your system does not check for IP , then theoretically using cookies allows you to enter the application that uses Facebook Connect. You can then get access to the application,

Is it valid to say that you should check the IP when connecting Facebook to add security level? But if you do this, then some people have commented about IP spoofing.

@ All who say "physical access":

Yes, I agree that the concept of physical access makes this question trivial, though it is a hole about APPLICATION. Should be aware in Of course, the Facebook profile / useless application will not keep much ... but what if the application was a banking system? All I'm saying is that if Citibank or Bank of America has used "Facebook Connect" (which would be stupid but we assume), then this method would prove to be an easy way to access their account.

Therefore, Facebook Connect should not be used with "important" right?

Another option is that, after your friend goes to the bathroom, you can steal your wallet To give bribe to your girlfriend, you have cash in giving your Facebook password, thus, all of the applications that use Facebook Connect are projected.


Comments

Popular posts from this blog

MySql variables and php -

url rewriting - How to implement the returnurl like SO in PHP? -

Which Python client library should I use for CouchdB? -