
Facebook's new Registration Tool - HUGE security implications

Discussion in 'FaceBook' started by phph5, Dec 17, 2010.

  1. phph5

    phph5 Regular Member

    Joined:
    Aug 7, 2010
    Messages:
    225
    Likes Received:
    42
    I decided to start a separate thread since no one mentioned this in the other thread about recent changes Facebook rolled out, and this is huge.

    Here's the news:

    http://developers.facebook.com/blog/post/440

    It's about the possibility to include a pre-filled registration form on your web site, allowing users to register just with the click of a button, providing you with presumably correct info (pulled directly from their Facebook profile). Now - this is a great feature and I'm sure many web sites would benefit and see a nice increase in their daily registrations.

    However, there's another side to this cool new feature: it's completely open to clickjacking attacks. Until now, we were able to "steal" cheap likes to pages by hiding the Like button under images of hot girls.

    Well, now we can use this very same technique, but instead of a cheap like, we will get our visitor's real name, birth date, email address, gender, and location.

    Just with a single click ANYWHERE on ANY page outside and inside Facebook.

    What can I say... Facebook just exposed our info to the world even more. Now we are at risk of exposing our identity with every click we do, and we do thousands each day.

    Privacy? Facebook doesn't give a shit about our privacy. They just want to be everywhere on the web. The problem is that they carry our personal data with them....
     
    • Thanks x 2
  2. locknload007

    locknload007 Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 14, 2010
    Messages:
    475
    Likes Received:
    67
    Basically what you are saying is, if they click anywhere on your site, you will automatically register them, if they are a FB user, maybe even only if they are logged in.

    So, instead of clickjacking a like, you are clickjacking a registration.
     
  3. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    registerjacking.. brilliant fb, you have done it again :confused:

    They could have done little things to make this more secure while only sacrificing a minuscule amount of functionality.. but DAMMIT they really just don't give a fuck about people's privacy do they?
     
  4. ``Yousef

    ``Yousef Power Member

    Joined:
    Oct 16, 2009
    Messages:
    534
    Likes Received:
    286
    Location:
    Cooking up the medicine.
    Home Page:
    Nope, although Mark happily sits there at conferences and when faced with privacy questions leans towards user enabled/disabled privacy ability. However, I think it's also clear that while they give you the option to keep your privacy safe, they don't really want you doing it.

    @OP: Hasn't this already kind of been done with Facebook Connect? I don't mean the registration form, but more along the lines of Facebook / external website interaction which is more than just a like or share. What's the benefit for Facebook on this one?

    Ignore me if that's a stupid question, it's 2am and I'm tired as fuck /peace.
     
  5. LiamLC

    LiamLC Regular Member

    Joined:
    Nov 1, 2009
    Messages:
    408
    Likes Received:
    282
    Occupation:
    Student/Webmaster
    Location:
    UNTRACEABLE...
    wow that never even occurred to me when I heard about this. Thanks
     
  6. phph5

    phph5 Regular Member

    Joined:
    Aug 7, 2010
    Messages:
    225
    Likes Received:
    42
    I did some further investigation and it seems like they have taken some steps to improve security - once you click on the Register button (and this click can be easily hijacked), another window opens which tells you that you are about to register with "Application name", where you need to press a Continue button. Only after you press that button will you provide your details to the site you are registering to.

    This second window has frame-busting protection which makes it somewhat protected, but not entirely. There are still security holes, but I will not go into details.
     
    • Thanks x 1
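The post above describes the confirmation window's frame-busting protection as "somewhat protected, but not entirely". The following is an added example, not code from the thread or from Facebook, showing what such a script typically does and why a defender should pair it with the browser-enforced headers instead of relying on the script alone. The function names (`isFramed`, `bustFrame`, `antiClickjackHeaders`) and the fake `window`/`document` objects are assumptions made so the logic can run outside a browser.

```javascript
// Added example (not from the original thread): classic frame-busting check for a
// confirmation page, plus the header-based defense that replaces it.

// Reports whether the page is rendered inside another document's frame.
// The window is passed in so the logic can be exercised with plain objects.
function isFramed(win) {
  try {
    return win.self !== win.top;
  } catch (e) {
    // Reading win.top can throw on a cross-origin parent; that is itself
    // evidence that we are framed, so treat it as such.
    return true;
  }
}

// Legacy frame-busting pattern: the document is served with its body hidden
// (display:none) and only revealed once the script confirms it is top-level.
// If it is framed, attempt to replace the framing page with our own URL.
// Returns what was decided so the behaviour can be checked.
function bustFrame(win, doc) {
  if (isFramed(win)) {
    try {
      win.top.location = win.self.location;
    } catch (e) {
      // A cross-origin or sandboxed parent may block this navigation, which is
      // exactly why script-only protection is "not entirely" reliable.
    }
    return 'busted';
  }
  doc.body.style.display = 'block';
  return 'top-level';
}

// Robust alternative: tell the browser not to frame the page at all.
// X-Frame-Options covers older browsers; CSP frame-ancestors is the modern
// equivalent and also supports an explicit allow-list of framing origins.
function antiClickjackHeaders(allowedAncestors) {
  const headers = {};
  if (!allowedAncestors || allowedAncestors.length === 0) {
    headers['X-Frame-Options'] = 'DENY';
    headers['Content-Security-Policy'] = "frame-ancestors 'none'";
  } else {
    // Only a CSP directive can express an allow-list of several origins.
    headers['Content-Security-Policy'] =
      'frame-ancestors ' + allowedAncestors.join(' ');
  }
  return headers;
}

// Constructed stand-in objects so the example runs without a browser.
function demo() {
  const topWin = {};
  topWin.self = topWin;
  topWin.top = topWin;
  const frameWin = { self: null, top: topWin, location: 'https://app.example/confirm' };
  frameWin.self = frameWin;
  const doc = { body: { style: { display: 'none' } } };
  return {
    topLevel: bustFrame(topWin, doc),
    framed: bustFrame(frameWin, doc),
    headers: antiClickjackHeaders([]),
  };
}
```

The frame-busting script is only a best-effort check: a framing page can sandbox the iframe or otherwise interfere with the navigation, so the confirmation step stays clickable under an overlay. The `X-Frame-Options: DENY` / `frame-ancestors 'none'` response headers are enforced by the browser before any script runs, which is why they are the mitigation a defender should ship on any page whose single click commits the user to something.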
  7. MakeLoot

    MakeLoot Registered Member

    Joined:
    Dec 14, 2010
    Messages:
    52
    Likes Received:
    2
    That's why they released it, to see what methods people are using to "harm" their system, to ensure they have their devs keep an eye on the techniques used to infiltrate.
    it is almost impossible to prevent click jacking but they can do a number of things to monitor click jacks and weed out suspicious accounts and their ips and other data fb collects.
     
  8. facebookdude

    facebookdude Elite Member

    Joined:
    Feb 28, 2010
    Messages:
    1,506
    Likes Received:
    2,490
    I always knew they were gonna do this. They want one login for the whole internet. So instead of a members area in your website they login through fb to get into it.
     
  9. swipetek

    swipetek Registered Member

    Joined:
    Sep 15, 2008
    Messages:
    54
    Likes Received:
    30
    It's funny though.. People complaining about security. If you want security, don't put yourself all over the internet. Once you release your data to a LARGE business, you might as well kiss it good bye.
     
  10. oinky222

    oinky222 Regular Member

    Joined:
    Oct 2, 2010
    Messages:
    389
    Likes Received:
    175
    Someone should move this thread to the VIP section. I've heard that Facebook staff regularly browse these forums and as soon as they read this, it may be changed.
     
  11. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Ahh ok, earlier today they weren't breaking out, it was just one click and registered. I guess even FB is not that stupid.

    Yea it would be good if you didn't mention such things at all..
     
  12. phph5

    phph5 Regular Member

    Joined:
    Aug 7, 2010
    Messages:
    225
    Likes Received:
    42
    The second step definitely hurts user experience (and basically makes the new registration tool as clumsy as the regular Connect for external websites, whereas the goal was to streamline this exact feature), but I guess they were forced to implement it due to the blatantly obvious security risk involved.
     
  13. xbotx

    xbotx Newbie

    Joined:
    Aug 1, 2010
    Messages:
    18
    Likes Received:
    2
    Google actually already have this - however, secretly, the login for your google account tracks everything you search and a hell of a lot of what you do! It also does bias local search, also another huge piece of spyware - Google Chrome!
     
  14. Grizzy

    Grizzy Senior Member

    Joined:
    Nov 11, 2008
    Messages:
    919
    Likes Received:
    999
    Haha yeah when I first tried that iframe out earlier today I couldn't believe my eyes.

    I want to test this out on a wh site and see if people are more likely to "register" than connect, but at first glance I'm not sure if it's a good replacement for Connect on websites. Even with a "basic connect" you get a little blip in the newsfeed, and I haven't seen that so far with this. I'm also curious to see what they say about this in the platform policies, as there are no new revisions yet.. Wait and see I guess.
     
  15. moneyrocks

    moneyrocks Supreme Member

    Joined:
    May 22, 2009
    Messages:
    1,205
    Likes Received:
    135
    Seems like we are all going to make some more money from this thing before they know what is happening. Let's get ready to make more money, guysss....
     
  16. frngdrn

    frngdrn Regular Member

    Joined:
    Jun 15, 2010
    Messages:
    234
    Likes Received:
    20