
As you all know, recent privacy concerns made Facebook change its basic API and add some security restrictions. In my experience most old applications are unaffected, but you will run into trouble when you create a new application. By default you cannot access a user's photos, profile pictures, albums etc. If you continue with the old REST API you may face this problem: you get an empty array or JSON string when you call the photos.getAlbums function.

If you test these functions from the Facebook Console Tool:

http://developers.facebook.com/docs/reference/rest/photos.getAlbums

It returns real data when you select an old application and an empty array [] if you select your newly created Facebook app.

To get access to all of that, you need to use the new Graph API.

But if you follow the same steps mentioned in that official document, you will still get this empty-array problem, because the basic authentication call does not ask for any permission type. You only see a basic message with Allow and Deny buttons.

According to that document, as part of authentication you call this URL with your client id and redirect URL, and it returns an access_token after a #:

https://graph.facebook.com/oauth/authorize?
    client_id=...&
    redirect_uri=http://www.example.com/oauth_redirect

You need to use this access_token to request all other functions, e.g.:

https://graph.facebook.com/me?access_token=...

This call will work for most requests except photos or albums, so the mistake in these calls is the missing permission.

Here is the correction:

https://graph.facebook.com/oauth/authorize?
    client_id=...&
    redirect_uri=http://www.example.com/oauth_redirect&perms=publish_stream,user_photos

Here we pass the perms parameter to request additional permissions; if you use the access_token obtained after this request, you can access user photos and albums. You will see another permission popup asking for album and photo access.
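As an added example (not code from the original post), here is how the two URLs above fit together in Python: building the authorize URL with the perms parameter, reading back which permissions it requests so you ask for no more than your app needs, and pulling the access_token out of the fragment after the #. The client id and token values are constructed placeholders.

```python
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Endpoint from the post; the parameter names follow the post's corrected URL.
AUTHORIZE_ENDPOINT = "https://graph.facebook.com/oauth/authorize"


def build_authorize_url(client_id: str, redirect_uri: str, perms=()) -> str:
    """Build the authorize URL. `perms` is the comma-separated list of extended
    permissions; without user_photos a token is still issued, but photo and
    album calls made with it return an empty array."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri}
    if perms:
        params["perms"] = ",".join(perms)
    return f"{AUTHORIZE_ENDPOINT}?{urlencode(params)}"


def requested_perms(authorize_url: str) -> set:
    """Read back which permissions a URL asks for, to confirm the request is
    limited to the ones the application actually needs."""
    query = parse_qs(urlparse(authorize_url).query)
    return {p for p in query.get("perms", [""])[0].split(",") if p}


def extract_access_token(redirect_url: str) -> Optional[str]:
    """The token arrives after the '#', i.e. in the URL fragment, not in the
    query string; a denied request carries no token and yields None."""
    fragment = urlparse(redirect_url).fragment
    return parse_qs(fragment).get("access_token", [None])[0]


if __name__ == "__main__":
    # CONSTRUCTED values: the client id and token are placeholders, not real ones.
    url = build_authorize_url("CLIENT_ID_PLACEHOLDER",
                              "http://www.example.com/oauth_redirect",
                              ["publish_stream", "user_photos"])
    print(url)
    print(requested_perms(url))
    print(extract_access_token(
        "http://www.example.com/oauth_redirect#access_token=CONSTRUCTED_TOKEN&expires_in=3600"))
```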

Here is the list of such extended permissions in Facebook.

This is the problem you hit when you use the new JavaScript SDK for the Graph API, or when you integrate these APIs in PHP, Perl or any other server-side scripting language from scratch.

If you use the new Facebook PHP Graph SDK you will not hit this problem, but there is still another hidden problem if you keep testing with the example code they provide.

That is the subject of my next post. See you there.

Thanks

Sajith


· · · ◊ ◊ ◊ · · ·


If your website serves https pages, or at least some of its pages (payment pages etc.) over https, keep the following in mind. Some browsers, especially IE, show a warning about non-secure content on a secure page. This gives the user the feeling that the website is not secure.

  1. Always use relative URLs. A relative URL is one that does not start with http:// or https://.
  2. If you need a full URL, build the base name dynamically in your programming language. For example in PHP, define BASE_URL = http://www.yoursite.com and use this constant in every link and form. Switch the BASE_URL value between http and https depending on the protocol of the current request (check $_SERVER['HTTPS']; $_SERVER['HTTP_HOST'] only gives the host name).
  3. Check inside JavaScript functions whether they call any non-secure URL (for example, sometimes you may use a full URL inside JavaScript). Use an if condition to decide which protocol to use, like Google Analytics does:
    eg: (("https:" == document.location.protocol) ? "https://ssl." : "http://www.")
  4. Check whether any Flash content tries to load data from a non-secure URL. There is a chance it loads XML configuration files over http.
  5. Also check the codebase parameter value in the object tag (Flash or other media), whether it points to an http or https URL. This URL often appears in Flash embeds:
    codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,115,0"
    Change this URL to https://download…

  6. If you use Facebook Connect or a similar integration, check the JavaScript initialisation code:
    FB.init("78bc8ffb87c41eabb6395a2045c76021", "/xd_receiver.htm");
    Inside the xd_receiver.htm file, the cross-domain callback is a non-secure (http) URL. Change this to xd_receiver_ssl.htm and use the new code, which is available in the Facebook documentation.

Tools like Fiddler can be used to check which URL is non-secure; Firebug does not show all non-secure connections. If the above steps do not solve your problem, try disabling JavaScript files one by one to find out which call causes the problem, and do the same with Flash objects.
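The checks in steps 1 to 5 can be partly automated before you reach for Fiddler. As an added example, not code from the original post, this Python scanner reports every sub-resource reference in a page that still uses http:// and rewrites an absolute URL to the protocol-relative form; the sample page it runs over is constructed here.

```python
from html.parser import HTMLParser

# Tag/attribute pairs that make the browser fetch a sub-resource; a plain http://
# value in one of them on an https page triggers the "non-secure content" warning.
SUBRESOURCE_ATTRS = {
    "img": {"src"}, "script": {"src"}, "iframe": {"src"}, "embed": {"src"},
    "link": {"href"}, "object": {"codebase", "data"}, "param": {"value"},
    "form": {"action"},
}

class MixedContentFinder(HTMLParser):
    """Collects (tag, attribute, url) for every http:// sub-resource reference."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag, ())
        for name, value in attrs:
            if name in wanted and value and value.lower().startswith("http://"):
                self.findings.append((tag, name, value))

def find_mixed_content(html: str):
    """Return the list of insecure references found in an HTML document."""
    parser = MixedContentFinder()
    parser.feed(html)
    parser.close()
    return parser.findings

def to_protocol_relative(url: str) -> str:
    """Rewrite an absolute http(s) URL so it inherits the page's protocol,
    which is what steps 1 and 2 of the list aim for."""
    for prefix in ("http://", "https://"):
        if url.lower().startswith(prefix):
            return "//" + url[len(prefix):]
    return url

# CONSTRUCTED sample page (not from the original post): the script and the Flash
# codebase are fetched over http and should be reported; the other lines are fine.
SAMPLE_PAGE = """
<img src="/images/logo.png">
<img src="https://ssl.example.com/pixel.gif">
<script src="http://www.example.com/js/tracker.js"></script>
<object codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=9,0,115,0">
  <param name="movie" value="/media/player.swf">
</object>
<a href="http://www.example.com/about">About</a>
"""
```

A plain anchor's href is navigation rather than a fetched sub-resource, so the scanner deliberately leaves it alone.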

Good luck guys

Cheers

Sajith


· · · ◊ ◊ ◊ · · ·

Guess what will happen if you add an image like below in your html page:

<img src="http://mail.google.com/mail/?logout&hl=en" />

It does not appear on the page, but your Google account in another window or tab gets logged out. So an external website can log you out of your Gmail or Orkut.

If you coded your website to delete a photo or object with a URL like www.domainname.com/photos/delete?id=221, you may think that, since you check user authentication on the server side, no one else can delete your file. But what if you are logged in in one tab and in a second tab you load another website (the attacker's)? He can place lots of hidden images with src = www.domainname.com/photos/delete?id=22 (he can try ids from 0 to 1000 or 10,000, and any one of them may be your object).

Here the authentication passes, because the cookies and session are already set in the other tab, and the request affects (updates or deletes) your content.

Those who think "I use the POST method, so I am safe": sorry, you are wrong. JavaScript can also simulate a POST, and with it an external website can submit your forms (for example, it can submit the form that changes the email address you registered with, and later reset the password to take over your account).

This will not happen if you use a CAPTCHA, but it is very hard to put a CAPTCHA on every form. You can defeat this attack with an additional parameter (a randomly generated string) in the GET URL or the POST form submission.

For example, check the url to delete a mail in gmail.

http://mail.google.com/mail/?ui=2&ik=42e598c952&at=xn3j2ufyx273muje67ot1fsxsnbmnl&view=up&act=tr&rt=j&search=inbox

There is an extra string alongside the useful parameters. An external application cannot predict the exact URL to delete a particular mail, so the img src trick fails here.

The same thing is needed for the POST method. Add a hidden field carrying the random string and check it on the server before updating the database.

This problem is called CSRF (Cross-Site Request Forgery).
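As an added example (not code from the original post), here is the random-string check in Python for the hypothetical /photos/delete handler the post uses: the token is issued into the session, placed in a hidden form field, and verified before the delete runs, so both the forged image request and the script-driven POST described above are rejected. The session and request dictionaries stand in for a real web framework.

```python
import hmac
import secrets

def issue_csrf_token(session: dict) -> str:
    """Generate the random string for the hidden form field and remember it
    in the user's server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token

def verify_csrf_token(session: dict, submitted: str) -> bool:
    """True only if the submitted string matches the one stored in the session."""
    expected = session.get("csrf_token")
    if not expected or not submitted:
        return False
    # Constant-time comparison so response timing does not leak the token.
    return hmac.compare_digest(expected, submitted)

def render_delete_form(session: dict, photo_id: int) -> str:
    """The form the legitimate page serves; the token travels in a hidden field
    that a page on another origin cannot read."""
    token = issue_csrf_token(session)
    return (f'<form method="POST" action="/photos/delete">'
            f'<input type="hidden" name="id" value="{photo_id}">'
            f'<input type="hidden" name="csrf_token" value="{token}">'
            f'<input type="submit" value="Delete"></form>')

def handle_delete_photo(request: dict, session: dict) -> str:
    """HYPOTHETICAL handler for /photos/delete: a state change needs POST plus a
    valid token, so neither a hidden <img src=...?id=22> (GET, no token) nor a
    script-driven POST from another site (no token) gets through."""
    if request.get("method") != "POST":
        return "405 state-changing requests must use POST"
    form = request.get("form", {})
    if not verify_csrf_token(session, form.get("csrf_token", "")):
        return "403 missing or invalid CSRF token"
    return f"200 deleted photo {form.get('id')}"

if __name__ == "__main__":
    session = {"user": "alice"}          # constructed session
    print(handle_delete_photo({"method": "GET"}, session))
    html = render_delete_form(session, 221)
    print(handle_delete_photo({"method": "POST", "form": {"id": "22"}}, session))
    print(handle_delete_photo(
        {"method": "POST", "form": {"id": "221", "csrf_token": session["csrf_token"]}}, session))
```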

Thanks
Sajith

