Home/ Questions/Q 7696959
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-31T21:54:05+00:00

Using JavaScript SDK, it is possible to wall post with user’s consent. Since It

  • 0

Using JavaScript SDK, it is possible to wall post with user’s consent. Since It can be done entirely on client side, how to prevent someone to post something to their wall on behalf of my application, tampering with fields the fields like “picture”, “link”, “caption” and “description”?

Edit for the bounty:

Bragging is an essential part of any game, including online games. In my web game I want to enable users to brag on Facebook when they win, but I don’t want them to be able to forge some post and send via my application, what would allow them to brag without actually winning. They may only publish something via my application if I actually allow them to do (I can only imagine some way to ensure this by using some authenticated server side API).

Facebook’s Feed Dialog allows developers to prompt users if they want to publish something in their wall, and I well could use it to publish the user’s winning story. The problem is that that API is entirely client-side, and can be used via Javascript SDK or just by forging an URL. I was able to forge a post in the name of my application by just filling the fields in an URL, like this given example:

https://www.facebook.com/dialog/feed?
  app_id=123050457758183&
  link=https://developers.facebook.com/docs/reference/dialogs/&
  picture=http://fbrell.com/f8.jpg&
  name=Facebook%20Dialogs&
  caption=Reference%20Documentation&
  description=Using%20Dialogs%20to%20interact%20with%20users.&
  redirect_uri=http://www.example.com/response

The problem is that I was unable to forge such request for an existing application, like Robot Unicorn Attack : Evolution. Thus, either 1) I don’t know how to forge a request to this application and that is still possible and there is no safety or 2) it is possible to prevent client side exploitation of the Facebook’s API, and I don’t know how to do this on my application.

So, for the bounty sake, I will consider a proper answer either 1) some proof that it is always possible to forge a post on behalf of some application, and by that I would require a way to post whatever I want on behalf of Robot Unicorn Attack : Evolution, or 2) a way to prevent users to forge feed posts on behalf of my application, in a way I can no longer do it without having server-side only information.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    If you want to post anything on behalf of Robot Unicorn Attack : Evolution do the following:

    0) Make sure you have added the app.

    1) Using Chrome, go to https://s.adultswim.com/games3/fb-game-files/robotunicornattackevolution-sec/index.html (this URL was located by inspecting the action of the form tag above the iframe of the content on the canvas page)

    2) Open Developer Tools

    3) In the Console paste this:

    FB.ui({
    method: 'feed',
    name: 'There is no security',
    link: 'https://developers.facebook.com/docs/reference/dialogs/',
    picture: 'http://fbrell.com/f8.jpg',
    caption: 'I can post whatever i want',
    description: 'Dialogs provide a simple, consistent interface for applications to interface with users.'
  },
  function(response) {
    if (response && response.post_id) {
      alert('Post was published.');
    } else {
      alert('Post was not published.');
    }
  });

    4) Hit enter and see the dialog pop up on the page

    • 0