When a user logs into Facebook using the popup displayed by the FB.login() call, the JS SDK plants a cookie on my domain containing the OAuth access_token in plain text. Then this cookie is sent to my server with every subsequent request – and it's pretty obvious that not every request uses https.
Isn’t this a security problem? If so, then how to solve it?
An attacker who is able to sniff the network traffic (e.g. on a wireless LAN) can read the cookie and pretend to be the person it was created for.
This is not really an issue because the same attack works on the Facebook pages themselves: only the username/password authentication is done via https. All following pages use unencrypted http, which contains the cookie.
There is an easy-to-use Firefox extension which allows stealing of cookies if you are able to sniff the network traffic: http://codebutler.com/firesheep
PS: stackoverflow.com is vulnerable, too.