Vulnerabilities / Threats
06:47 PM
Connect Directly

Facebook Plans Encryption To Fix Privacy

Developers have been asked to review a proposal to encrypt information passed through Facebook application URLs.

Responding to concerns raised earlier this week that popular Facebook apps expose user identification numbers (UIDs), Facebook on Thursday proposed addressing the issue through encryption.

Facebook engineer Mike Vernal published the proposal on the Facebook developer's blog, noting that Facebook hopes to lay the groundwork to implement encrypted UIDs over the next few weeks and then to add support for encryption following community feedback. A specific migration timeline will be announced later.

The issue is that certain Facebook apps transmit UID numbers, which may be used to identify Facebook users and link actions at other Web sites to a Facebook identity. When a Facebook user requests a Web page with images or other resources, the user's browser may send HTTP header information that includes the URL of the Web page. For a particular type of Facebook Platform application, an iframe-based canvas application that includes a third-party iframe or resource, the HTTP Referrer header may include the user's UID number once the user has authorized the application.

The UID number is used to personalize Web pages. It's what allows Web pages to include information about one's friends. Unfortunately, it can also compromise user privacy, particularly if the user is not aware that his or her UID is being shared.

Vernal says that while some Facebook developers have been employing page redirection or "double framing" to remove UIDs from URLs, Facebook wants to develop a better fix for the problem.

The change will prevent the accidental sharing of UIDs through the Referer header; it won't stop deliberate UID sharing that violates Facebook's developer rules.

It also won't make HTTP Referer headers less prone to exposing information related to other Web sites or Web applications.

"While this proposal will address the inadvertent sharing of this information on Facebook, the underlying issue of data sharing via HTTP headers is a Web-wide problem," wrote Vernal. "We look forward to working with the Web standards community and browser vendors over the coming months to help address this issue."

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
White Papers
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
According to industry estimates, about a million new IT security jobs will be created in the next two years but there aren't enough skilled professionals to fill them. On top of that, there isn't necessarily a clear path to a career in security. Dark Reading Executive Editor Kelly Jackson Higgins hosts guests Carson Sweet, co-founder and CTO of CloudPassage, which published a shocking study of the security gap in top US undergrad computer science programs, and Rodney Petersen, head of NIST's new National Initiative for Cybersecurity Education.