Inside Facebook

Following Security Problem, Facebook Moves to OAuth 2.0, HTTPS and SSL Certificates

Posted: 10 May 2011 10:49 PM PDT

Facebook is telling developers today to plan to migrate to newer security standards on the platform — a mostly-planned migration whose roadmap was accelerated because of a data leak discovered by security firm Symantec. Developers will need to migrate to the OAuth 2.0 open standard by September 1 of this year, and they’ll need to have obtained an SSL certificate (not a straightforward process) by October 1.

The security issue was that some applications using an older authentication system could have leaked access to user accounts to third parties, which is conceptually similar to the leaked user identity numbers issue that got so much attention last fall. In this case, older Facebook iframe-based applications would first ask users for permissions such as accessing friends lists, posting to the user’s profile wall, or accessing the profile while the user was offline. Facebook would then send a permission token back to the app in an insecure format, and that token could then be shared (intentionally or not) with others, such as advertising networks using it for better ad targeting.

It’s not clear what the scope of the problem is. Symantec, which sells security software and so has a stake in there being problems to solve, estimates that more than 100,000 applications had this problem as of last month. It’s not clear how many apps have been leaking tokens, nor for how long.

In response, Facebook reiterates a variety of security steps it is taking, and it also says it has not seen evidence of the tokens being used in a way that violates its policies (which don’t allow third parties to resell data).

The real-world implications of the issue appear to be this: a subset of users who use apps (some users don’t), who also used apps that were leaking data, may have provided a set of permissions that possibly exposed information and access points to unknown parties. So, without more evidence, probably not that terrible. Or as security researcher Joey Tyson summed up earlier today: “Facebook cred leak: 1) Yrs old, 2) not passwords, 3) not OAuth-specific, 3) hard to fix, 4) has caveats, 5) FB monitors, 6) fix in progress.”

In any case, here’s the developer roadmap for the changes, via the company developer blog post today:

  • July 1: Updates to the PHP and JS SDKs available that use OAuth 2.0 and have new cookie format (without access token).
  • September 1: All apps must migrate to OAuth 2.0 and expect an encrypted access token.
  • October 1: All Canvas apps must process signed_request (fb_sig will be removed) and obtain an SSL certificate (unless you are in Sandbox mode). This will ensure that users browsing Facebook over HTTPS will have a great experience over a secure connection.
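The October 1 item requires Canvas apps to process signed_request instead of the old fb_sig parameters. As an added example (not the page's text and not Facebook's SDK code), here is how an app verifies one in Python. It assumes the signed_request format Facebook documented: an unpadded base64url HMAC-SHA256 signature, a dot, then the base64url JSON payload, with the HMAC computed over the encoded payload using the app secret. The app secret and payload below are constructed values.

```python
import base64
import hashlib
import hmac
import json

# Constructed values for the example; a real app secret comes from the app's
# settings and must never be sent to the browser or shared with third parties.
APP_SECRET = b"constructed-app-secret-not-real"

def b64url_decode(s: str) -> bytes:
    # signed_request uses unpadded base64url; restore the padding before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).decode().rstrip("=")

def make_signed_request(payload: dict, secret: bytes) -> str:
    """Build a sample signed_request (Facebook does this server-side; used here only for test data)."""
    encoded_payload = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, encoded_payload.encode(), hashlib.sha256).digest()
    return b64url_encode(sig) + "." + encoded_payload

def parse_signed_request(signed_request: str, secret: bytes):
    """Return the payload dict if the signature verifies, otherwise None."""
    try:
        encoded_sig, encoded_payload = signed_request.split(".", 1)
        payload = json.loads(b64url_decode(encoded_payload))
        sig = b64url_decode(encoded_sig)
    except ValueError:  # covers a missing ".", bad base64 and bad JSON
        return None
    if not isinstance(payload, dict) or str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        return None
    expected = hmac.new(secret, encoded_payload.encode(), hashlib.sha256).digest()
    # Constant-time compare so a forged signature cannot be probed byte by byte.
    if not hmac.compare_digest(expected, sig):
        return None
    return payload

# Constructed sample: the kind of value a Canvas app receives in the POST body after migration.
SAMPLE_PAYLOAD = {"algorithm": "HMAC-SHA256", "user_id": "123456",
                  "oauth_token": "CONSTRUCTED_TOKEN", "expires": 1305104400}
SAMPLE = make_signed_request(SAMPLE_PAYLOAD, APP_SECRET)

def tampered_sample() -> str:
    # Same signature, altered payload: verification must reject it.
    sig, _ = SAMPLE.split(".", 1)
    forged = dict(SAMPLE_PAYLOAD, user_id="999999")
    return sig + "." + b64url_encode(json.dumps(forged).encode())
```

Because the token travels inside a signed payload rather than as a bare URL parameter, an app that only trusts what parse_signed_request returns cannot be handed a forged user_id, and the server-side secret is what binds the request to the app.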

Facebook Seeks Exemption From Political Campaign Disclosure Regulations for Its Ads

Posted: 10 May 2011 03:52 PM PDT

Facebook is asking the Federal Election Commission to declare its sidebar ads exempt from campaign regulations that require disclosure of who paid for and authorized campaign ads, reports Talking Points Memo. Facebook is citing the FEC’s “small items” and “impractical” exceptions because its ads are too small to contain content and the disclosure. It is also noting an exemption Google obtained for search ads in October 2011.

Since Facebook ads are similar in size to Google search ads, and given Facebook’s argument that increasing ad size to accommodate disclosure would disrupt its business and the user experience, we believe the FEC will grant Facebook an exemption.

The Federal Election Campaign Act and section 110.11 of the Commission’s regulations require a disclaimer of the political committee that purchased a campaign ad. Facebook’s main points from the 14-page letter it sent to the FEC asking for exemption for ads on the site are:

  • The Commission has consistently interpreted campaign rules to permit the use of new technology
  • Facebook’s ads are small enough that they should be exempt under the “small items” and “impractical” exceptions, because the disclosure alone could take up the entirety or majority of a Facebook ad or Sponsored Story
  • Facebook has purposefully opted for smaller ads so as not to disrupt the social experience, meaning that increasing their size to permit disclosure would disrupt its business and strategy
  • 160-character text messages are exempt, and Facebook ads also have a text limit of 160 characters
  • Google search ads, which are of a similar size to Facebook ads, were made exempt
  • Ads on bumper stickers, pens, buttons, skywriting and apparel are exempt because they are “small items” and disclosure there would be impractical
  • The internet’s low cost of entry allows groups with “limited funds to maintain a voice on the internet”
  • Exceptions of this sort allow politicians to reach young voters who can be difficult to contact through traditional means, helping stimulate and empower them in the political process
  • Facebook is not requesting an exemption for all online ads

With precedent and general spirit of the law favoring exemption for Facebook ads, it would make sense for the FEC to approve the request. This would help Facebook continue to grow in importance to the political landscape without changing the unobtrusive nature of Facebook ads that preserve the user experience while funding the site.

Disney, Omar ibn al-Khattab, Shakira, FC Barcelona, Converse and More on This Week’s Top 20 Growing Facebook Pages

Posted: 10 May 2011 08:30 AM PDT

Interesting list this week of the top 20 fastest growing Facebook Pages, topped as it was by an important figure in Islam and rounded out by the usual music and media suspects, football (soccer) Pages and brands. The Pages on the list gained between 415,700 and 718,500 Likes; we measure their growth with our PageData tool.

Top Gainers This Week

Rank | Page | Total Likes | Gain | Gain %
1. | عمر ابن الخطاب | 718,508 | +718,508 | +0.0%
2. | Facebook | 39,919,219 | +644,432 | +2%
3. | Shakira | 28,612,669 | +624,935 | +2%
4. | Disney | 22,447,307 | +621,316 | +3%
5. | Bruno Mars | 4,938,562 | +580,010 | +13%
6. | Rihanna | 32,245,767 | +579,908 | +2%
7. | Harry Potter | 22,840,163 | +577,651 | +3%
8. | Eminem | 35,508,247 | +541,834 | +2%
9. | Converse | 16,062,159 | +511,081 | +3%
10. | YouTube | 32,900,328 | +494,971 | +2%
11. | MTV | 21,090,310 | +494,880 | +2%
12. | Cristiano Ronaldo | 25,456,710 | +467,554 | +2%
13. | Texas Hold’em Poker | 42,274,198 | +461,390 | +1%
14. | Lady Gaga | 33,699,659 | +455,883 | +1%
15. | The Simpsons | 25,886,683 | +452,690 | +2%
16. | FC Barcelona | 14,383,898 | +442,778 | +3%
17. | Will Smith | 17,496,871 | +440,513 | +3%
18. | Manchester United | 13,333,215 | +436,874 | +3%
19. | Barack Obama | 20,179,013 | +422,131 | +2%
20. | Katy Perry | 24,272,125 | +415,682 | +2%

As mentioned, the top Page on our list this week was for عمر ابن الخطاب, or Omar ibn al-Khattab, one of the key leaders of early Islam. The Page gained its entire total this week, 718,500 Likes. Another prominent figure, United States President Barack Obama, also made the list with 422,100 new Likes, probably just because he's been in the news a lot lately as his presidential campaign for 2012 has begun. All-around celebrity Will Smith‘s Page grew by 440,500 without any updates at all this week.

A variety of big name brands were on our list this week, too. Facebook's Page grew by 644,400 Likes and Converse's Page by 511,100 Likes, likely because both are very active with inviting status updates, and Converse is currently running a tab promotion to give away 15 free iTunes downloads to fans. YouTube's Page added about 495,000 Likes while Texas Hold'em Poker added 461,400.

Media companies and outlets were big on the list. Disney's Page added 621,300 Likes in part by touting its Likes across franchises on Facebook, encouraging fans to Like its Page and publishing photos from classic films almost daily. The "Harry Potter" movie Page grew by 577,700 Likes; this Page is constantly promoting the next film, and movie-related news and promotions. MTV's Page grew by 494,900 Likes by promoting its programming and other content very actively. "The Simpsons" Page grew by 452,700 Likes by promoting its episodes.

Then, of course, there was music.

Shakira's Page added 624,900 Likes while she promotes her music tour. Bruno Mars grew his Page by 580,000 Likes by promoting concerts as well. Rihanna's 579,900 Likes may have been attracted by her new video premiere while Eminem's Page with 541,300 Likes touted a new single in which he makes an appearance. Lady Gaga's 455,900 new Likes could have been drawn in by the release of her new singles and video while Katy Perry's 415,700 new Likes came during a time when she promoted her concerts and coverage in the press.

Finally, there was football (soccer). Cristiano Ronaldo's Page added 467,600 Likes as he updated fans on his games and football-related activities. FC Barcelona added 442,800 Likes and Manchester United 436,900. All three Pages ask fans on a welcome tab to Like the Page.

New Facebook Platform Industry Hires: BranchOut, Involver, Vitrue and Wildfire

Posted: 10 May 2011 08:00 AM PDT

Companies appear to be hiring for technical and sales positions this week in our look at hires across the Facebook platform.

If your company is hiring new people or making a notable promotion, please let us know. Email mail (at) insidefacebook (dot) com, and we'll get it into next week's post. Also, please note that information about most new hires, below, comes directly from company updates from LinkedIn.

Looking for new opportunities? Check out the Inside Network Job Board, which shows the latest openings at leading companies in the industry.

Here's this week's list of hires:

BranchOut

  • Taylor Raquer, Marketing Associate – formerly a student at the University of Washington.

Involver

  • Jed Wheeler, Interface Engineer/Technical Trainer – previously a technical trainer at Academy X and designer at CircleAlpha Designers.

Vitrue

  • Eric Guerin, UI Engineer – formerly a software engineer at EADOC.

Wildfire

  • Tom Callen, Sales Executive – previously an agent at New York Life Insurance Company.
  • Vincent Ng, Account Executive – formerly worked as a Sales Associate at the company.
  • Scott Schroeder, Sales Associate – previously an analyst at Cohen Financial.