Slashdot Mirror


Facebook Removes Firewall from Applications

NewsCloud writes "Last week, Facebook quietly removed sign-in restrictions that previously hid third party applications from the public Web. In other words, Facebook now allows its third party applications to be viewable on the Web by anonymous visitors and indexable by search engines. Web developers can now build an application using Facebook's platform usable by anyone on the Internet — not just Facebook members (e.g. the Lending Library). In doing so, developers can leverage Facebook's login and registration as well as its other platform services, which are becoming increasingly substantial. Facebook may be trying to gain advantage as a universal authentication gateway for public Web applications. If successful, it could further hamper efforts to establish OpenID. This will also help the company break out of its earlier AOL-like walled-garden strategy."


  1. And... by owlnation · Score: 5, Funny

    Facebook users organize a mass protest against this change in 5... 4... 3... 2... 1...

    1. Re:And... by Anonymous Coward · Score: 2, Funny

      By 'organize a mass protest', I assume you mean 'create another "Facebook sucks" group'?

  2. Opens security Nightmare to web by jdh41 · Score: 2, Interesting

    Now we just need one or two careless fools coding myfirstfacebookapp to make a mistake and people can clean up on information collection...

    1. Re:Opens security Nightmare to web by Tim Browse · Score: 4, Interesting

      Given my experience of coding a facebook app, you have to guess at so much information because it's so poorly documented (esp. the security/authentication stuff) that this is extremely likely.

  3. Scared of OpenSocial? by neuro.slug · Score: 4, Interesting

    Perhaps Facebook (backed by Microsoft $) is now looking to get its apps in other places in order to compete with Google's OpenSocial, maybe?

    1. Re:Scared of OpenSocial? by Shemmie · Score: 2, Interesting

      Add to that CardSpace. Facebook allowing the use of CardSpace for sign-in would give Microsoft a hell of a leg-up in the Social Login game.

  4. Security implications. by palegray.net · Score: 4, Insightful

    To hell with the analogy to AOL's "walled garden"; I envision something more akin to a burning garden if a major security incident were to occur after widespread adoption of this platform for single sign-on functionality. This is the same reason I have always been opposed to Microsoft's ambitions for using their Passport system for wide authentication; my objections had very little to do with my political opinion of Microsoft (which isn't terribly high, but that's beside the point). Diversity in any system is good for competition, and limits the damage any one exploit can cause.

  5. Security of applications by Rinisari · Score: 4, Insightful

    Does this strategy protect the Facebook users' data from being seen by non-Facebook users at the Facebook API level? By this, I mean that Joe Internet User cannot see my data on the Facebook application, and that Facebook is held liable for this, not the application developer? If this cannot be guaranteed, it looks like I might be removing most of my applications, no matter how useful they may be. I trust Facebook a whole lot more than I trust individual people.

    1. Re:Security of applications by mozumder · Score: 2, Insightful

      Applications see people (and their data) that approve the applications.

      So, if a person approves an application, then that application can go ahead and broadcast to the world that person's data.

    2. Re:Security of applications by 5of0 · Score: 2, Informative

      > Does this strategy protect the Facebook users' data from being seen by non-Facebook users at the Facebook API level? By this, I mean that Joe Internet User cannot see my data on the Facebook application, and that Facebook is held liable for this, not the application developer? If this cannot be guaranteed, it looks like I might be removing most of my applications, no matter how useful they may be. I trust Facebook a whole lot more than I trust individual people.

      Um, no. The other replies are woefully errant and FUD. From the announcement (login may be required?):

      > Of course, we're concerned about our users' privacy, and so the only user-specific data available on public canvas pages will be first name and profile picture (and then only if the user's profile picture is already publicly searchable). But you, the application developer, need not worry; FBML tags will automatically handle privacy rules for you.

      So no. And no, I as a FB developer can't get to the data anyway. It works like this:
      1. I write code to do my normal FB app, as if it's logged in.
      2. Someone accesses my canvas page from outside of Facebook.
      3. Any reference to personal data on the page is scrubbed out, except for a) first name and b) profile picture*
      *Available only if the user hasn't disabled public searchability of themselves

      As a dev, I can't get any extra data outside of the "garden" of being logged in (see ** below). It's entirely done on FB's side; I don't (and can't) change anything on my end to make private data more available to non-logged-in instances.
      I'm pretty sure there is a lot more info out there for a lot of us than first name and a picture. And if you're interested in privacy, you've already got the picture disabled, because otherwise it could show up with a Google search.
      So I call FUD. For anyone who is remotely concerned with privacy, the data miners get... your first name. Whoop-de-do. And if you're not concerned? They get a picture. Definitely going to be able to steal your credit card info now! I can run your first name through my picture-to-last-name database and find you!!!!
      Sure, Facebook has made some missteps, but they've done a good job of responding when there is an upswell of legitimate protest.
      This protest is illegitimate and misinformed, and this feature provides little to no privacy risk.

      To summarize: The nasty hax0rs get your first name and, if you don't care about privacy, your picture. And no, there is no way that a dev can give you that information.**
      **Okay, they could cache the information from logged-in sessions in their db and then present it to you, but that would be a) against the TOS and b) stupid, since only cached data would be available, and if you *really* wanted it, you could just create a FB account. You can argue obscure ways that they could present the data, but in the end, there are a lot easier ways, and this provides no additional security breach.
      --
      You all have Oo.o and Firefox, so get World Wind.
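The rendering rule 5of0 describes (the platform, not the developer, substitutes user data into the markup and strips everything except first name and, for publicly searchable users, the profile picture when the viewer is anonymous) can be modelled with a small template filter. The following is an added example written for this page; it is not Facebook's FBML engine, and the tag names, user records and the "public_search" setting are assumptions. It also models the footnoted caveat: data a developer has cached in their own store is interpolated outside the filter and is never scrubbed.

```python
"""Added example: a platform-side template filter enforcing a
"public canvas page" rule. Not Facebook's code; tag names, user
records and privacy flags are assumed for illustration."""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    uid: int
    first_name: str
    last_name: str
    pic_url: str
    status: str
    public_search: bool   # assumed "public search listing" profile setting


# Constructed sample users (not real accounts).
USERS = {
    1001: User(1001, "Alice", "Anderson", "https://pics.example/1001.jpg",
               "is at the library", public_search=True),
    1002: User(1002, "Bob", "Baker", "https://pics.example/1002.jpg",
               "just got engaged", public_search=False),
}

# Hypothetical FBML-like self-closing tags, e.g. <fb:name uid="1001"/>.
TAG_RE = re.compile(r'<fb:(name|profile-pic|user-status)\s+uid="(\d+)"\s*/>')


def render(fbml: str, viewer_logged_in: bool) -> str:
    """Render developer-supplied markup for one viewer. The developer's
    markup only names users; the platform substitutes the values and
    applies the viewer-dependent privacy rules."""
    def substitute(match: re.Match) -> str:
        tag, uid = match.group(1), int(match.group(2))
        user = USERS.get(uid)
        if user is None:
            return ""
        if viewer_logged_in:
            # Logged-in path (friend/network checks omitted in this model).
            if tag == "name":
                return f"{user.first_name} {user.last_name}"
            if tag == "profile-pic":
                return f'<img src="{user.pic_url}">'
            return user.status
        # Anonymous viewer: public canvas page rules.
        if tag == "name":
            return user.first_name
        if tag == "profile-pic":
            return f'<img src="{user.pic_url}">' if user.public_search else ""
        return ""   # every other user-specific tag is scrubbed out
    return TAG_RE.sub(substitute, fbml)


# Constructed developer markup referencing both users.
PAGE = ('<p><fb:name uid="1001"/> <fb:profile-pic uid="1001"/> '
        '<fb:user-status uid="1001"/></p>'
        '<p><fb:name uid="1002"/> <fb:profile-pic uid="1002"/> '
        '<fb:user-status uid="1002"/></p>')


def leaked_fields(html: str) -> set:
    """Which non-first-name values from USERS appear in rendered output."""
    found = set()
    for u in USERS.values():
        for label, value in (("last_name", u.last_name), ("status", u.status),
                             ("pic", u.pic_url)):
            if value in html:
                found.add(f"{u.first_name}:{label}")
    return found


# The footnote's caveat: a developer who cached profile data from
# logged-in sessions interpolates it directly, bypassing the filter.
DEV_CACHE = {1001: "Alice Anderson (cached from a logged-in session)"}


def render_with_cache(viewer_logged_in: bool) -> str:
    return render(PAGE, viewer_logged_in) + f"<p>{DEV_CACHE[1001]}</p>"


if __name__ == "__main__":
    anonymous = render(PAGE, viewer_logged_in=False)
    print(anonymous)
    print("leaked to anonymous viewer:", leaked_fields(anonymous))
    print("leaked via developer cache:", leaked_fields(render_with_cache(False)))
```

The point of `leaked_fields` is that the platform-side rule holds only for data that flows through the platform's tags; anything the application copied out during an authorised session is under the developer's control, which is why the footnote's "cache it in their db" case is a terms-of-service question rather than something the scrubber can prevent.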
  6. Re:hamper? by mustpax · Score: 2, Informative

    Yeah both "AOL, Cordance, JanRain, Microsoft, NetMesh, Six Apart, Sxip, Sun Microsystems, Symantec, Verisign, Yahoo! [and] Google." http://radar.oreilly.com/archives/2007/12/openid_20_final.html Not to mention plugins already available for open source publishing tools such as WordPress.

  7. They would, but... by Anonymous Coward · Score: 2, Funny

    They made the mistake of organizing the protest ON Facebook. Oops.

    Now if you'll excuse me, I hear that you can make big money fast by installing this Facebook app called SendMyPersonalInfoToMotherRussia. I wonder what it does?

  8. how many of you... by mathfeel · Score: 5, Insightful

    like me, started using facebook because it's a walled-garden with well segregated networks? I mean, I don't want pervert457 or randomperson223 to be able to view my profile, or try to flood my inbox (or wall, I suppose). Maybe I am mis-informed, but that's how I perceive MySpace from a lot of media reports including here on /.. Nowadays, facebook seems to become exceedingly bloated with random apps. I just want to check what's up with my friend and his profile takes eons to load (partly his fault of course). I also start to notice that my "notifications" are filled with (non-deletable) items for ads (just saw a Blockbuster one).

    Oh yeah, and this is hilarious...youtube video

    --
    The only possible interpretation of any research whatever in the 'social sciences' is: some do, some don't
    1. Re:how many of you... by maxume · Score: 3, Insightful

      I didn't start using either of them (mostly because I'm too old to have started during school and haven't had other reason). It's getting to be pretty clear that published means just that, regardless of any promises that are made. This is an irritating lesson to learn, but it provides an easy to use guideline.

      --
      Nerd rage is the funniest rage.
  9. Re:plaintext? by pat mcguire · Score: 5, Informative

    instead of http://facebook.com/ use https://facebook.com/ They don't advertise it, but there it is. It doesn't protect anything but your password, however. After sign in you're off of SSL.

  10. OpenID by pw201 · Score: 2, Interesting

    What's to stop the OpenID people writing something which uses a Facebook app as an OpenID server? Best of both worlds, I'd've thought.

  11. What is everyone talking about??? by DeionXxX · Score: 3, Insightful

    This announcement is for APPLICATIONS. No one is going to see YOUR PROFILE! This allows people without facebook logins to see APPLICATIONS, not read your profile. If they want to use those APPLICATIONS, they will have to sign up. Even if they had a facebook profile, they still couldn't see your profile.

    Ohh and another thing. Potential employers can't see your profile unless they submit a "friend request" and you accept them. So there's no issue with anyone searching google and finding your profile.

    1. Re:What is everyone talking about??? by extra88 · Score: 2, Interesting

      > This allows people without facebook logins to see APPLICATIONS, not read your profile.

      But the first line of every add application agreement is:

      > Allow this application to...
      >
      >     Know who I am and access my information

      Does this not mean the application can read my profile and if it can, could a malicious or careless app developer expose my profile information to the world?

      > Potential employers can't see your profile unless they submit a "friend request" and you accept them.

      Or unless you and someone at the company are members of the same network and you didn't change the default privacy settings for that network. Suddenly having an alum from your alma mater working in the HR dept. is maybe not so helpful.

      Or maybe no one at the company is in your network but they pay an "information broker" who has a corral of stringers on the payroll who are members of many, many networks to view your profile.

  12. Re:Facebook... by quintessentialk · Score: 2, Insightful

    On the other hand, the sort of personal disclosure we see on facebook may grow into a cultural, society-wide phenomenon. Presumably most people are concerned about information disclosure because of consequences of that disclosure. If there are few consequences, how many people will care? Sure, the HR director who hired me probably looked for my facebook page. But I came across his facebook page entirely by accident, and his is way more revealing of his personal life than mine is. Once the college students of today rise to power, I think personal internet disclosure will be more socially acceptable.

  13. Re:Is Facebook the new AOL? by ncryptd · Score: 2, Funny

    Nah, MySpace could never be the new Usenet. They've had idiots on MySpace from the start. Usenet actually used to be good...

    Damn I feel old.

  14. OpenID doesn't need facebook to fail by coryking · Score: 3, Insightful

    OpenID is an overly complex protocol that requires a bazillion interdependencies to work right. Worse, it doesn't actually solve the pain. It doesn't solve the trust problem! People want an authentication protocol that has trust. Random URLs are not trust!

    Yeah, I hear you saying "Cory, OpenID isn't about trust". Well then whoopty fucking doo, go away and stop wasting my time. If I cannot have trust, what the hell is the point of OpenID?

    And seriously? URLs as your unique login? What the fucking hell is that all about? 1) URLs are ugly. 2) Mom & Dad don't understand them 3) URLS!?!?

    And a bonus seriously. Having the whole mess ride on top of HTTP as a friggen space age XML-RPC-SOAP-REST thing? Pick something more mature? Why not at least try to sink it down into the HTTP protocol itself? Maybe even invent a new protocol. But layering it on top of an XML RPC protocol on top of HTTP on top of TCP/IP? Are you insane?

    How will this whole damn thing integrate into SMTP or IMAP - will postfix need to learn OpenID and open itself to all kinds of web-based security risks? How will I use this to log into SecondLife or World of Warcraft? Do they now have to write a god damn web stack to authenticate against OpenID? How can it integrate into LDAP or Active Directory?

    And NONE OF THIS IS EVEN SOMETHING YOU CAN TRUST! It is all worthless!!!

    OpenID does not need facebook for it to fail. OpenID will fail because it is complex, hard to explain, doesn't play with other protocols, is difficult to implement, and is misunderstood by managers, developers, sysadmins, and security experts.

  15. Re:plaintext? by deftcoder · Score: 3, Informative

    <form method="post" name="loginform" action="https://login.facebook.com/login.php" ...
    You're POSTing to a secure page anyways... all that happens for me when I visit https://facebook.com/ is I get warned about an invalid SSL certificate and then redirected ("Location: http://facebook.com/" HTTP header) back to the non-https site.
    --
    Peace sells, but who's buying?
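Comments 9 and 15 above describe a common pattern of the period: the login page is served over plain HTTP, the form itself posts to an HTTPS endpoint, and after sign-in the session runs over HTTP again. The following added example (written for this page, not taken from the thread or from Facebook) shows the two checks a practitioner would actually run against such a page: does the password form post to HTTPS from an HTTPS page, and does the post-login session cookie carry the Secure attribute so it is not replayed over the plaintext pages that follow. All HTML and headers are constructed inline with example.com hostnames so it runs offline.

```python
"""Added example: classify a login page by where the password goes and
whether the session cookie survives the drop back to http.
Not the thread's or Facebook's code; inputs are constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class LoginFormFinder(HTMLParser):
    """Collect every <form> that contains an <input type="password">."""
    def __init__(self):
        super().__init__()
        self.forms = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "form":
            self._open = {"method": (a.get("method") or "get").lower(),
                          "action": a.get("action", ""), "password": False}
            self.forms.append(self._open)
        elif tag == "input" and self._open is not None \
                and a.get("type", "").lower() == "password":
            self._open["password"] = True

    def handle_endtag(self, tag):
        if tag == "form":
            self._open = None


def assess_login_page(page_url, html):
    """One verdict per password form:
    'ok'        page and form action are both https
    'mixed'     form posts to https but the page is plaintext, so an on-path
                attacker can rewrite the action before the user types
    'cleartext' the password itself travels over http"""
    finder = LoginFormFinder()
    finder.feed(html)
    page_https = urlsplit(page_url).scheme == "https"
    verdicts = []
    for form in finder.forms:
        if not form["password"]:
            continue
        # A relative action inherits the page's scheme, so resolve it first.
        action = urljoin(page_url, form["action"])
        action_https = urlsplit(action).scheme == "https"
        if page_https and action_https:
            verdict = "ok"
        elif action_https:
            verdict = "mixed"
        else:
            verdict = "cleartext"
        verdicts.append({"action": action, "method": form["method"],
                         "verdict": verdict})
    return verdicts


def insecure_cookies(set_cookie_headers):
    """Names of cookies set without the Secure attribute. Once the site
    falls back to http after login, the browser sends these in the clear,
    so the session can be hijacked even though the password was not."""
    names = []
    for header in set_cookie_headers:
        parts = [p.strip() for p in header.split(";")]
        name = parts[0].split("=", 1)[0]
        if not any(p.lower() == "secure" for p in parts[1:]):
            names.append(name)
    return names


# Constructed sample: an http page whose form posts to an https endpoint.
PLAINTEXT_PAGE_URL = "http://www.example.com/"
PLAINTEXT_PAGE = """
<form method="post" name="loginform" action="https://login.example.com/login.php">
  <input type="text" name="email"><input type="password" name="pass">
</form>"""
CLEARTEXT_PAGE = PLAINTEXT_PAGE.replace("https://login", "http://login")
# Constructed post-login response headers.
SET_COOKIES = ["sid=abc123; Path=/; HttpOnly", "lang=en; Path=/; Secure"]

if __name__ == "__main__":
    for url, page in ((PLAINTEXT_PAGE_URL, PLAINTEXT_PAGE),
                      ("https://www.example.com/", PLAINTEXT_PAGE),
                      (PLAINTEXT_PAGE_URL, CLEARTEXT_PAGE)):
        print(url, assess_login_page(url, page))
    print("cookies sent over http after login:", insecure_cookies(SET_COOKIES))
```

The 'mixed' verdict is the case both comments describe: the credential is encrypted in transit, but because the page that carries the form is plaintext, nothing stops a network attacker from serving a modified form whose action points elsewhere, and the browser gives the user no padlock to notice the difference.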
  16. a-holes by ImTheDarkcyde · Score: 2, Insightful

    I'm going to go ahead and be a troll here, so you might just want to skip this comment-

    Fuck anything that throws "open" in front of the name. Fuck openID. Do you want a goddamn pat on the back because you are "open?" On top of that people of slashdot are adamantly against Real ID, which is the same thing to my uneducated eyes, except for in the real world, but hey isn't giving your single password away nowadays the same thing as handing over your social security number, bank accounts, search history, et cetera?

  17. Re:facebook is a datamine by Ash-Fox · Score: 3, Insightful

    > I recently deactivated my account, and have read concerns from several sources that facebook has strong ties with DoD and CIA investors.

    A lot of things are funded by the DoD and CIA. In the past, I am aware of OpenBSD, Linux kernel development (SELinux), various Windows technologies, DNS, Internet infrastructure and so on.

    I assume you aren't using any of those either since a lot of them have strong ties too.
    --
    Change is certain; progress is not obligatory.
  18. Re:Is Facebook the new AOL? by SnowZero · Score: 3, Funny
    Me too!
    (don't forget to top post over a full quote)

    Me too.

    -kihjin