Sunday, 9 February 2014

Facebook bug prevents users from managing app privileges

Developers from MyPermissions have identified what they believe to be a bug in Facebook that can prevent users from revoking an application's access privileges.
This bug exhibits itself when a user attempts to revoke an app's privileges through the Facebook mobile app or mobile web interface after having previously granted the application access to their Facebook information.

As indicated within the announcement by MyPermissions, Facebook has been notified about the potential bug and are looking into it. It's not clear to me whether Facebook have yet accepted that this is a bug as there are many differing reports in relation to this, although having been able to reproduce the described behaviour I'm confident that what MyPermissions have found is real.
I'm surprised that this bug hasn't been noticed and/or reported earlier, since one of my installed apps (a very trustworthy, popular and legitimate app) exhibits this problem and is in no way operating maliciously.

It's relieving that the problem doesn't exhibit itself through the regular desktop interface, as this would suggest that there isn't an issue with Facebook's underlying access controls or the way that it evaluates an application's permissions. Users can rest assured that the desktop interface is a working solution for removing applications that should no longer have access to their information.

As a vendor of externalised authorization software, hearing stories such as this really highlights to me the importance of implementing secure and robust security solutions. Even in the case of a simple user interface issue, the ability for attacker to be able to exploit a bug to obtain irrevocable account access is quite alarming.

This is simply another good reason for ISV's to consider a standardised authorization service, rather than invent and implement a proprietary access control model on an application by application basis. Technologies such as XACML promote the separation of authorization away from being hard coded within an application towards being a policy driven authorization service. At ViewDS we provide Access Sentinel, which is an example of an XACML authorization solution that can be used by applications to govern their access control decisions.

No comments:

Post a Comment