Thursday, March 18, 2010

Phishing trap with facebook, and YES, workaround on how to get out of it!

We are getting some very encouraging response on Back Benchers' Facebook fan page, and as as a side effect of that, may be, I am thinking lot about facebook in terms of its strategic value, and potential. And its very clear to me that Facebook and Facebook Connect in particular will be a huge platform. And I'll write more about it later on how Facebook will eat Google's lunch with fb connect. But right now - I just discovered the big flaw in Facebook Connect. I think its very very susceptible to phishing attacks. And as a user its important to be aware of this trap.

Lets see what Facebook Connect is - it is a way for fb users to login into non 'facebook' website using your facebook's login credentials. This is awesome, since with fb connect you no longer need to create your account name and password for every single new service. So as a user, you can login into multiple sites with your fb account, and thus becomes seamless web experience. As a web developer, fb connect is a great way to attract users, and provide personalized services without getting them to sign up on your site. And since virtually everybody has an account with facebook this is great for everyone. So far so good. However the way this mechanism works is where the loop hole is.

When you click on the "f connect" icon like this:



A pop up appears where you are asked to input your Facebook account name and password. If you do, you can login to that site using Facebook account. Pop up looks like this:



Question is, how can you guarantee that pop up is from facebook and not from some phishing website? One can easily put together fbconnect icon and following username / password page. Once you enter your information, attacker will store that info, and even can process 'real' fb connect from here. This is serious issue, one way to make sure pop is actually from facebook is to look at url and it will be from facebook domain. But reality is - this can be faked too. As more and more sites implement fb connect, risk of phishing attempts would rise.

This is serious problem. All your social data and your half drunk party snaps are at risk!

Now as a wanna be good blogger - I am going to provide a solution - well an actionable solution for you.

1. Open a new tab, login to your facebook account. Go back to fb connect and login! : Two things are happening here. If you are are logged into facebook, facebook will store session cookie in your browsers memory. When you open fb connect window from other non facebook site, its back end code, if legal - will have access to these credentials, and will log you in into facebook without explicit login info. If this whole thing sounds too technical for you, just follow as I said earlier - Open a new tab in your browser, login to your facebook account. Go back to fb connect and login! Once you do that fb connect popup screen would look like this (Note email address and password fields are gone):



2. Be vigilant - and follow these general simple guidelines as a rule of thumb. Really, don't go to sites that you dont trust. Or at least don't provide the login info on such sites.

That's it - Happy Surfing!