Sunday, September 14, 2008

FBConnect - still insecure?!?

Today I realized it's been over 2 weeks since I last wrote about FBConnect, so I checked it again to see whether anything has been changed to improve its security (or anything else) after the recent Facebook Developer Garage event (the Connect Edition).

Surprisingly, the only change they have made is to turn the login form into a popup instead of an IFRAME embedded in the site. Here is a screenshot of how it looks now:

But still no SSL! I wonder why? Even the form POST is over non-SSL, which means your login credentials travel in the clear and you are vulnerable to MITM attacks (eavesdropping).

Especially if you are using one of those free, insecure Wi-Fi networks, please make sure you don't log in through FBConnect.

UPDATE 10/3/2008:
FBConnect has now switched over to SSL for its form POST:
<form method="post" action="https://login.new.facebook.com/login.php?popup=1&fbconnect=1&connect_display=popup">


3 comments:

Richard Bradshaw said...

To be fair, the standard log in page doesn't use https either...

Praveen said...

Hmm, even though their standard login page is displayed over "http", the login form POST with the user credentials does use "https".

Here is an HTML code snippet from their login page:

<form method="POST" action="https://login.facebook.com/login.php" name="menubar_login" id="menubar_login">

Luke Shepard said...

I'm an engineer on the Facebook Connect team, and your post is incorrect. Login credentials are indeed posted over SSL.

As Praveen points out, the form itself isn't served over https, but the form that receives the credentials is.

We are working on serving the actual form off of SSL as well, but for the time being the user's information is protected.
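The distinction argued over in the post and the comments above is the one worth checking on any site: the page a login form is served from versus the URL the credentials are actually posted to. The following is an added example (not code from the post or from Facebook) that audits both; the page URL and the HTML sample are constructed, with the form tag taken from the post's update.

```python
# Added example, not Facebook's code: given the URL a page was served from and
# its HTML, report for every form that carries a password field whether its POST
# target is https and whether the page itself was (an http page can be altered on
# the way to the browser even when the action it names is https).
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormCollector(HTMLParser):
    """Records each <form> action and whether the form holds a password input."""

    def __init__(self):
        super().__init__()
        self.forms = []  # list of {"action": str, "has_password": bool}

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append({"action": a.get("action") or "", "has_password": False})
        elif tag == "input" and self.forms and (a.get("type") or "").lower() == "password":
            self.forms[-1]["has_password"] = True  # attributed to the most recent form


def audit_login_forms(page_url, html):
    """Return (resolved action URL, verdict) for each form with a password field."""
    parser = _FormCollector()
    parser.feed(html)
    page_scheme = urlsplit(page_url).scheme.lower()
    findings = []
    for form in parser.forms:
        if not form["has_password"]:
            continue  # not a credential form
        action = urljoin(page_url, form["action"])  # empty action posts back to the page
        if urlsplit(action).scheme.lower() != "https":
            verdict = "credentials posted in the clear"
        elif page_scheme != "https":
            verdict = "post is encrypted, but the form was served over http"
        else:
            verdict = "ok"
        findings.append((action, verdict))
    return findings


# Constructed sample: the post-update FBConnect form served from an http page, plus
# a search form with no credentials that the audit should ignore.
SAMPLE_HTML = (
    '<form method="post" action="https://login.new.facebook.com/login.php?'
    'popup=1&fbconnect=1&connect_display=popup">'
    '<input name="email"><input type="password" name="pass"></form>'
    '<form method="post" action="/search"><input name="q"></form>'
)

if __name__ == "__main__":
    for action, verdict in audit_login_forms("http://www.example.com/fbconnect", SAMPLE_HTML):
        print(action, "->", verdict)
```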