Facebook doesn't care about your privacy, but you should. Facebook implements OAuth2 - readers of my blog know how shitty OAuth2 is and how awesome OAuth2.a will be.
Apps actually cannot require permissions (the 'scope' param). They only propose them, and you can choose which to grant by editing the authorization URL.
Example - you are redirected to:
https://www.facebook.com/dialog/oauth?client_id=130409810307796&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Ftetris_battle%2F%2F%3Fkt_track_apa%3D1%26reload%3D1%26reloadTime%3D1346239416%26localJS%3Dfalse&state=6997cb601838cb0fb65d53aecbebcd21&scope=publish_actions%2Cemail%2Cuser_location%2Cuser_birthday
Just change the 'scope' param:
https://www.facebook.com/dialog/oauth?client_id=130409810307796&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Ftetris_battle%2F%2F%3Fkt_track_apa%3D1%26reload%3D1%26reloadTime%3D1346239416%26localJS%3Dfalse&state=6997cb601838cb0fb65d53aecbebcd21&scope=
And authorize the app. You permitted nothing special, but the app works - enjoy.
UPDATE:
The post had nothing to do with security. I was annoyed by the terrible fact that "you can ask for permissions, it will look legit and the user cannot uncheck them in the UI. Well, if he's smart enough to change the URL, you have to check permissions in your code".
There are two ways to fix it (OAuth2.a deals with the issue this way):
1) the app has a "frozen" scope. It is no longer a param in the URL, just a field in the provider's database. The developer no longer needs to verify what was allowed - he is sure.
2) the app has an "agile" scope. The client 'proposes' a scope and the user can uncheck the permissions he doesn't want. The app must then check explicitly what was actually permitted.
Facebook bug worth USD 10000.
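As an added illustration (not code from the post or from Facebook), a small Python model of the two fixes: a provider-side "frozen" scope that ignores whatever the URL says, and an app-side check of what was actually granted against what the app needs. The registered-scope table and the shape of the permissions response are assumptions; the parsing of the authorization URL shows why the 'scope' param proves nothing about what was granted.

```python
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Constructed "frozen" scope table: what each client registered with the
# provider, stored server-side and never read from the URL (fix 1).
REGISTERED_SCOPE = {"130409810307796": {"email", "user_location"}}

def proposed_scope(auth_url):
    """Scope the client proposed in the authorization URL. The user
    controls this value, so it must never be treated as 'granted'."""
    query = parse_qs(urlparse(auth_url).query)
    raw = query.get("scope", [""])[0]
    return {p for p in raw.split(",") if p}

def strip_scope(auth_url):
    """The URL edit from the post: keep every other param, empty the scope."""
    parts = urlparse(auth_url)
    query = parse_qs(parts.query, keep_blank_values=True)
    query["scope"] = [""]
    return urlunparse(parts._replace(query=urlencode(query, doseq=True)))

def frozen_scope(client_id, auth_url):
    """Fix 1, provider side: the URL's scope is ignored entirely; the
    registered scope is what the user allows or denies as a whole."""
    return set(REGISTERED_SCOPE.get(client_id, set()))

def granted_from_permissions(resp):
    """Parse a /me/permissions-style reply. Assumed shape:
    {"data": [{"email": 1, "user_location": 0, ...}]}; a permission
    counts as granted only when its value is truthy."""
    granted = set()
    for entry in resp.get("data", []):
        granted |= {name for name, value in entry.items() if value}
    return granted

def check_required(required, granted):
    """Fix 2, app side: compare what the app needs with what was actually
    granted. Returns (ok, missing); when not ok the app should re-request
    auth or refuse, never assume the proposed scope was honoured."""
    missing = set(required) - set(granted)
    return (not missing, missing)
```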
double it pls
\m/
Cool! We can also use just
&perms=
instead of
&perms=email%2Cpublish_actions%2Cuser_likes%2Cfriends_likes
in apps where perm is used
yes, we can also use the same technique for all OAuth2-based websites: Google, GitHub etc.
Except that you can see what scope you got back and disallow access if you didn't get the right information. This is a bug in Facebook apps, not in OAuth or Facebook. I know that if I need email and my app doesn't receive it from Facebook, then I disallow access and force it to re-request auth.
do you mean the 'scope' returned back with the 'code'? Just change that scope to a proper one and the app will think that it has got proper permissions..
this may work for email, but do developers check 'friends', 'wall' and other permissions? Mostly no.. so the trick works
You can get the permissions of the current user by calling the graph api with /me/permissions, and require them application side. That's what most competent developers would do. A lot of apps actually *require* those permissions for functionality's sake.
I've written dozens of FB apps and they will throw an error if people mess with the permissions. If they didn't need the permissions I wouldn't have asked for them. Don't want to give the permissions, no problem, just don't use the app. (Completely different story for permissions like publish, they should never be required for an app to function, but users can deny permissions like that in the FB interface).
Nice. This could very easily be used to write a plugin/script to customise the permissions request dialog so that users can deselect individual permissions.
Silly, as the application can use
https://graph.facebook.com/me/permissions
and check the ACTUAL permissions that it was granted with your token.
If a developer is stupid and doesn't check his permissions, don't blame OAuth2 or Facebook.
please point out a section in FB documentation which teaches you that you should check permissions in your app.
I think it's pretty clear: https://developers.facebook.com/docs/authentication/
The first thing I did when I had to program the FB auth in our app was to check the token's permissions after obtaining it. Call me a defensive programmer. If you are being hostile to your users and ask them for access to all their private stuff just for playing a silly game, expect them to be hostile to you in return.
I don't argue with you that there is a workaround
I am saying it can be simpler. Scope should be returned at the obtain-token endpoint, with an expire_at parameter for example.
https://developers.facebook.com/docs/reference/api/#auth
this is not a bug, FB could easily ask the user in this style: App X is requesting email, friends, location. What do you want to share.
App developer on the other hand could ban access to the app if no email is given or go to an enter/verify email scheme, so all ok.
but it doesn't
Facebook should either make sure or let you choose
Additional note: apps sometimes request additional permissions, such as posting on your behalf or sending private messages to your friends. You can revoke those permissions at any time by clicking the 'Edit' link next to the particular app on https://www.facebook.com/settings?tab=applications.
no need to modify the URL, just click the close button on every permission that is asked for in the request permission dialog
1. It is against Facebook Policy to ask for permissions you don't need
2. Removing the permissions in the scope above will make many applications non-functional - Imagine you have an "Upload picture from Facebook" button. If an application needs to use a photo in your album it needs the "user_photos" permission. If you don't give it, likely what will happen is the button won't do much, or maybe it even returns a 500 error.
3. As mentioned there are easier ways to not grant permissions
4. There are applications that have "basic" permissions and "extended" permissions (typically a separate auth dialog or page). Simply clicking 'close' on the second dialog or page will allow users to go to the application but without extra permissions. In these scenarios the developers of the application know what functionality to limit the user to.
A 500 may happen if the app uses the FB API when I make a request. I think real apps use delayed jobs.
now, I am confused as an app developer. If I send the scope as the documentation states, I need to get it back. After reading this article I have no fuckin confidence and have to check perms manually. WTF? :) this is the point
Hey, Egor! Nice to see you back on exploits. Let's hope Facebook doesn't pull a GitHub on you :)
hey buddy :)
obviously if the app depends on Facebook data it will break the app, otherwise it's fine
For sure. Frankly the trick is most likely useful for "login with facebook" websites when no other API calls are needed
This is not a bug. Your app should be checking for the appropriate permissions and punting the user to auth again if they're truly required.
my app shouldn't have to, my app has to because there are no other options :(
but, Facebook could have my scope in its database and, if the user presses allow, grant it. without stupid URL customization. and my app would be 100% sure that it has the needed perms..
Basic permissions still granted... if the app uses the other scopes, maybe it won't work.
Useless article, as much as the TC article it's quoting.
Does anyone else find that when they go to the modified URL (without scope/perms) at the permissions page they are redirected back to a URL with the full permissions?
It's against Facebook policies to ask for permissions when you don't need them, but do they really check on us and track this? Anyway thank you for the details given above, I am writing a new article about this subject on my website and it definitely helps.