Wednesday, August 29, 2012

How To Cheat On Facebook Apps Permissions

Facebook doesn't care about your privacy, but you should. Facebook implements OAuth2 - readers of my blog know how shitty OAuth2 is and how awesome OAuth2.a will be.

Apps actually cannot require permissions (the 'scope' param). They only propose a set; you choose which ones to grant by editing the authorization URL.

Example - you are redirected to:

https://www.facebook.com/dialog/oauth?client_id=130409810307796&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Ftetris_battle%2F%2F%3Fkt_track_apa%3D1%26reload%3D1%26reloadTime%3D1346239416%26localJS%3Dfalse&state=6997cb601838cb0fb65d53aecbebcd21&scope=publish_actions%2Cemail%2Cuser_location%2Cuser_birthday

Just change the 'scope' param:

https://www.facebook.com/dialog/oauth?client_id=130409810307796&redirect_uri=http%3A%2F%2Fapps.facebook.com%2Ftetris_battle%2F%2F%3Fkt_track_apa%3D1%26reload%3D1%26reloadTime%3D1346239416%26localJS%3Dfalse&state=6997cb601838cb0fb65d53aecbebcd21&scope=

And authorize the app. You permitted nothing special, but the app works - enjoy.

UPDATE:
The post had nothing to do with security. I was annoyed with the terrible fact: "you can ask for permissions, it will look legit and the user cannot uncheck them in the UI. Well, if he's smart enough to change the URL, you have to check permissions in your code"

There are two ways to fix it (OAuth2.a deals with the issue this way):
1) the app has a "frozen" scope. This is no longer a param in the URL, just a field in the database. The developer doesn't need to check what was allowed anymore - he is sure.
2) the app has an "agile" scope. The client 'proposes' a scope and the user can uncheck permissions he doesn't want. The app must then check explicitly what was permitted.
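The "agile" scope case on the app side, as an added example that is not from the original post: the app ignores the scope it asked for and whatever comes back in the redirect, and instead asks the provider, using the token, what was actually granted. The /me/permissions endpoint is the one the comments mention; the response shapes, the fetch_permissions callable and the required/optional split are assumptions.

```python
# Added example (not from the original post): the "agile scope" fix from the
# UPDATE, seen from the app side. The app never trusts the scope it put in the
# authorization URL, nor any scope value echoed back in the redirect; after
# obtaining a token it asks the provider what was actually granted and
# compares that with what it needs. fetch_permissions and the JSON shapes
# are assumptions; the permission names come from the post's example URL.
from urllib.parse import urlencode

# Permissions the app needs to work at all vs. ones it can do without.
REQUIRED = frozenset({"email", "user_location"})
OPTIONAL = frozenset({"publish_actions", "user_birthday"})

def granted_from_me_permissions(payload):
    """Extract granted permission names from a /me/permissions-style reply.
    Two constructed shapes are handled (assumptions, not a documented format):
    {"data": [{"email": 1, "user_location": 1}]}  and
    {"data": [{"permission": "email", "status": "granted"}, ...]}."""
    granted = set()
    for row in payload.get("data", []):
        if "permission" in row:
            if row.get("status") == "granted":
                granted.add(row["permission"])
        else:
            granted.update(name for name, flag in row.items() if flag)
    return granted

def check_grant(fetch_permissions, token):
    """Return (ok, missing_required, disabled_optional). fetch_permissions(token)
    must query the provider server-side with the token; it never reads a
    client-supplied 'scope' field, which the user can edit at will."""
    granted = granted_from_me_permissions(fetch_permissions(token))
    missing = REQUIRED - granted
    return (not missing, missing, OPTIONAL - granted)

def reauth_url(client_id, redirect_uri, state, missing):
    """Build a fresh authorization URL that asks only for what is still missing."""
    params = {"client_id": client_id, "redirect_uri": redirect_uri,
              "state": state, "scope": ",".join(sorted(missing))}
    return "https://www.facebook.com/dialog/oauth?" + urlencode(params)

# Constructed samples: a user who emptied scope= gets nothing beyond basic
# access; a user who accepted the dialog as proposed gets everything.
SAMPLE_EMPTY_SCOPE = {"data": [{}]}
SAMPLE_FULL = {"data": [{"email": 1, "user_location": 1,
                         "publish_actions": 1, "user_birthday": 1}]}

if __name__ == "__main__":
    ok, missing, disabled = check_grant(lambda tok: SAMPLE_EMPTY_SCOPE, "tok")
    print(ok, sorted(missing), sorted(disabled))
```

If `ok` is false the app should refuse to proceed and send the user to `reauth_url(...)` for the missing set; if only optional permissions are absent, it disables those features rather than erroring.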

34 comments:

  1. Cool! We can also use just
    &perms=
    instead of
    &perms=email%2Cpublish_actions%2Cuser_likes%2Cfriends_likes
    in apps where perm is used
    Replies
    1. yes, we can also use the same technique for all OAuth2-based websites: Google, GitHub etc.
  2. Except that you can see what scope you got back and disallow access if you didn't get the right information. This is a bug in Facebook apps, not in OAuth or Facebook. I know that if I need email and my app doesn't receive it from Facebook, then I disallow access and force it to re-request auth.
    Replies
    1. do you mean the 'scope' returned back with the 'code'? Just change that scope to a proper one and the app will think that it has got proper permissions..

      this may work for email, but do developers check 'friends', 'wall' and other permissions? Mostly no.. so the trick works
    2. You can get the permissions of the current user by calling the graph api with /me/permissions, and require them application side. That's what most competent developers would do. A lot of apps actually *require* those permissions for functionality's sake.
    3. I've written dozens of FB apps and they will throw an error if people mess with the permissions. If they didn't need the permissions I wouldn't have asked for them. Don't want to give the permissions, no problem, just don't use the app. (Completely different story for permissions like publish, they should never be required for an app to function, but users can deny permissions like that in the FB interface).
  3. Nice. This could very easily be used to write a plugin/script to customise the permissions request dialog so that users can deselect individual permissions.
  4. Silly, as the application can use

    https://graph.facebook.com/me/permissions

    and check the ACTUAL permissions that it was granted with your token.

    If a developer is stupid and doesn't check his permissions, don't blame OAuth2 or Facebook.
    Replies
    1. please point out a section in FB documentation which teaches you that you should check permissions in your app.
    2. I think it's pretty clear: https://developers.facebook.com/docs/authentication/

      The first thing I did when I had to program the FB auth in our app, was to check the token's permissions after obtaining it. Call me a defensive programmer. If you are being hostile to your users and ask them access to all their private stuff just for playing a silly game, expect them to be hostile to you in return.
    3. I don't argue with you that there is a workaround.
      I am saying it can be simpler. Scope should be returned at the obtain-token endpoint, with an expire_at parameter for example.
    4. https://developers.facebook.com/docs/reference/api/#auth
  5. this is not a bug, FB could easily ask the user in this style: App X is requesting email, friends, location. What do you want to share?

    App developer on the other hand could ban access to app if no email is given or go to enter/verify email scheme, so all ok.
    Replies
    1. this is not a bug, FB could easily ask the user in this style: App X is requesting email, friends, location. What do you want to share?

      but it doesn't

      facebook should either make sure or let you choose
  6. Additional note: apps sometimes request additional permissions, such as posting on your behalf or send private messages to your friends. You can revoke those permissions at any time by clicking the 'Edit' link next to the particular app on https://www.facebook.com/settings?tab=applications.
  7. no need to modify the URL, just click the close button on every permission
    that is asked for in the request permission dialog
  8. 1. It is against Facebook Policy to ask for permissions you don't need
    2. Removing the permissions in the scope above will make many applications non-functional - imagine you have an "Upload picture from Facebook" button. If an application needs to use a photo in your album it needs the "user_photos" permission. If you don't give it, likely what will happen is the button won't do much, or it may even return a 500 error.
    3. As mentioned there are easier ways to not grant permissions
    4. There are applications that have "basic" permissions and "extended" permissions (typically a separate auth dialog or page). Simply clicking 'close' on the second dialog or page will allow users to go to the application but without extra permissions. In these scenarios the developers of the application know what functionality to limit the user to.
    Replies
    1. 500 may happen if app uses FB API when I make request. I think real apps make delayed jobs.

      now, i am confused as an app developer. If i sent scope as documentation stated I need to get it back. After reading this article I have no fuckin confidence and have to check perms manually. WTF? :) this is the point
  9. Hey, Egor! Nice to see you back on exploits. Let's hope Facebook doesn't pull a GitHub on you :)
  10. obviously if the app depends on Facebook data it will break the app, otherwise it's fine
    Replies
    1. For sure. Frankly the trick is most likely useful for "login with facebook" websites when no other api calls are needed
  11. This is not a bug. Your app should be checking for the appropriate permissions and punting the user to auth again if they're truly required.
    Replies
    1. my app should not, my app has to, because there are no other options :(

      but, facebook could have my scope in the database and if the user presses allow, grant it. without stupid URL customization. and my app would be 100% sure that it has the needed perms..
  12. Basic permissions still granted... if the app uses the other scopes, maybe it won't work.
  13. Useless article, as much as the TC article it's quoting.
  14. Does anyone else find that when they go to the modified URL (without scope/perms) at the permissions page they are redirected back to a URL with the full permissions?
  16. It's against Facebook policies to ask for permissions when you don't need them, but do they really check on us and track this? Anyway thank you for the details given above, I am writing a new article about this subject on my website and it definitely helps.