[TriLUG] Website drive-by shooting

Michael Peters michael00peters at gmail.com
Fri Apr 11 15:08:36 EDT 2014


> OK, please clarify.
>
> If "I" am a Facebook user, and I visit "website X," without identifying
> myself, what do they ask, and what does Facebook respond?

It depends on how Facebook's API works, but the general gist is that
if site A makes a request to site B (probably via a JSONP request, if
you want to look up how that works), any request to site B from your
browser will send along the cookies for site B. Site A never sees
those cookies and can't modify them. But Facebook could create an API
that, when requested by third-party sites, sends back information
about you if the person has a Facebook cookie.

Now, I'm not saying this is what happened, but it's plausible. The
biggest problem is that I thought that FB required third party
sites/apps to get your approval via Facebook before they would send
your information to them. But maybe they've found a bug or loophole,
or maybe FB will give it to them if they pay enough. Not sure on that
stuff.

Also, before you get the impression that JSONP is somehow nefarious,
it's extremely useful for lots of different things and only exposes
data that the API provider explicitly decides to expose.
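The mechanism described in the message above, as an added example that is not part of the original post and not Facebook's code: a Node.js simulation of a JSONP "who am I" endpoint on a hypothetical site B, a browser that attaches site B's cookies to any request for site B's origin, and a third-party page (site A) that only ever sees the callback payload. The origin `https://api.siteb.example`, the `session` cookie name, the session table and the callback-name check are all assumptions for illustration.

```javascript
// Added example (not from the original post). Simulates the JSONP flow:
// site A embeds <script src="https://api.siteb.example/whoami?callback=handle">,
// the browser attaches site B's cookies, site B answers handle({...}),
// and site A receives the data without ever seeing the cookie.

// --- site B (the API provider) ---------------------------------------------
// Constructed session table for the example: cookie value -> user record.
const SESSIONS = {
  sess_abc123: { id: 42, name: "Alice" },
};

// Parse a Cookie header such as "a=1; session=sess_abc123" into an object.
function parseCookies(header) {
  const out = {};
  for (const part of (header || "").split(";")) {
    const idx = part.indexOf("=");
    if (idx < 0) continue;
    out[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return out;
}

// Only accept a callback name that is a plain JS identifier. Without this
// check site A could pick a "callback" like "alert(1)//" and turn the
// endpoint into a script-injection vector on its own page.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Site B's JSONP endpoint. It is the only party that sees the cookie, and it
// decides what to expose: here, whether a session exists and whose it is.
function jsonpWhoami(req) {
  const cb = req.query.callback || "";
  if (!CALLBACK_RE.test(cb)) return { status: 400, body: "bad callback" };
  const session = parseCookies(req.headers.cookie).session;
  const user = SESSIONS[session] || null;
  const payload = user
    ? { loggedIn: true, id: user.id, name: user.name }
    : { loggedIn: false };
  return { status: 200, body: `${cb}(${JSON.stringify(payload)});` };
}

// --- the browser -------------------------------------------------------------
// Cookie jar keyed by origin. The browser attaches site B's cookies to a
// request for site B regardless of which page caused that request.
function makeBrowser(jar) {
  return {
    fetchScript(url) {
      const u = new URL(url);
      const req = {
        query: Object.fromEntries(u.searchParams),
        headers: { cookie: jar[u.origin] || "" },
      };
      if (u.origin === "https://api.siteb.example") return jsonpWhoami(req);
      return { status: 404, body: "" };
    },
  };
}

// --- site A (the third-party page) ------------------------------------------
// Site A defines a global callback and loads the script. Running the response
// body is what the <script> tag does; site A gets the payload, not the cookie.
function siteAPageLoad(browser) {
  let received = null;
  const handle = (data) => { received = data; };
  const res = browser.fetchScript(
    "https://api.siteb.example/whoami?callback=handle"
  );
  if (res.status === 200) new Function("handle", res.body)(handle);
  return received;
}

// A user logged in to site B, then visiting site A without identifying
// themselves to site A (constructed cookie value):
const loggedInBrowser = makeBrowser({
  "https://api.siteb.example": "session=sess_abc123",
});
// A user who has no site B cookie at all:
const anonymousBrowser = makeBrowser({});

module.exports = { jsonpWhoami, makeBrowser, siteAPageLoad, loggedInBrowser, anonymousBrowser };
```

The point of the simulation is the asymmetry the message describes: `siteAPageLoad` never touches the cookie jar, yet it learns who the user is because site B chose to answer that question to any caller. Whether a real provider exposes identity this way is entirely the provider's decision; the `CALLBACK_RE` check is there because a JSONP endpoint that echoes an unvalidated callback name is a separate, well-known hazard for the embedding page.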

