Security/Reviews/Gaia/FacebookIntegration
Revision as of 21:02, 6 March 2013
App Review Details
- App: Facebook Integration
- Review Date: 6th March 2003
- Review Lead: Stefan Arentz
Overview
The Facebook integration code is primarily about integrating Facebook in the contacts application. It allows you to import Facebook contacts and after that also use Facebook features from the Contacts app.
Contacts imported from Facebook carry a lot of metadata into the Gaia contacts database: birthday, email addresses, phone numbers, postal addresses and profile picture.
When on a contact detail page in the contacts app, a Facebook contact will have three additional options:
- Send Private Message
- Post to Wall
- View Facebook Profile
We do not provide our own UI for those features. They simply open a page at https://m.facebook.com instead.
The connection to Facebook can be triggered in three ways:
- In the FTU code there is a screen that asks if you want to connect to Facebook
- In the Contacts app settings screen you can flip a switch to enable Facebook
- The dialer app allows you to open the Contacts list, which allows you to get to the settings
(Mentioning the dialer here is relevant since all apps are really the same Communications app)
In this case, 'connecting to Facebook' really means that we ask the user to log in to Facebook and then connect to the custom Facebook app hosted at the Heroku URL. That gives us an OAuth token which can be used for further API calls to Facebook.
Architecture
Components
The Facebook integration consists of a number of HTML pages for importing contacts and an alarm handler that periodically syncs in the background.
Relevant Source Code
The main source code is located at:
- https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/facebook/
- https://github.com/mozilla-b2g/gaia/tree/v1-train/apps/communications/contacts/js/fb/
The following files have been looked at for this review:
- communications/contacts/js/fb/fb_contact.js
- communications/contacts/js/fb/fb_contact_utils.js
- communications/contacts/js/fb/fb_data.js
- communications/contacts/js/fb/fb_import.js
- communications/contacts/js/fb/fb_import_init.js
- communications/contacts/js/fb/fb_init.js
- communications/contacts/js/fb/fb_link.js
- communications/contacts/js/fb/fb_link_init.js
- communications/contacts/js/fb/fb_messaging.js
- communications/contacts/js/fb/fb_oauth.js
- communications/contacts/js/fb/fb_query.js
- communications/contacts/js/fb/fb_utils.js
- communications/contacts/js/fb/friends_list.js
- communications/facebook/js/console.js
- communications/facebook/js/curtain.js
- communications/facebook/js/fb_oauth_frame.js
- communications/facebook/js/fb_sync.js
- communications/facebook/js/fb_sync_init.js
- communications/facebook/js/sync_worker.js
- communications/ftu/js/fb_launcher.js
Permissions
Web Activity Handlers
Web Activity Usage
Notable Event Handlers
Facebook Permissions
The Facebook app for Contacts requires the following permissions:
- Your basic info
- Friends' profile info: descriptions, birthdays, hometowns, locations and work histories
Code Review Notes
1. XSS & HTML Injection attacks
2. Secure Communications
The code talks to the following Facebook APIs:
- https://
- https://api.facebook.com/method/phonebook.lookup
- https://graph.facebook.com/#/feed?method=POST
- https://m.facebook.com/chat/messages.php
- https://graph.facebook.com/$uid/picture
- https://www.facebook.com/logout.php
There is a serious issue with the
It also talks to the following OAuth helper:
- http://intense-tundra-4122.herokuapp.com/fbowd/oauth2/flow2.html
- http://intense-tundra-4122.herokuapp.com/fbowd/dialogs_end.html
- http://intense-tundra-4122.herokuapp.com/fbowd/logout.json
The above server is for development only. It is expected that OEMs of Gaia will host their own.
This also means that each OEM will have to register a Facebook application.
3. Secure data storage
4. Denial of Service
5. Use of Privileged APIs
6. Interfaces with other Apps/Content
7. Cross Origin Message Attacks
The following attack is described in more detail in bug