How bad is it if the app's secret leaks?

After significant voodoo, I finally got the API working. It turns out you have to set Enhanced Auth Dialog to disabled or Facebook ignores your publish_actions permission. Just a heads-up in case someone else is struggling with this.

However, I'm working entirely with the JavaScript API. No server-side scripts.

The only way to post a score is with the application access token. The only way to get one of those is to use the application secret, and that would have to sit in the JavaScript code for the whole world to see. How bad is that?

TBH I don't care if someone fakes the results of my little pong-style game. Good for them; only they and their friends can see it. It's just for fun. But what could go wrong if my application's secret is published? Can someone take over the whole application? Or is it just bad practice, and nothing can actually go wrong with a small mini-game?

All of this is pure JavaScript SDK, which only works with user access tokens, so my first instinct is that it's fine. But I thought I'd ask...!

+4
1 answer

What other permissions do you use? If you use publish_stream, I'm sure you can imagine the fraud that could happen! Even worse, if a user has both your public and private keys (which they would), they could create a completely fake application that identifies itself as you!

The โ€œdomainโ€ parameters in facebook should prevent this, but if there is a chance that an attacker could perform an XSS attack , they could potentially write malicious applications that disguise themselves as your game.

Have you considered something very simple on Google App Engine for the sole purpose of handling token authentication?

+1
