URGENT - toolkit is insecure!

Dec 6, 2007 at 4:41 PM
Edited Dec 6, 2007 at 4:43 PM
Searching the web i found this


Basically this person has been swapping fbsiguser to userid's of his choice on loads of different applications.

The result is he can spoof that user and take actions as that user.

The way to fix this is to check the sig that facebook send you.

The Php code below needs to be rewritten into c# and then added to the api.

I have a vauge idea how to do it. but am a bit confused.

I am hesitant to release any applicaitons unitll this is secure.

If you can fix this then grate, please post code, if not then please vote here : http://www.codeplex.com/FacebookToolkit/WorkItem/View.aspx?WorkItemId=9016

So a developer has a look.


PHP CODE ---------------


Dec 11, 2007 at 4:45 AM
Edited Dec 11, 2007 at 4:51 AM
This seems to work for me. I've just added a method to the FaceBookService class. Use at your own risk - I'm sure the Toolkit developers would come up with a better solution.

/// <summary>
/// Ensure the parameters from facebook match the fb_sig
/// </summary>
/// <remarks>
/// Based on these:
/// http://wiki.developers.facebook.com/index.php/User:24403391/Auth
/// /facebookphp4/facebook.php
/// </remarks>
/// <param name="request">request object</param>
public void ValidateSignature(HttpRequest request)
string expectedSig = request.Form[ "fb_sig" ].ToString();
IDictionary<string, string> parameters = new Dictionary<string, string>();
foreach (string s in request.Form)
string prefix = "fb_sig_";
if (s.StartsWith(prefix))
parameters.Add(s.Replace(prefix, String.Empty), request.Forms);

if (expectedSig != _facebookAPI.GenerateSignature(parameters))
throw new FacebookException("invalid signature");