Security issue: Using Facebook for user authentication in Silverlight

Jun 4, 2010 at 8:45 AM

I would very much like to use the Facebook Developer Toolkit to authenticate users at my service, allowing anyone to sign up using their Facebook accounts.

My app should work both in- and out-of-browser, and I already have a fully working prototype that works properly; I'm able to query the user profile and retrieve the friends list. The problem comes when I want to communicate back to my own server.

On the Silverlight client, after authentication, I can access a unique identifier for the Facebook account. This would probably be the best mechanism for a unique ID in my own service. My own service allows users to store various data in a database using WCF RIA Services.

Now the problem is this: anyone can manipulate the data that is transported between the Silverlight client and the service. This means anyone could potentially manipulate the unique UserId and gain access to other people's data. How should I go about fixing this? Or is this really a non-issue, and is there a way for the Facebook Developer Toolkit to parse the Facebook cookies that were written during authentication, in a similar manner to what I'm doing on the client in Silverlight?

Suggestions? Pointers? Any help is appreciated =)

Jun 13, 2010 at 11:20 AM

No answers so far; I'm hoping someone can give me some tips on how to secure a Silverlight app using Facebook auth and have the same mechanism on the server side.

Jun 13, 2010 at 12:58 PM

The userId from Facebook is sent to Silverlight from the JavaScript. This appears to me to be open to attacks, where anyone could change the JavaScript variables and execute the Silverlight method with their own (or someone else's) userId. How much can I trust the userId I receive from the Facebook Developer Toolkit? Here is the method that is called from JS; the userId is read directly from the input.

        [ScriptableMember]
        public void LoggedIn(string sessionKey, string secret, int expires, long userId)
        {
            // Called from the page's JavaScript; every argument, userId included,
            // is whatever the calling script chose to pass in.
            this.SessionKey = sessionKey;
            this.UserId = userId;
        }
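As an added example that is not part of this thread or of the Facebook Developer Toolkit: a server-side check, in C#, that recomputes the Facebook signature over the cookies the browser sends with each request and only then accepts the user id, so the service never has to rely on the UserId the Silverlight client passes up. The class name is made up for the example, and the cookie names and signature layout it assumes are the legacy Facebook Connect scheme described in the comments; verify them against the toolkit version in use.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
// Server-side check of the Facebook-signed cookies, so the service never has to
// trust a userId handed over by the Silverlight client or the page's JavaScript.
public static class FacebookCookieVerifier
{
    // Returns the verified user id, or null when cookies are missing, expired or
    // the signature does not match. Assumed (legacy Facebook Connect) layout:
    // "<apiKey>_user", "<apiKey>_session_key", "<apiKey>_expires", "<apiKey>_ss",
    // and "<apiKey>" = MD5(sorted "name=value" pairs, prefix stripped, concatenated
    // with no separator, followed by the application secret).
    public static long? VerifiedUserId(IDictionary<string, string> cookies,
                                       string apiKey, string appSecret, DateTime nowUtc)
    {
        string sig;
        if (!cookies.TryGetValue(apiKey, out sig)) return null;
        string prefix = apiKey + "_";
        var sb = new StringBuilder();
        foreach (var kv in cookies
            .Where(c => c.Key.StartsWith(prefix, StringComparison.Ordinal))
            .OrderBy(c => c.Key, StringComparer.Ordinal))
            sb.Append(kv.Key.Substring(prefix.Length)).Append('=').Append(kv.Value);
        sb.Append(appSecret);
        string expected;
        using (var md5 = MD5.Create())
            expected = BitConverter.ToString(md5.ComputeHash(Encoding.UTF8.GetBytes(sb.ToString())))
                                   .Replace("-", "").ToLowerInvariant();
        // Fixed-time comparison so a mismatch does not leak how much of the MD5 matched.
        if (!FixedTimeEquals(expected, sig)) return null;
        string user, expires;
        if (!cookies.TryGetValue(prefix + "user", out user) ||
            !cookies.TryGetValue(prefix + "expires", out expires)) return null;
        long uid, exp;
        if (!long.TryParse(user, out uid) || !long.TryParse(expires, out exp)) return null;
        // expires is a Unix timestamp; 0 means the session has no expiry.
        var epoch = new DateTime(1970, 1, 1, 0, 0, 0, DateTimeKind.Utc);
        if (exp != 0 && epoch.AddSeconds(exp) <= nowUtc) return null;
        return uid;   // safe to use as the key for this user's rows in the service
    }
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }
}
```

In the RIA Services domain service, feed the request's cookies to this method and use the returned id as the owner key for every query and update, ignoring any UserId field the client includes in the call.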