- Your friend connects to Facebook and checks "remember me".
- Facebook creates a cookie on the browser.
- Your friend goes to the bathroom.
- You steal your friend's cookies from his browser and its data.
- You go home and make these cookies with that data.
Assuming Facebook does not associate cookies + IP, you can gain access to the Facebook page. Edit: True, Facebook does not check for IP.
Now, let's take a look at Facebook Connect. This is the key.
- User "connects" by pushing the button.
- Facebook sets a cookie on the browser, which your application backend will read from to determine if the user is authenticated. Then, you associate this FB-cookie-id with the user in YOUR system.
If your system does not check for IP, then theoretically faking the cookie will allow you access into the application that used Facebook Connect, which then gives you access to the application.
Is it valid to say that you should check for IP when doing Facebook Connect to add a level of security? But even if you do, some people have commented about IP Spoofing.
@everybody who says "Physical Access":
Yes, I agree that the concept of physical access makes this question trivial. However, this is a hole that the APPLICATION must be aware of. Sure, the Facebook profile/worthless application wouldn't matter much...but what if the application was a banking system? All I am saying is that if Citibank or Bank of America used "Facebook Connect" (which would be stupid, but let's assume), then this method would prove to be an easy way to access their account.
Therefore, Facebook Connect should NOT be used with anything "important". Right?
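As an added illustration, not code from the original post or from Facebook, here is one way an application backend can issue its own session after the identity provider has confirmed the user and bind it to the client that authenticated, instead of trusting the provider's cookie alone. The secret, session table and sample IPs/user agents are constructed for the example.

```python
import hmac, hashlib, secrets, time

# Constructed secret for this example; a real deployment loads it from a vault.
SERVER_SECRET = b"example-server-secret-not-for-production"
SESSION_TTL = 3600  # seconds a session stays valid after issue

# Server-side session table: token -> (user_id, client fingerprint, expiry).
_sessions = {}

def client_fingerprint(ip, user_agent):
    """Hash of the client context the session was issued to."""
    return hashlib.sha256(f"{ip}|{user_agent}".encode()).hexdigest()

def issue_session(user_id, ip, user_agent, now=None):
    """Called once the identity provider (e.g. Facebook Connect) has confirmed
    the user: create OUR session and record which client it was issued to."""
    now = time.time() if now is None else now
    token = secrets.token_hex(16)
    _sessions[token] = (user_id, client_fingerprint(ip, user_agent), now + SESSION_TTL)
    # The cookie carries the token plus an HMAC, so an edited value is rejected.
    mac = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    return f"{token}.{mac}"

def validate_session(cookie, ip, user_agent, now=None):
    """Return (user_id, None) if the cookie is acceptable from this client,
    otherwise (None, reason) so the caller can log and re-authenticate."""
    now = time.time() if now is None else now
    try:
        token, mac = cookie.split(".", 1)
    except ValueError:
        return None, "malformed"
    expected = hmac.new(SERVER_SECRET, token.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(mac, expected):
        return None, "bad signature"
    record = _sessions.get(token)
    if record is None:
        return None, "unknown session"
    user_id, fp, expiry = record
    if now > expiry:
        _sessions.pop(token, None)
        return None, "expired"
    if fp != client_fingerprint(ip, user_agent):
        # Same cookie presented from a different client: treat as a possible replay.
        return None, "client mismatch"
    return user_id, None

def revoke_session(cookie):
    """Logout / incident response: invalidate the server-side record."""
    return _sessions.pop(cookie.split(".", 1)[0], None) is not None
```

Binding to IP alone will break legitimate users behind NAT, proxies or mobile networks, and the user agent is client-supplied, so treat the mismatch as a signal to log and re-authenticate rather than proof of theft; short lifetimes, server-side revocation and Secure/HttpOnly cookies over HTTPS do most of the work.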