tags:

views:

117

answers:

1
Q: 

How did CNN get my Facebook login information?

I browsed to CNN and was horrified to see my Facebook picture there with a "post a comment" box. How did CNN get my Facebook login information?

More specifically, how did CNN know I was logged into Facebook? It seems like CNN would have to have access to a cookie set by Facebook to do that.

This is the only sequence I can think of.

I browse to Facebook and log in.
I check the "Keep me logged in" box.
Facebook places an authorization cookie on my machine.
I browse to CNN.
CNN reads my Facebook cookie and sends the authorization code to a Facebook API.
The Facebook API verifies my login information and displays the comment box.

Is this what is happening? Or is there some other voodoo going on?

I've seen cross-site stuff like this with advertising, but that just displays information. I just assumed sites like LinkedIn sold my information to advertisers. Automatically logging me into a third-party site seems totally different.

+3  A: 

It's an iframe. The iframe has access to your facebook cookies, but the containing site does not.

Yuliy  2010-07-17 19:43:27
This is it -- CNN doesn't have the information. This video tries to explain it at a non technical level: http://www.facebook.com/video/video.php?v=10150210521510484
daaku  2010-07-19 20:19:43
Thank you for the link daaku. Man, Facebook is such a nightmare.
Jason  2010-07-21 20:34:30

related questions

Storing xml data in a cookie
Best way to secure an AJAX app
Is it possible to delete subdomain cookies?
What are the possible causes of a CGI::Session::CookieStore::TamperedWithCookie exception in rails
How do I access cookies within Flash?
Cookies and subdomains
Accessing Domain Cookies within an iFrame on Internet Explorer
Web Dev - Where to store state of a shopping-cart-like object?
Can JQuery read/write cookies to a browser?
Can you reliably set or delete a cookie during the server side processing of an Ajax (XHR) call?
How can I add cookies to Seaside responses without redirecting?
passing or reading .net cookie in php page
Best way for allowing subdomain session cookies using Tomcat
Why can't I delete this cookie?!
Apache Download: Make sure that page was viewed before download
Secure session cookies in ASP.NET over HTTPS
Always including the user in the django template context
How do you set up use HttpOnly cookies in PHP
How exactly do you configure httpOnlyCookies in ASP.NET?
How do you configure HttpOnly cookies in tomcat / java webapps?
How do HttpOnly cookies work with AJAX requests?
What is the best way to prevent session hijacking?
Associating source and search keywords with account creation
How would you implement FORM based authentication without a backing database?
How do I stop IIS7 dropping my cookies?