Hello, my knowledge of Flash and other web technologies isn't that good, but I was wondering: how do sites with their own API for applications (e.g. Facebook) authenticate calls from an application? I'm not really familiar with the Facebook API, but Vkontakte (a similar site) uses a secret key, session id and method parameters to generate a query. Why isn't it possible for someone with malicious intent to work out those parameters while the application is running and send a totally different query by, say, changing packets? I was kinda planning on writing an application for Vkontakte, but I don't understand how the applications are protected. I would also be very grateful if someone could recommend any literature concerning these questions.

+3  A: 

The security lies in the fact that your shared secret should never be transmitted over the web. With Facebook, for example, you use your app secret to validate a cookie on your server. If you aren't doing any validation on the server, then you are correct in that the access token or whatever is not secure. However, the thing to remember is that with these sites an access token is associated with a single user. So even if that person changes the cookie or whatever, the access token still only has permission to access the single Facebook account. So the person would be doing malicious stuff to their own account.

So for the case of Flash or JavaScript, you always assume the access token and cookie data are not secure. Anything that is security critical you would have to do on the server, only after you validate the cookie data to ensure the cookie is from a legitimate source. I assume that Vkontakte functions in a very similar way.

Again, the biggest thing is to never transmit your secret key outside of your server.

Nathan Totten
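A server-side sketch of the answer's point, added here as an example (not the answerer's code, and not Facebook's or Vkontakte's actual wire format): the platform signs the user's session parameters with the app secret, the Flash/JS client only carries the signed envelope, and the app's own server re-validates it before doing anything security-critical. The secret value, the parameter names and the `sig.payload` envelope layout are constructed assumptions.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret shared only between the platform and the app's own server.
# The client never receives it, so it cannot produce a valid signature itself.
APP_SECRET = b"constructed-app-secret-never-sent-to-clients"


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def sign_request(params: dict, secret: bytes = APP_SECRET) -> str:
    """Platform side: HMAC-SHA256 over a canonical JSON payload -> 'sig.payload'."""
    payload = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    sig = hmac.new(secret, payload, hashlib.sha256).digest()
    return f"{_b64url(sig)}.{_b64url(payload)}"


def verify_request(signed: str, secret: bytes = APP_SECRET):
    """App server side: recompute the MAC and compare in constant time.
    Returns the trusted params, or None if the envelope was altered."""
    try:
        sig_b64, payload_b64 = signed.split(".", 1)
        payload = _b64url_decode(payload_b64)
        expected = hmac.new(secret, payload, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        return json.loads(payload)
    except ValueError:  # bad base64, missing '.', or malformed JSON
        return None


def client_edit(signed: str, **changes) -> str:
    """Simulates the question's scenario: the payload is visible at runtime and
    can be rewritten, but the old signature no longer matches it."""
    sig_b64, payload_b64 = signed.split(".", 1)
    params = json.loads(_b64url_decode(payload_b64))
    params.update(changes)
    payload = json.dumps(params, sort_keys=True, separators=(",", ":")).encode()
    return f"{sig_b64}.{_b64url(payload)}"


def handle_post(signed: str, target_user: int, text: str) -> str:
    """Security-critical action, done on the server only after validation; the
    acting identity comes from the verified payload, never from the client."""
    params = verify_request(signed)
    if params is None:
        return "rejected: bad signature"
    if params["user_id"] != target_user:
        return "rejected: token only covers its own account"
    return f"posted for user {params['user_id']}: {text}"
```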