KCITP Member Kris Nessa discovers Facebook SSL setting loophole around apps
KCITP Member Kris Nessa alerted us to this issue, and posted it on Hacker News. Here’s a portion of the post, click the link below the quote below for all the info. Nice job, Kris!
Issue: After seeing the new Facebook Security setting to enable a secure session, I tried out the setting. The setting has a loophole (or a defect if you want to call it that). If you engage in any apps that run on Facebook, these apps may need to take you out to a non-secure session. When the new Facebook SSL security option is enabled, and you try to go to a non-secure session to engage in the app, Facebook will notify you with a message asking you if it’s ok to jump out to the non-secure session. If you choose to jump out, at this point Facebook is disabling your Account Security SSL setting. That’s right. So when you’re done playing Farmville (or whatever app you choose) and go to log into Facebook later, Facebook has disabled the SSL and you are back to non-secure Facebook browsing and interactions.
There are a few options out there to force security on your web browsers and you can get by this issue of Facebook disabling your setting and ensuring you’re always browsing the secure session of the application (and SSL of all websites).
