Over the last month there has been a minor but interesting discussion about the use of Facebook Connect and the fact that it does not delete its cookies when you log out. If you set your Facebook Connect login to never log you out, OAuth and the Facebook implementation will keep your user data cookies in place and you will remain logged in to Facebook so that OAuth continues to work. Some users never log out, precisely so that they can use Facebook Connect to share interesting things they find on the internet with their friends on Facebook.

The use of persistent tracking cookies for marketing is well known in information security circles. They form the bedrock of understanding how people traverse from web site to web site consuming information. This helps marketing systems learn about your behavior so that they can target better ads at you, in the hope that you will find something interesting enough to click on and purchase. There is a lot of controversy about tracking cookies for marketing purposes, so much so that all the major browsers now offer a Do Not Track option as part of the user experience.

OAuth, though, uses similar if not the same processes to keep track of where you have logged in: even if you log out of one particular system in the ecosystem, you remain logged in to the other sections. In OAuth only the login is universal; with some implementations the logout happens section by section, and it looks like Facebook logs you in once but logs you out piece by piece. This is a perfectly legitimate part of OAuth and of how Facebook has implemented it for the ecosystem of games, web sites, and other systems that use Facebook Connect.

Facebook is not the only company to use OAuth as a way to log a user in across multiple systems; Google does the same thing so that there is seamless interaction between its various services and the social media plugins for sharing interesting things that you come across. As OAuth becomes more popular, cookies that keep a user logged in will sit in your browser with extended expiration dates. This may or may not cause problems down the road, depending on how tokenization is handled. It is possible to carry out cross-site scripting or forgery attacks if you obtain the tokens from someone's cookies or intercept those tokens in transit. It is always wise to have a three-way token validation scheme in any software you write, to ensure that data is not manipulated in transit or at rest in the cookie cache.

OAuth 2.0 is the standard commonly used for logging into systems that have an ecosystem behind them. Google will log you into multiple Google products when you log in for the first time so that your identity is seamless across that ecosystem. Sometimes cookies are written to your hard drive for services that do not even exist on your platform, as in the case of Gwallet outside of mobile systems. This is one of the drawbacks of logging in once and having access to multiple services provided by a company.

Facebook is no different: it sets various types of cookies, some of which expire at the end of the session when you close the browser, but also connection cookies carrying your unique Facebook ID that will not expire for years. All of this is to ensure a seamless experience across the Facebook system and its ecosystem of games, sharing, and sites using Facebook Connect.

Even when you are logged out of Facebook, Facebook Connect and OAuth data is still going to be stored on your computer, because of the way OAuth works across multiple sites to ensure that your experience is not interrupted by having to log into multiple systems. Much like any other Single Sign On (SSO) system, there will be tracks and traces left behind in your browser's cookie cache as a way to ensure that your experience is not degraded by having to log into each section of the ecosystem individually.

If you log out of Facebook there will still be cookies left behind; these include your unique Facebook UID, the secure token that is part of the login process for the ecosystem, and other chunks of data with various expiration dates. To see how this handshake works without needing a lot of debugging tools, you can use the developer tools in Firefox. Log out of Facebook, and open the developer tools.

Then log into the system and you can see how the authentication is processed across the entire Facebook ecosystem. You will see logins for the Akamai backend systems, for Facebook itself, and for other systems that you will be pulling data from, all tied to your unique ID that is part of your cookie and part of the OAuth process.
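The check described above can be done systematically from the Set-Cookie headers the developer tools show you. The script below is an added example, not code from the article or from Facebook: it replays a login response and a later logout response into a cookie jar and reports which cookies survive the logout and for how long. The header lines, the `.provider.example` domain, the cookie names and the fixed clock are all constructed placeholders standing in for what you would capture from a real session.

```python
"""Audit which cookies a login sets and which of those a logout actually clears.
This is an added illustration, not Facebook's code; the Set-Cookie lines are
constructed to mirror what the article describes, not captured from facebook.com."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

# Fixed clock so the lifetimes computed below are reproducible (constructed value).
NOW = datetime(2012, 1, 15, 12, 0, 0, tzinfo=timezone.utc)

# Constructed headers: what a login response and a later logout response might set.
LOGIN_SET_COOKIE = [
    "uid=100001234; Expires=Thu, 15 Jan 2015 12:00:00 GMT; Path=/; Domain=.provider.example; Secure",
    "sso_token=abc123; Max-Age=31536000; Path=/; Domain=.provider.example; Secure; HttpOnly",
    "session_tmp=xyz; Path=/; Domain=.provider.example; HttpOnly",
    "device_id=fingerprint; Expires=Wed, 15 Jan 2014 12:00:00 GMT; Path=/; Domain=.provider.example",
]
LOGOUT_SET_COOKIE = [
    "session_tmp=deleted; Max-Age=0; Path=/; Domain=.provider.example",
    "sso_token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Path=/; Domain=.provider.example",
]


def parse_set_cookie(header, now):
    """Return (name, attrs). attrs['expires'] is an aware datetime, or None for a
    session cookie. Max-Age takes precedence over Expires, as RFC 6265 requires."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"value": value, "expires": None, "secure": False, "httponly": False, "domain": None}
    max_age = expires = None
    for part in parts[1:]:
        key, _, val = part.partition("=")
        key = key.strip().lower()
        if key == "max-age":
            max_age = int(val)
        elif key == "expires":
            expires = parsedate_to_datetime(val)
        elif key == "secure":
            attrs["secure"] = True
        elif key == "httponly":
            attrs["httponly"] = True
        elif key == "domain":
            attrs["domain"] = val.lower()
    attrs["expires"] = now + timedelta(seconds=max_age) if max_age is not None else expires
    return name, attrs


def audit(login_headers, logout_headers, now):
    """Replay login then logout into a cookie jar and report what survives logout:
    'session' (gone when the browser closes) or 'persistent:<days>d'."""
    jar = {}
    for header in login_headers:
        name, attrs = parse_set_cookie(header, now)
        jar[name] = attrs
    for header in logout_headers:
        name, attrs = parse_set_cookie(header, now)
        # An Expires in the past or Max-Age=0 is how a server deletes a cookie.
        if attrs["expires"] is not None and attrs["expires"] <= now:
            jar.pop(name, None)
        else:
            jar[name] = attrs
    report = {}
    for name, attrs in jar.items():
        if attrs["expires"] is None:
            report[name] = "session"
        else:
            report[name] = f"persistent:{(attrs['expires'] - now).days}d"
    return report


if __name__ == "__main__":
    for name, kind in audit(LOGIN_SET_COOKIE, LOGOUT_SET_COOKIE, NOW).items():
        print(f"{name:12} still present after logout: {kind}")
```

With the constructed capture, the logout clears the session cookie and the SSO token but leaves the user id and device cookies in place for years, which is exactly the pattern the article describes: anything the report lists as persistent is what a site using the provider's login can still see after you think you have logged out.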

Facebook's OAuth 2.0 implementation (indeed most OAuth 2.0 implementations) requires three steps to make sure that the person is fully authenticated and is who they say they are, regardless of the type of service you are providing. You need to do user authentication, application authorization, and then application authentication. You can see this implemented regardless of the system a person is using. These are basic information security implementation steps: making sure the person is who they say they are, that the user knows what information is being given to the application, and that the data is actually the information of the user who logged in and not someone else's.
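The three steps just listed, worked through as an added example in the authorization-code flow (this is illustration code, not Facebook's implementation or any library's API): step 1 is the password check in `authorize`, step 2 is the consent and registered-redirect check that gates the authorization code, and step 3 is the client-secret check at the token endpoint. It also shows the two checks the earlier paragraph on token theft called for: the relying party only accepts a callback carrying a `state` it issued itself, and the resource server rejects an access token whose HMAC no longer matches, so a token altered in transit or in the cookie cache fails. All client ids, secrets, user names and URLs are constructed placeholders.

```python
"""Three-step OAuth 2.0 authorization-code flow with HMAC-signed access tokens.
Added example, not Facebook's or any library's code; every client id, secret,
user name and URL below is a constructed placeholder."""
import hashlib
import hmac
import secrets
import time


class OAuthError(Exception):
    """Carries an OAuth 2.0 style error code such as invalid_client or access_denied."""


def _pw_hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuthorizationServer:
    """The identity provider (the 'Facebook' side of Facebook Connect)."""
    CODE_TTL = 600  # seconds; authorization codes are short-lived and single-use

    def __init__(self, signing_key):
        self.signing_key = signing_key
        self.clients = {}  # client_id -> (client_secret, registered redirect_uri)
        self.users = {}    # username -> (salt, password hash)
        self.codes = {}    # code -> dict describing the pending grant

    def register_client(self, client_id, client_secret, redirect_uri):
        self.clients[client_id] = (client_secret, redirect_uri)

    def register_user(self, username, password):
        salt = secrets.token_bytes(16)
        self.users[username] = (salt, _pw_hash(password, salt))

    def authorize(self, client_id, redirect_uri, scope, state, username, password, consent):
        # Step 1, user authentication: the person proves who they are to the provider.
        salt, stored = self.users.get(username, (b"", b""))
        if not hmac.compare_digest(stored, _pw_hash(password, salt)):
            raise OAuthError("access_denied")
        # Step 2, application authorization: the user sees the requested scope and consents,
        # and the code only ever goes to the client's registered redirect URI.
        if self.clients.get(client_id, (None, None))[1] != redirect_uri:
            raise OAuthError("invalid_request")
        if not consent:
            raise OAuthError("access_denied")
        code = secrets.token_urlsafe(32)
        self.codes[code] = {"client_id": client_id, "redirect_uri": redirect_uri, "scope": scope,
                            "user": username, "issued": time.time(), "used": False}
        return {"code": code, "state": state}  # state is echoed back unchanged

    def token(self, client_id, client_secret, code, redirect_uri):
        # Step 3, application authentication: the app proves it is the registered client.
        secret = self.clients.get(client_id, ("", ""))[0]
        if not hmac.compare_digest(secret.encode(), client_secret.encode()):
            raise OAuthError("invalid_client")
        grant = self.codes.get(code)
        if (grant is None or grant["used"] or grant["client_id"] != client_id
                or grant["redirect_uri"] != redirect_uri
                or time.time() - grant["issued"] > self.CODE_TTL):
            raise OAuthError("invalid_grant")
        grant["used"] = True  # a replayed code must fail
        payload = f"{grant['user']}:{grant['scope']}:{int(time.time()) + 3600}"
        return {"access_token": self._sign(payload), "token_type": "bearer", "scope": grant["scope"]}

    def _sign(self, payload):
        tag = hmac.new(self.signing_key, payload.encode(), "sha256").hexdigest()
        return f"{payload}.{tag}"

    def verify_access_token(self, token):
        """Resource-server check: (user, scope), or None if altered or expired."""
        payload = token.rpartition(".")[0]
        if not hmac.compare_digest(self._sign(payload).encode(), token.encode()):
            return None
        user, scope, exp = payload.split(":")
        return (user, scope) if int(exp) > time.time() else None


class RelyingParty:
    """The web site or game that lets people log in with the provider's account."""
    def __init__(self, server, client_id, client_secret, redirect_uri):
        self.server, self.client_id = server, client_id
        self.client_secret, self.redirect_uri = client_secret, redirect_uri
        self.pending = set()  # states issued to this browser session

    def start_login(self):
        state = secrets.token_urlsafe(16)
        self.pending.add(state)
        return state

    def finish_login(self, code, state):
        # A callback carrying a state we never issued is a forged or injected response.
        if state not in self.pending:
            raise OAuthError("invalid_state")
        self.pending.discard(state)
        return self.server.token(self.client_id, self.client_secret, code, self.redirect_uri)


def demo():
    """Run the whole flow for a constructed user and client; returns (user, scope)."""
    cb, pw = "https://game.example/callback", "correct horse battery staple"
    server = AuthorizationServer(secrets.token_bytes(32))
    server.register_user("alice", pw)
    server.register_client("game123", "game-secret", cb)
    game = RelyingParty(server, "game123", "game-secret", cb)
    state = game.start_login()
    resp = server.authorize("game123", cb, "public_profile", state, "alice", pw, True)
    return server.verify_access_token(game.finish_login(resp["code"], resp["state"])["access_token"])
```

Running `demo()` returns `("alice", "public_profile")`. The design choices worth noticing are that the code is bound to the client, the redirect URI and the user, is single-use and expires after ten minutes, and that the client secret never leaves the server-to-server token call, so a code stolen from a browser is useless without it.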

A programmer can determine how much data to gather and still follow the OAuth guidelines; what a person gives away then becomes a personal issue. Again, the user decides what to share, depending on what the programmer decides they need out of the Facebook social graph. Some games simply try to gather too much information about a person and their friends, but the user has to agree to what the game wants from them. What counts as too much is an intensely personal question, and some Facebook applications have been banned for gathering too much information, or for selling that information outside the confines of Facebook. For example, the Words with Friends game wants what I would consider too much data about me and what I am doing on Facebook. Since I believe this, I will not play the game online.

The game itself will set a cookie based on the permissions that I have allowed by agreeing to the game's terms. That cookie can then be tracked and the data used for whatever purpose the game developer or company had in mind in the first place. Facebook is not alone in tracking user behavior in games; most large game companies monitor how people play games on a near continuous basis. Sometimes, though, OAuth can be set up very wrong, with bad calls that expose error data that malicious users would love to have, like this.

What will make this all the more interesting is the Facebook Timeline, which relies heavily on the use of OAuth and Facebook Connect. Given how OAuth works, and how Facebook Connect works, it is a day to day compilation (some will say tracking) of what you do on the internet. Much like using Google, when you have interacted with a system there are going to be footprints left behind. All of this relies on Facebook Connect and how it has been implemented by various websites.

Not all web sites are good, and not all web sites you visit or interact with are ones you are going to want to show up in your Facebook Timeline. Some adult sites and some hacker sites are now using Facebook Connect as a way to show up in your Facebook Timeline, so that there is a record in Facebook that you went to a site you might not want your Facebook friends to know about. This is where OAuth can become a problem for the average user. Because you never really log out of the entire ecosystem at once, your Facebook token, or any other OAuth based token, can be used on any web site that implements Facebook Connect or a similar OAuth authentication process. This includes hacker sites, adult sites, or other sites you might visit that could embarrass you. As Mashable and Techwag stated in their articles, there are already sites using Facebook Connect that could reasonably be embarrassing to the user who visits them after having logged into Facebook.

Even though this example is from College Humor, it could be embarrassing to someone who did not want the world to know that they were watching this kind of material. The reputational issues are going to be worth following in the future, because we have already seen people fired for what they post online, and on Facebook. This is really more about controlling the public persona that a person has, and their efforts to maintain that image. Using Facebook Connect, and indeed OAuth in general wherever there is an integration between the user, the ecosystem, and the social media service, could lead to entries in timelines or inadvertently shared items that cause a decrease in public stature.

What is going to be the most troublesome part of this for people is that some applications, like the Facebook Timeline, make this inadvertent or casual. You will go to a web site using Facebook Connect, and you will already be logged in once it has read the OAuth cookie on your computer. Simply going there is going to make the visit part of the Facebook infrastructure for OAuth, and it will use the cookie that is on the computer. It could be any member of your family at the browser, or, if the developer was not paying attention, the site would pull the OAuth cookie for all browser users and that data would show up in multiple timelines. Everything in that scenario depends on the developer and on which OAuth tokens are pulled out of the cookie cache on the hard drive. A malicious site would, from its own point of view, ideally pull all tokens and post into multiple timelines.

Currently I am not aware of any plans by Facebook to ensure that some sites cannot use Facebook Connect, in order to save users potential embarrassment. However, Facebook will allow you to edit your Timeline and remove stories, or otherwise restrict sharing of data within the Facebook Connect ecosystem. This is going to mean that users will have to learn to use Facebook privacy settings much better, or otherwise learn to mask behaviors that they do not want to show up in the public Timeline. This is going to be important in the future as OAuth, and the ability to inadvertently share data, becomes ubiquitous on the internet. There will always be things that people do online that they do not want to share, and it is not just adult material: realistically, health information and other information that might influence hiring or firing, items specifically related to your private information consumption habits that you do not want made public, or other information that can be divulged depending on how OAuth was implemented on a given site.

The best bet is to use a browser that you will never ever use to connect with Facebook. For example, when I am doing information security research I usually use Chrome, but I use Firefox for just about everything else I do on the internet. Some might want to use a virtual system for some activity and their regular computer system for other activities. In the end it will always be the responsibility of the end user to guard their own privacy when systems use OAuth, and to learn how to manage their own public image in an OAuth world. People will have to become much savvier about how these systems are used, what information they give away to other sites, and how much of that information is public or private. The implications of all this are going to be interesting, and it will be interesting to see how people manage their own public and private personas.