Facebook Apps – Is It Safe to Share Your Access Token?


I came across this particular app which is spreading virally among many Malaysian Facebook users:

https://www.facebook.com/SpritzNetworks/app_190322544333196

The app is asking users to copy-paste a so-called Sony Xperia Mobile token into their app.
Apparently the supposed mobile token is actually the users’ Facebook access token created for that particular Sony Xperia app.

What are the repercussions of sharing the Facebook access token with the app this way?

Best Answer

You open yourself to access you most likely don't want to give. An access token is a way for a user to state that they are giving limited access for an application to see data.

Copy-pasting the access_token means that you bypass the OAuth flow that prevents any hijacks of your account.

The access_token is in plain sight because the redirect_uri is set to http://facebook.com which doesn't handle the response.

As the User access token is passed to your redirect_uri in the URL fragment, it therefore must be retrieved using some type of JavaScript - this depends on the JavaScript framework you want to use; some examples include querystring.parse in Node.js or jQuery BBQ.

https://www.facebook.com/dialog/oauth?response_type=token&display=popup&client_id=104018109673165&redirect_uri=http://www.facebook.com/&response_type=token&perms=&scope=publish_stream,offline_access,user_photos,friends_photos,publish_actions,read_stream,email,user_status,user_activities,user_likes

Gives the intruder (https://www.facebook.com/SpritzNetworks) access to the following:

  • publish_stream
  • offline_access
  • user_photos
  • friends_photos
  • publish_actions
  • read_stream
  • email
  • user_status
  • user_activities
  • user_likes

Many shady pages use the Xperia app as a way to coax users into giving their access token.

Summary: Don't give out your access_token, you aren't even supposed to know it exists in the first place.
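The mechanics the answer describes can be checked before clicking such a link. The JavaScript below is an added example, not code from the question, the answer or the app in question: it parses the OAuth dialog URL quoted above to show that it uses the implicit flow (response_type=token), that the redirect_uri points back at facebook.com where no app code receives the response, and which of the requested scopes are the high-value ones; the second function shows why the token ends up visible in the address bar. The risk descriptions and the redirect fragment with its token value are constructed for the example.

```javascript
// Added example (not from the original post): inspect a Facebook OAuth dialog
// link the way a cautious user or reviewer would, before following it.
// The dialog URL is the one quoted in the answer; scope descriptions are
// this example's own summaries of what those legacy permissions granted.
const RISKY_SCOPES = {
  offline_access: "token does not expire, access survives logout",
  publish_stream: "post to your wall and your friends' walls as you",
  publish_actions: "publish actions on your behalf",
  read_stream: "read your whole news feed",
  friends_photos: "read your friends' photos, not only your own",
};

function inspectDialogUrl(dialogUrl) {
  const params = new URL(dialogUrl).searchParams;
  const scopes = (params.get("scope") || "").split(",").filter(Boolean);
  const redirect = new URL(params.get("redirect_uri"));
  return {
    // response_type=token is the implicit flow: the token is returned
    // straight to the browser instead of being exchanged server-side.
    implicitFlow: params.getAll("response_type").includes("token"),
    // A redirect back to facebook.com means no application code ever
    // handles the response; the token just sits in the address bar.
    redirectHandledByApp: !/(^|\.)facebook\.com$/.test(redirect.hostname),
    scopes,
    highRisk: scopes
      .filter((s) => s in RISKY_SCOPES)
      .map((s) => `${s}: ${RISKY_SCOPES[s]}`),
  };
}

// In the implicit flow the token arrives in the URL fragment (after '#').
// Browsers never send the fragment to the server, so only client-side
// JavaScript, or a user copy-pasting the address bar, can read it.
function parseRedirectFragment(redirectedUrl) {
  const fragment = new URL(redirectedUrl).hash.replace(/^#/, "");
  return Object.fromEntries(new URLSearchParams(fragment));
}

const DIALOG_URL =
  "https://www.facebook.com/dialog/oauth?response_type=token&display=popup" +
  "&client_id=104018109673165&redirect_uri=http://www.facebook.com/" +
  "&response_type=token&perms=&scope=publish_stream,offline_access," +
  "user_photos,friends_photos,publish_actions,read_stream,email," +
  "user_status,user_activities,user_likes";

// Constructed sample of what the address bar holds after the redirect.
const SAMPLE_REDIRECT =
  "http://www.facebook.com/#access_token=CONSTRUCTED_SAMPLE_TOKEN&expires_in=0";
```

Running `inspectDialogUrl(DIALOG_URL)` reports ten scopes, five of them flagged, and `parseRedirectFragment(SAMPLE_REDIRECT).access_token` shows the token exactly where the "mobile token" prompt tells users to copy it from.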