Search Results

Search found 25408 results on 1017 pages for 'back'.

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

Page 106/1017 | < Previous Page | 102 103 104 105 106 107 108 109 110 111 112 113  | Next Page >

  • SINGLE SIGN ON SECURITY THREAT! FACEBOOK access_token broadcast in the open/clear

    - by MOKANA
    Subsequent to my posting there was a remark made that this was not really a question but I thought I did indeed postulate one. So that there is no ambiquity here is the question with a lead in: Since there is no data sent from Facebook during the Canvas Load process that is not at some point divulged, including the access_token, session and other data that could uniquely identify a user, does any one see any other way other than adding one more layer, i.e., a password, sent over the wire via HTTPS along with the access_toekn, that will insure unique untampered with security by the user? Using Wireshark I captured the local broadcast while loading my Canvas Application page. I was hugely surprised to see the access_token broadcast in the open, viewable for any one to see. This access_token is appended to any https call to the Facebook OpenGraph API. Using facebook as a single click log on has now raised huge concerns for me. It is stored in a session object in memory and the cookie is cleared upon app termination and after reviewing the FB.Init calls I saw a lot of HTTPS calls so I assumed the access_token was always encrypted. But last night I saw in the status bar a call from what was simply an http call that included the App ID so I felt I should sniff the Application Canvas load sequence. Today I did sniff the broadcast and in the attached image you can see that there are http calls with the access_token being broadcast in the open and clear for anyone to gain access to. Am I missing something, is what I am seeing and my interpretation really correct. If any one can sniff and get the access_token they can theorically make calls to the Graph API via https, even though the call back would still need to be the site established in Facebook's application set up. But what is truly a security threat is anyone using the access_token for access to their own site. I do not see the value of a single sign on via Facebook if the only thing that was established as secure was the access_token - becuase for what I can see it clearly is not secure. Access tokens that never have an expire date do not change. Access_tokens are different for every user, to access to another site could be held tight to just a single user, but compromising even a single user's data is unacceptable. http://www.creatingstory.com/images/InTheOpen.png Went back and did more research on this: FINDINGS: Went back an re ran the canvas application to verify that it was not any of my code that was not broadcasting. In this call: HTTP GET /connect.php/en_US/js/CacheData HTTP/1.1 The USER ID is clearly visible in the cookie. So USER_ID's are fully visible, but they are already. Anyone can go to pretty much any ones page and hover over the image and see the USER ID. So no big threat. APP_ID are also easily obtainable - but . . . http://www.creatingstory.com/images/InTheOpen2.png The above file clearly shows the FULL ACCESS TOKEN clearly in the OPEN via a Facebook initiated call. Am I wrong. TELL ME I AM WRONG because I want to be wrong about this. I have since reset my app secret so I am showing the real sniff of the Canvas Page being loaded. Additional data 02/20/2011: @ifaour - I appreciate the time you took to compile your response. I am pretty familiar with the OAuth process and have a pretty solid understanding of the signed_request unpacking and utilization of the access_token. I perform a substantial amount of my processing on the server and my Facebook server side flows are all complete and function without any flaw that I know of. The application secret is secure and never passed to the front end application and is also changed regularly. I am being as fanatical about security as I can be, knowing there is so much I don’t know that could come back and bite me. Two huge access_token issues: The issues concern the possible utilization of the access_token from the USER AGENT (browser). During the FB.INIT() process of the Facebook JavaScript SDK, a cookie is created as well as an object in memory called a session object. This object, along with the cookie contain the access_token, session, a secret, and uid and status of the connection. The session object is structured such that is supports both the new OAuth and the legacy flows. With OAuth, the access_token and status are pretty much al that is used in the session object. The first issue is that the access_token is used to make HTTPS calls to the GRAPH API. If you had the access_token, you could do this from any browser: https://graph.facebook.com/220439?access_token=... and it will return a ton of information about the user. So any one with the access token can gain access to a Facebook account. You can also make additional calls to any info the user has granted access to the application tied to the access_token. At first I thought that a call into the GRAPH had to have a Callback to the URL established in the App Setup, but I tested it as mentioned below and it will return info back right into the browser. Adding that callback feature would be a good idea I think, tightens things up a bit. The second issue is utilization of some unique private secured data that identifies the user to the third party data base, i.e., like in my case, I would use a single sign on to populate user information into my database using this unique secured data item (i.e., access_token which contains the APP ID, the USER ID, and a hashed with secret sequence). None of this is a problem on the server side. You get a signed_request, you unpack it with secret, make HTTPS calls, get HTTPS responses back. When a user has information entered via the USER AGENT(browser) that must be stored via a POST, this unique secured data element would be sent via HTTPS such that they are validated prior to data base insertion. However, If there is NO secured piece of unique data that is supplied via the single sign on process, then there is no way to guarantee unauthorized access. The access_token is the one piece of data that is utilized by Facebook to make the HTTPS calls into the GRAPH API. it is considered unique in regards to BOTH the USER and the APPLICATION and is initially secure via the signed_request packaging. If however, it is subsequently transmitted in the clear and if I can sniff the wire and obtain the access_token, then I can pretend to be the application and gain the information they have authorized the application to see. I tried the above example from a Safari and IE browser and it returned all of my information to me in the browser. In conclusion, the access_token is part of the signed_request and that is how the application initially obtains it. After OAuth authentication and authorization, i.e., the USER has logged into Facebook and then runs your app, the access_token is stored as mentioned above and I have sniffed it such that I see it stored in a Cookie that is transmitted over the wire, resulting in there being NO UNIQUE SECURED IDENTIFIABLE piece of information that can be used to support interaction with the database, or in other words, unless there were one more piece of secure data sent along with the access_token to my database, i.e., a password, I would not be able to discern if it is a legitimate call. Luckily I utilized secure AJAX via POST and the call has to come from the same domain, but I am sure there is a way to hijack that. I am totally open to any ideas on this topic on how to uniquely identify my USERS other than adding another layer (password) via this single sign on process or if someone would just share with me that I read and analyzed my data incorrectly and that the access_token is always secure over the wire. Mahalo nui loa in advance.

    Read the article

  • Android device guidelines/requirements

    - by Ravi Vyas
    Are there any requirements/guidelines for an Android device? like numbers of buttons or minimum buttons required. Also are there any android devices which do not have the menu and back buttons? ( I am aware that no menu/back buttons will kill most of the apps in terms of usability , I just wanted to know more on the topic :-) )

    Read the article

  • Is there any pros to duplicate browser/keyboard functionality?

    - by metal-gear-solid
    Is it good for user experience to duplicate browser/keyboard functionality? For example: to provide these links on a web-page. "Back to top" link "Print this page" link "Add to Favorite" link "Back" button/link "Text zoom" button Are they really create Site's usability and accessibility? How screen reader will behave these links, will these confuse to screen reader users?

    Read the article

  • synchronously load html content in UIWebView

    - by mbg1987
    im using a UIWebView to show html content in my app, the app contains two arrows to navigate between topics just like a RSS reader app, but when the user hits up or down arrow, the next topic doesn't show up until the data come back and the user still able to interact with the UI which is a bit confusing, My question: how to block the UI when user moves to the next/back topic ? in other words how to make loadHTMLString:baseURL: works as a synchronous calling ? thanks !

    Read the article

  • Long numbers. Division.

    - by user577395
    Hello, world! I have a problem. Today I tried to create a code, which finds Catalan number. But in my program can be long numbers. I found numerator and denominator. But i can't div long numbers! Also, only standard libraries was must use in this program. Help me please. This is my code #include <vector> #include <iostream> using namespace std; int main(int argc, char *argv[]) { const int base = 1000*1000*1000; vector <int> a, b; int n, carry = 0; cin>>n; a.push_back(n); for (int ii=n+2; ii!=(2*n)+1;++ii) { carry = 0; for (size_t i=0; i<a.size() || carry; ++i) { if (i == a.size()) a.push_back (0); long long cur = carry + a[i] * 1ll * ii; a[i] = int (cur % base); carry = int (cur / base); } } while (a.size() > 1 && a.back() == 0) a.pop_back(); b.push_back(n); for (int ii=1; ii!=n+1;++ii) { carry = 0; for (size_t i=0; i<b.size() || carry; ++i) { if (i == b.size()) b.push_back (0); long long cur = carry + b[i] * 1ll * ii; b[i] = int (cur % base); carry = int (cur / base); } } while (b.size() > 1 && b.back() == 0) b.pop_back(); cout<<(a.empty() ? 0 : a.back()); for (int i=(int)a.size()-2; i>=0; --i) cout<<(a[i]); cout<<" "; cout<<(b.empty() ? 0 : b.back()); for (int i=(int)b.size()-2; i>=0; --i) cout<<(b[i]); //system("PAUSE"); cout<<endl; return 0; } P.S. Sorry for my bad english =)

    Read the article

  • jquery animation problem using stop

    - by Flanders
    Hi! When running a Jquery animation like slideDown(), it looks like a number of element-specific css properties is set to be updated at a specific interval and when the animation is complete these properties are unset and the display property is simply set to auto or whatever. At least in firebug you can't see those temporary properties any more. The problem I've encountered is the scenario where we stop the slide down with stop(). The element is then left with the current temporary css values. Which is fine because it has to, but let us say that I stoped the slidedown because I have decided to slide it back up again a bit prematurely. It would look something like this: $(this).slideDown(2000) //The below events is not in queue but will rather start execute almost simultaneously as the above line. (dont remember the exact syntax) $(this).delay(1000).stop().slideUp(2000) The above code might not make much sense, but the point is: After 1 second of sliding down the animation is stopped and it starts to slide back up. Works like a charm. BUT!!! And here is the problem. Once it it has slid back up the elements css properties are reset to the exact values it had 1000ms into the slideDown() animation (when stop() was called). If we now try to run the following: $(this).slideDown(2000) It will slide down to the very point the prior slideDown was aborted and not further at half the speed (since it uses the same time for approximately half the height). This is because the css properties were saved as I see it. But it is not especially wished for. Of course I want it to slide all the way down this time. Due to UI interaction that is hard to predict everything might soon break. The longer animations we use increases the risk of something like this happening. Is this to be considered a bug, or am I doing something wrong? Or maybe it's just a feature that is not supported? I guess I can use a callback function to reset the css properties, but depending on the animation used, different css properties are used to render it, and covering your back would result in quite a not-so-fancy solution.

    Read the article

  • Nicer way to deploy a minified Chrome extension

    - by UVL
    When deploying an extension I follow various steps : copy to a temporary folder all the files, copy/paste back and forth the code to the on-line minifiers / obfuscators and create the zip to be uploaded. It's obvious that this could be simplified with scripting, but my experience on Windows scripting is very limited (most of my experience is server-side). Do I have to look back to the DOS .bat files like in the 90's or is there some cool tool or method I'm not aware?

    Read the article

  • What are you supposed to do with old SVN branches?

    - by John
    We had a SVN branch recently that had been merged back to trunk, and some more work on that feature/functional area was needed. I suggested using the same branch but was told you shouldn't re-use a branch once it has been integrated into trunk (a reference in SVN docs was given, I can't find it now). That suggests a branch is fairly useless once you merge back to trunk, so my question is once a branch is no longer needed, should it simply be deleted or kept?

    Read the article

  • How to get password html helper to render password on failed validation

    - by Max Schmeling
    I have a form for creating a new account and it has a password field in it. I'm using view models to pass data to the controller action and back to the form view. When the user enters their details in, and clicks submit, if validation fails and it returns them to the same view passing back in the view model, it won't default the password to what they entered. How can I get it to do this? Or should I even try?

    Read the article

  • How do you prevent a Hudson slave from archiving artifacts?

    - by Wilfred Springer
    It turns out our slaves spend a considerable amount of time moving the archived artifacts back to the master Hudson node. It at least triples the duration of the build. It would be nice if there would be a way to prevent it. However, setting the maximum number of builds to keep doesn't have an influence at all. Is there another way to prevent sending the results back to the central Hudson master?

    Read the article

  • Unity JS - simple if statements not behaving as expected?

    - by IHazABone
    I have a simple script (please no remarks on the fact that I'm not using a switch statement or better code, this is the earliest version and written this way by a peer, I am improving it) that takes an object and moves it back and forth. For some reason, the variable time gets stuck at 249. It is probably an obvious bug with this inefficient logic, but I cannot seem to find it. var speed = 1; private var time = 0; function Start() { } function Update() { if(condition == true)moveStuff(); } function moveStuff() { var timeSwitch = false; if(time == 0)timeSwitch = false; if(time == timeSet)timeSwitch = true; if(direction == 1) { if(timeSwitch == false) { transform.Translate(Vector3.up * (Time.deltaTime * speed)); time += 1; Debug.Log(time); }else if(timeSwitch == true) { transform.Translate(Vector3.up * ((Time.deltaTime * speed) * -1)); time -= 1; Debug.Log(time); } } else if(direction == 2) { if(timeSwitch == false) { transform.Translate(Vector3.down * (Time.deltaTime * speed)); time += 1; Debug.Log("Moved down. "); }else if(timeSwitch == true){ transform.Translate(Vector3.down * ((Time.deltaTime * speed) * -1)); time -= 1; } } else if(direction == 3) { if(timeSwitch == false) { transform.Translate(Vector3.forward * (Time.deltaTime * speed)); time += 1; Debug.Log("Moved forward. "); }else if(timeSwitch == true){ transform.Translate(Vector3.forward * ((Time.deltaTime * speed) * -1)); time -= 1; } } else if(direction == 4) { if(timeSwitch == false) { transform.Translate(Vector3.back * (Time.deltaTime * speed)); time += 1; Debug.Log("Moved back. "); }else if(timeSwitch == true){ transform.Translate(Vector3.back * ((Time.deltaTime * speed) * -1)); time -= 1; } } else if(direction == 5) { if(timeSwitch == false) { transform.Translate(Vector3.right * (Time.deltaTime * speed)); time += 1; Debug.Log("Moved right. "); }else if(timeSwitch == true){ transform.Translate(Vector3.right * ((Time.deltaTime * speed) * -1)); time -= 1; } } else if(direction == 6) { if(timeSwitch == false) { transform.Translate(Vector3.left * (Time.deltaTime * speed)); time += 1; Debug.Log("Moved left. "); }else if(timeSwitch == true){ transform.Translate(Vector3.left * ((Time.deltaTime * speed) * -1)); time -= 1; } } }

    Read the article

  • ASP page get current focused control

    - by Breander
    So what I have is a bunch of dynamically created textboxs that when the user enters some data and either tabs out or clicks out some calculations are done. After the page posts back control focus is lost. What I need is to be able to set focus back to the control that was tabbed to or clicked into not the control that data was entered into.

    Read the article

  • Save PHP variables to a text file

    - by Ajith
    I was wondering how to save PHP variables to a txt file and then retrieve them again. Example: There is an input box, after submitted the stuff that was written in the input box will be saved to a text file. Later on the results need to be brought back as a variable. So lets say the variable is $text I need that to be saved to a text file and be able to retrieve it back again. Hope it makes sense, Thanks in advance!!!

    Read the article

  • How does SO's form remember previous input values?

    - by user198729
    I've noticed that the Title or Body part is remembered if I come back to the Ask Question page by pressing Back button of my browser. This feature is available in all browsers I tested, but doesn't exist for the forms in my own projects. How can I approach that effect? UPDATE I still don't have any clue yet,but guess it that some kind of client cache enabled by http headers or javascript?

    Read the article

  • How to convert 3GP video for Android to view?

    - by RedNax
    Hi, I'm creating 3GP videos with the Android - however, when the 3GP files are posted on a site, the same Android phone cannot view it back. (The file works on the iPhone). What is right way to encode/resize the 3GP video so that the video player on Android can play it back? Thanks

    Read the article

  • Prevent monitor from powering on

    - by concretemixer
    I'm turning off the monitor using SendMessage(HWND_BROUADCART, WM_SYSCOMMAND, SC_MONITORRPOWER, 2). That works, but the monitor turns back on when someone touches the keyboard or mouse. I tried to get rid of this using the DevicePowerSetDeviceState function with DEVICEPOWER_CLEAR_WAKEENABLED for the keyboard and mouse: it returns no error, but has no effect either. How can I prevent the monitor from powering back on in Vista and Windows7?

    Read the article

facebook twitter digg google delicious technorati stumbleupon myspace wordpress linkedin gmail igoogle windows live tumblr viadeo yahoo buzz yahoo mail yahoo bookmarks favorites email print

< Previous Page | 102 103 104 105 106 107 108 109 110 111 112 113  | Next Page >