[funsec] Following Data Leak, Facebook Proposes Encryption for UIDs

Jeffrey Walton noloader at gmail.com
Fri Oct 22 03:04:48 CDT 2010


On Thu, Oct 21, 2010 at 8:39 PM, Robert Slade <rmslade at shaw.ca> wrote:
> "In response to a discovery earlier this week that some Facebook applications were inadvertently sharing user information to third parties, Facebook engineers are proposing that Facebook UIDs become encrypted."
>
> Oh, gee, some real genius must have thought of that!
>
> "Under the new proposal, the parameters that are passed back to iFrame-based applications will be encrypted using an application’s secret key, meaning that only the actual application will be able to read the information and accidental disclosures over HTTP headers will no longer be possible."
>
Hmmm... Like the oracle padding attacks? I'd like to hear more details
on the implementation.



More information about the funsec mailing list