Shinya

Reputation: 146

Is signed_request secure?

I'm creating a Facebook app. Facebook displays the app view in iframe and gives it signed_request in a POST parameter.

If someone gets another user's signed_request string, he can post it to the app.

curl -F "signed_request=CCuTU8c2…NjMwOTMxIn0" https://app.mydomain.xx/

Signed_request is resistant to tampering. On the other hand, the app accepts data which hasn't been tampered with.

Should Facebook apps check something for it? For example, the value of issued_at. I wonder how to handle signed_request. Facebook's PHP SDK sets it in a cookie. Is that OK?

Upvotes: 0

Views: 572

Answers (1)

Cheekysoft

Reputation: 35580

This cannot be faked, if you check it properly. It is a JSON data object that has been encrypted with your application-secret. An attacker would not be able to encrypt with this key, cos you never let anyone know it, right? --if you have ever leaked your application-secret, you're seriously boned in lots of other ways; a faked signed_request is the last of your worries.

You need to decrypt the data and parse the resultant JSON to ensure it matches the request you have received. If an attacker sends a signed-request that he has sniffed from a previous use, then he can't just send it with an arbitrary request, as it will only match the request from which it was stolen. But it is the responsibility of your code to perform this check. It is possible that this may be a feature of your Facebook API client library, depending on the library and configuration used.

Please see the signed request page at Facebook Developers.

And for further reading on Facebook security, please see the excellent Developing Secure Facebook Apps document at OWASP.

Upvotes: 2
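
An added example, not part of the answer above or of Facebook's SDK: a server-side check of signed_request that also bounds its age with issued_at, the field the question asks about. It assumes the documented format (base64url signature, a dot, base64url JSON payload, HMAC-SHA256 keyed with the app secret); `MAX_AGE`, `CLOCK_SKEW` and the function names are assumptions chosen for illustration.

```python
import base64, hashlib, hmac, json, time

MAX_AGE = 300    # assumed freshness window in seconds
CLOCK_SKEW = 60  # assumed tolerance for issued_at slightly in the future

class SignedRequestError(ValueError):
    pass

def _b64url_decode(segment):
    # The '=' padding is stripped in signed_request; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def _mac(payload_b64, app_secret):
    return hmac.new(app_secret.encode(), payload_b64.encode(), hashlib.sha256).digest()

def make_signed_request(payload, app_secret):
    """Build a constructed sample value for testing (not a real Facebook token)."""
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    return _b64url_encode(_mac(payload_b64, app_secret)) + "." + payload_b64

def verify_signed_request(signed_request, app_secret, now=None):
    """Return the payload dict, or raise SignedRequestError."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        sig = _b64url_decode(sig_b64)
    except ValueError as exc:
        raise SignedRequestError("malformed signed_request") from exc
    # Authenticate the bytes before parsing them; compare in constant time.
    if not hmac.compare_digest(sig, _mac(payload_b64, app_secret)):
        raise SignedRequestError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if str(payload.get("algorithm", "")).upper() != "HMAC-SHA256":
        raise SignedRequestError("unexpected algorithm")
    # A valid signature does not stop replay, so bound the token's age.
    issued_at = payload.get("issued_at")
    now = time.time() if now is None else now
    if not isinstance(issued_at, (int, float)):
        raise SignedRequestError("missing issued_at")
    if not -CLOCK_SKEW <= now - issued_at <= MAX_AGE:
        raise SignedRequestError("stale signed_request")
    return payload
```

The age check only narrows the replay window; a captured value is still accepted until it expires, so the POST should travel over HTTPS only.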
