facebook connect: What about phishing? (update: things are changing)

Update: It seems that most sites are now switching to popups instead of layers, so that’s a good thing. Thanks, facebook!

If you look at one of the facebook connect login pages you get to see something like this:

The facebook connect login layer

So it’s a layer (an in-page lightbox) that opens when you click the facebook connect button. Because it is not even a popup window, you cannot see which URL your login details are being sent to. It may well be facebook (and in this case I trust TechCrunch that it is), but it could just as well be the site itself, happily storing your facebook login details.

So doesn’t this make it easier for phishing sites to rebuild this layer and ask for a user’s facebook password? Or am I missing something here?

It seems I am not the only one with such concerns, as this blog post and these forum comments suggest. At least one person there says:

They keep saying they’re going to stop using the DHTML lightboxes for login; use a popup instead. In that case, it’s trivial for the user to look at the address bar and know he’s genuinely talking to facebook.

And seems to be using that popup (though I think it was a layer, too, back when I first tried it; I might be wrong). facebook, please don’t get people used to such layers!

What does this mean to OpenID?

If people get used to such mechanisms for logging in to other sites, this is IMHO also a problem for OpenID’s attempts to prevent phishing. After all, this is one of OpenID’s big problems even in cases where you can see the URL: people simply do not pay as much attention as they should. A big player now getting people used to such layers is IMHO not a good service.

They of course give you the option to log in via facebook directly if you don’t happen to trust the site, but that is maybe something you or I would do, not the average user.

What they could do OTOH is educate users, telling them with every login to make sure the URL is correct. Maybe that would even be good for every ordinary website login.

Good practice for people using facebook connect

So here is what you should do:

For users: Always click the link which sends you to facebook!

For web sites: Send the user directly to facebook, do not use a layer!
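The “make sure the URL is correct” advice only works when there is an address bar to read, i.e. with a popup or redirect rather than a layer. As an added example (not code from the original post or from facebook), here is the check a user or a site-side test would apply to the login page’s address before a password goes in; it assumes facebook.com is the provider host, and the sample addresses are constructed lookalikes:

```javascript
// Added example: decide whether a login page URL really belongs to the identity
// provider. Assumes the provider host is facebook.com (the only one the post names).
// Uses the WHATWG URL parser that Node and browsers provide as a global.

function isTrustedLoginUrl(rawUrl, trustedHost = 'facebook.com') {
  let url;
  try {
    url = new URL(rawUrl);
  } catch (e) {
    return false;                       // not even a parseable absolute URL
  }
  // A password form must travel over TLS; plain http is never acceptable here.
  if (url.protocol !== 'https:') return false;
  // "https://facebook.com@other.example/" shows the trusted name first, but that
  // part is userinfo; the request actually goes to other.example.
  if (url.username !== '' || url.password !== '') return false;
  const host = url.hostname.toLowerCase();
  // Exact host or a genuine subdomain (www.facebook.com). The dot prefix rejects
  // both "facebook.com.other.example" and "notfacebook.com".
  return host === trustedHost || host.endsWith('.' + trustedHost);
}

// Constructed sample addresses, the kind a popup's address bar might show.
const sampleUrls = [
  'https://www.facebook.com/login.php',
  'http://www.facebook.com/login.php',
  'https://facebook.com.login-check.example/login',
  'https://facebook.com@login-check.example/login',
  'https://notfacebook.com/login',
  'not a url at all',
];

// Returns [url, trusted] pairs so the verdicts can be inspected or asserted on.
function classifyLoginUrls(urls) {
  return urls.map((u) => [u, isTrustedLoginUrl(u)]);
}

for (const [u, ok] of classifyLoginUrls(sampleUrls)) {
  console.log(ok ? 'TRUSTED  ' : 'REJECT   ', u);
}
```

A DHTML layer shows no address at all, so none of this can be applied to it; that is exactly why the popup is the better choice.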

