
Considering a simple example:

  1. Log in to your fb account
  2. Post a status
  3. Click on the status dropdown (top-right corner)
  4. Open developer tools in your browser and find the HTML for the "delete" option
  5. Edit a parameter which looks like story_fbid=10202782137141336

Since the wall consists of several statuses and posts, each with a different value for story_fbid, Facebook should be using these values to update/delete the respective posts. However, changing even a single digit of this value (story_fbid) to, let's say, story_fbid=10202782137141337 throws up an error as shown in the snapshot below.

FB error snapshot link

I am a beginner in PHP programming and was curious to know how the server-side validation of data is done in PHP...

So, I was looking for a basic explanation of how this client side changed html is detected at the server end.

I came across a similar question here. According to one of the answers, one possible method would be that the server uses a UUID associated with an ID of a particular post. If this UUID is manipulated on the client side, the server detects this and does not perform the requested operation (like DB record update/deletion) on that ID. But since a page can contain multiple such posts with different IDs, it could not be possible to have a UUID associated with each one of them.

So, what method does Facebook use to detect such changes?

frisco_1989
  • If you just randomly change one character in a unique id, then it is most likely that there just is no post (or any other object) with that id … – CBroe Nov 25 '13 at 15:28
  • What if there is one single table that stores posts of multiple users belonging to a single geographic location? Changing one last digit of a post-id in that table might match another user's post-id. – frisco_1989 Nov 26 '13 at 14:31
  • It might, or it might not. So what? That has little relevance here. Facebook knows which user is logged in, so they can check if they have the rights to delete that specific item or not. – CBroe Nov 26 '13 at 15:16
  • Yes, that seems reasonable. But with multiple posts coming from a single page is it possible for a logged in user to corrupt his own entries if he messes with the html on client side? – frisco_1989 Nov 26 '13 at 17:54

1 Answer


Disclaimer - I have absolutely no idea exactly what validations are made on Facebook's side - this post consists solely of educated guesses and general web security concepts.

Any data submitted by a user should be treated as if it has been tampered.

I think this is a great motto to go by. The data you send to Facebook when liking/commenting/deleting a post is composed solely of data that was generated by the user submitting the request. Whether that data was generated by the JavaScript that is already on the Facebook page or by a cURL command or even manually compiled by a user makes no difference to the Facebook server responding to that request.

Since there is no way to validate the data before it arrives at a Facebook server, all data should be considered as "possibly manipulated/harmful". For this reason, it's safe to assume that every single request made to a Facebook server passes through multiple levels of validation:

  1. Is this request valid? Does the request pertain to the expected format? Valid endpoint? Valid parameters? Valid arguments?
  2. Is there a valid user on the other end of the request? Are they using a valid access_token or similar parameter?
  3. Is that user allowed to make this request? Is the object owned by the user? Does the user have the required permissions to make this request?
  4. etc...
  5. etc...
  6. etc...
  7. Many more etc's...
  8. Probably even more validations...

If any one of these (assumed) validations fails, an error message is returned to the user. In order to keep the exact validations secret, Facebook probably elected to return generic errors to the users so as not to let them know exactly which validations are performed.

If a user was to know exactly what validations were performed it might not be too hard to bypass them - hence, as you can see, the error you get mentions an array of possible problems:

  • "can not be displayed right now" - most generic explanation.
  • "temporarily unavailable" - huh? like a hard drive failed? power outage? Data center's internet is down?
  • "link... has expired" - possible manipulation of an access token?
  • "don't have permissions"

It would be impossible to know exactly what is happening on Facebook's side - and this is their intention.


In a similar manner, sites that give a login error similar to "user name or password invalid" don't give the user any indication as to which parameter is invalid. It could be the username or it could be the password. Saying that only the password is invalid hints to the fact that the supplied username actually is valid and that may be information that the site doesn't want to share.

Lix
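The layered checks described in the answer (format, authenticated user, ownership, one generic error), sketched in PHP as an added example; it is not part of the original answer and not Facebook's code. The function name `deletePost`, the in-memory `$posts` array standing in for a database, the user names and the error text are all assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample data: post id => owner's user id (stands in for a DB table).
$posts = [
    '10202782137141336' => 'alice',
    '10202782137141337' => 'bob',
];

// One message for every failure, so the client cannot tell which check rejected it.
const GENERIC_ERROR = 'This content cannot be displayed right now.';

function deletePost(array $session, array $request, array &$posts): array
{
    $fail = function (string $reason): array {
        error_log("delete rejected: $reason");   // the detail stays server-side
        return ['ok' => false, 'message' => GENERIC_ERROR];
    };

    // 1. Is the request well formed? story_fbid is untrusted text from the client.
    $id = $request['story_fbid'] ?? null;
    if (!is_string($id) || !ctype_digit($id) || strlen($id) > 20) {
        return $fail('malformed story_fbid');
    }

    // 2. Is there an authenticated user? The identity comes from the session,
    //    never from a form field or the edited HTML.
    $userId = $session['user_id'] ?? null;
    if ($userId === null) {
        return $fail('no authenticated user');
    }

    // 3. Does the post exist, and is this user its owner?
    if (!isset($posts[$id]) || $posts[$id] !== $userId) {
        return $fail("user $userId may not delete post $id");
    }

    unset($posts[$id]);
    return ['ok' => true, 'message' => 'deleted'];
}

$session = ['user_id' => 'alice'];   // constructed: set by the login code
var_dump(deletePost($session, ['story_fbid' => '10202782137141337'], $posts)['ok']);
var_dump(deletePost($session, ['story_fbid' => 'not-a-number'], $posts)['ok']);
var_dump(deletePost($session, ['story_fbid' => '10202782137141336'], $posts)['ok']);
```

Only the last call succeeds: the edited id that happens to match another user's post fails the ownership check, and the client sees the same generic message as for a malformed id.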