Who can read your Facebook data?

Do you think about what (or who) you have given access to your Facebook data, or even who can write on Facebook on your behalf?

What does OAuth2 mean for the public? Why does it take more than 2 decades for people to transfer the common sense that we have learned from living our lives, and that has been passed on from generation to generation, to the internet?

I was at a dinner party this summer holiday where the topic of common sense on the internet and security came up. While we as developers might think the OAuth2 flows are complicated the first few times we read the spec, I fail to see why things need to be complicated for end users. By complicated I mean this: the public does not know what it means when they press accept on the consent screen.

I have a brother who, I assume, presses yes to everything that says "Log in with Facebook", given that his wall gets posted with advertising from third-party applications from time to time. I also have relatives who simply do not want to log in with Facebook because they do not know what happens. I believe it would help both sides if they knew more about what OAuth2 flows are and why it is not for authentication.

A little experiment of mine: press the settings button (top left corner) on Facebook, and then Account Settings. On the left side you can now find the Apps button. Go through the list and check how many of the apps you actually use from day to day (see the last login date). You will probably find a few apps you did not know (or remember) you had granted permission to read your data.

You can even see what data they have accessed and at what time.

I am hoping that developers will, in the future, make consent screens more user friendly by letting users understand what it means when they press accept. In ThinkTecture AuthorizationServer: Consent Screen and Refresh Tokens I think they are moving in the right direction by letting the user set the time for which the app has access, among other things.
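To make the two ideas in this post concrete, the plain-language consent screen and the user-chosen access lifetime, here is a small added model of such a screen. It is example code written for this page, not code from Facebook or from ThinkTecture AuthorizationServer; the scope names, their descriptions and the lifetime options are constructed for illustration, and timestamps are plain Unix seconds so the logic can be checked without a clock.

```python
"""Added example (not from the original post): a consent screen that translates
technical OAuth2 scopes into sentences a non-developer can read, refuses to show a
permission it cannot explain, and issues grants that expire when the user said they
should. Scope names and descriptions below are assumptions, not any real provider's."""
from dataclasses import dataclass

# Constructed mapping of scope identifiers to what the user should actually read.
SCOPE_DESCRIPTIONS = {
    "read_profile": "see your name, photo and e-mail address",
    "read_posts": "read everything you have posted",
    "publish_posts": "post on your wall as if it were you",
}

# Scopes that let the app act as the user rather than merely read about them.
WRITE_SCOPES = {"publish_posts"}

# Constructed lifetime choices (in seconds) the user picks instead of "forever".
LIFETIME_OPTIONS = {
    "1 hour": 60 * 60,
    "1 day": 24 * 60 * 60,
    "30 days": 30 * 24 * 60 * 60,
}


@dataclass(frozen=True)
class Grant:
    app: str
    scopes: tuple
    expires_at: int  # Unix seconds after which every scope is denied


def render_consent(app: str, requested_scopes: list) -> str:
    """Build the text of the consent screen for one app.

    An unknown scope raises instead of being shown as a bare identifier, so the
    screen can never ask the user to accept something it cannot explain."""
    unknown = [s for s in requested_scopes if s not in SCOPE_DESCRIPTIONS]
    if unknown:
        raise ValueError(f"cannot describe scopes {unknown}; consent screen not shown")
    lines = [f"{app} would like to:"]
    for scope in requested_scopes:
        lines.append(f"  - {SCOPE_DESCRIPTIONS[scope]}")
    # Call out write access separately: this is what fills a wall with ads.
    if WRITE_SCOPES & set(requested_scopes):
        lines.append("Note: this app can write on your behalf without asking you each time.")
    return "\n".join(lines)


def accept(app: str, requested_scopes: list, lifetime: str, now: int) -> Grant:
    """The user pressed accept and chose one of LIFETIME_OPTIONS."""
    return Grant(app=app, scopes=tuple(requested_scopes),
                 expires_at=now + LIFETIME_OPTIONS[lifetime])


def is_allowed(grant: Grant, scope: str, now: int) -> bool:
    """Resource-server check: the scope must be in the grant and the grant unexpired."""
    return now < grant.expires_at and scope in grant.scopes


if __name__ == "__main__":
    print(render_consent("QuizApp", ["read_profile", "publish_posts"]))
    grant = accept("QuizApp", ["read_profile"], "1 day", now=1_700_000_000)
    print("readable a day later:", is_allowed(grant, "read_profile", now=1_700_000_000 + 90_000))
```

The design point is that the screen and the grant share one vocabulary: whatever the user read is exactly what the app can do, and for exactly as long as the user chose. A real authorization server would additionally tie the grant to a refresh token and let the user revoke it from a page like the Apps list described above.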
