
Why Facebook's API starts with a for loop - AntonyGarand
https://dev.to/antogarand/why-facebooks-api-starts-with-a-for-loop-1eob
======
cynik_
When I interviewed at Facebook as a new grad 7 years ago, I used my "Ask your
interviewers a question" time to ask precisely this, because I'd been trying to
play around with the client-side JavaScript and the constant infinite for loop
always stood out to me.

~~~
hluska
Cool story! How did it end up?

~~~
cynik_
Been working there since :). I got a better/full answer after joining from one
of the security engineers giving one of the starting training talks.

~~~
hluska
Congratulations! That's a heck of a good story - thanks for sharing.

------
Filligree
This, and this sort of thing in general, are why I'm not very enthusiastic
about security on the web.

Facebook and Google can avoid security holes like these, sure. Perhaps you
will too -- that is, you'll avoid this particular one. What about the fifty
other, subtly interdependent sources of security problems?

------
foreigner
Google's version is half the size of Facebook's! I love that some engineer
went to the trouble of saving four bytes.

------
fenwick67
Yet another reason third-party cookies shouldn't exist.

------
commandlinefan
Of course, another approach to securing data might be to stop using things for
purposes they weren't designed to be used for in the first place... I'm afraid
I don't see that happening any time soon, though.

~~~
AntonyGarand
While the attack is using things for a different purpose, using JSON to
provide data to a website is totally legit.

I don't see how people could have prevented this without the knowledge of such
an attack.

------
wesleytodd
I think this is outdated. I tried in Chrome, FF and Safari, and even when I
follow what the original linked article does it still does not work.

------
CodesInChaos
Just use explicit authentication for API endpoints. Explicit authentication
prevents this attack, CSRF and other confused deputy problems.
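
The two defences this thread keeps coming back to, the `for(;;);` prefix from the article's title (AntonyGarand's point that JSON data endpoints are legitimate, they just need framing) and the explicit API authentication CodesInChaos recommends, as a small Node.js sketch added here by the editor. It is not code from the dev.to article, from Facebook, or from any commenter; the token value, the profile record and the cookie value are constructed for the example.

```javascript
// Added example, not code from the article or from any commenter: a minimal
// Node.js sketch of the two defences discussed in this thread.
//
//  1. Every JSON body is prefixed with `for(;;);`. A legitimate first-party
//     caller strips the prefix before JSON.parse; a page that tries to load
//     the endpoint as a <script> instead gets an infinite loop and never sees
//     the data.
//  2. The endpoint authenticates from an explicit Authorization header, not
//     from the cookie the browser attaches on its own, so a request that only
//     carries ambient cookie credentials is refused before any data is built.
//
// The token, the profile record and the cookie value are constructed for this
// example and are not real credentials.

const JSON_PREFIX = "for(;;);";
const API_TOKEN = "example-token-0000"; // constructed; a real service issues this per session
const PROFILE = { user: "alice", id: 42 }; // constructed sample data

// Frame a payload the way the article describes: prefix, then ordinary JSON.
function frameJson(payload) {
  return JSON_PREFIX + JSON.stringify(payload);
}

// Server side. `req.headers` uses lower-case names, as Node's http module
// delivers them. The cookie header is deliberately ignored for authentication.
function handleApiRequest(req) {
  const auth = (req.headers && req.headers.authorization) || "";
  if (auth !== `Bearer ${API_TOKEN}`) {
    return {
      status: 401,
      headers: { "content-type": "application/json" },
      body: frameJson({ error: "authentication required" }),
    };
  }
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: frameJson(PROFILE),
  };
}

// Client side. Refuse anything that does not carry the expected framing, then
// parse with JSON.parse. Never eval the body: the prefix only protects data
// that is parsed, not data that is executed.
function parseFramedJson(body) {
  if (typeof body !== "string" || !body.startsWith(JSON_PREFIX)) {
    throw new Error("response is not framed JSON");
  }
  return JSON.parse(body.slice(JSON_PREFIX.length));
}

// Optional: serve handleApiRequest over HTTP for a manual check, e.g.
//   curl -H 'Authorization: Bearer example-token-0000' http://localhost:8080/
// (any path is accepted; the sketch has a single endpoint).
function startServer(port) {
  const http = require("node:http");
  const server = http.createServer((req, res) => {
    const out = handleApiRequest(req);
    res.writeHead(out.status, out.headers);
    res.end(out.body);
  });
  server.listen(port);
  return server;
}
```

Two things worth noticing when running it: the framed body is not valid JSON on its own, so any consumer that does not know about the prefix (including `JSON.parse` called directly on the body) fails rather than silently succeeding, and a request carrying only a cookie gets a 401 before any profile data is serialised. The prefix constant is the only thing that changes between the Facebook and Google variants foreigner mentions above.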

------
pleasecalllater
Amazing site, it tells me that I'm offline :)

~~~
ndarilek
What's the deal with this? The Atlantic, Wired, and dev.to all tell me I'm
offline on first load. I have to use ctrl-shift-R to get any page content, and
I've never been offline when this happens.

I mean, I'm assuming there are service worker shenanigans at play here, but
given that it's always wrong about my online status, this seems like a fairly
big bug on someone's part. Just wish I knew where to file or check its status.

