
the moods app forgot to verify_sig on that request. i'm betting there are a lot of facebook apps like that.



I don't see why there would be a lot. Client libs usually take care of that. I don't know what these guys are doing here.


The client libs handle everything for you if you use fbml, since every request is proxied by facebook and has its own signature. If you use an iframe, like the Moods app and many other popular apps, requests go directly to your server, so you have to explicitly include and validate a signature for each request.

It's still not terribly difficult, but most facebook app devs are trying to churn out apps and features so fast that there's no time for this kind of detail.
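
An added example, not part of the thread: a per-request signature check of the kind the comment above says iframe apps must perform themselves. It assumes the legacy Facebook Platform scheme (parameters prefixed `fb_sig_`, MD5 over the sorted `key=value` pairs followed by the app secret, result sent as `fb_sig`); the secret, parameter values and function names are constructed for illustration.

```python
import hashlib
import hmac

SIG_PREFIX = "fb_sig_"  # assumed legacy prefix for signed parameters


def signed_params(params):
    """Return only the parameters covered by the signature, prefix stripped."""
    return {k[len(SIG_PREFIX):]: v for k, v in params.items()
            if k.startswith(SIG_PREFIX)}


def expected_sig(params, app_secret):
    """MD5 over sorted 'key=value' pairs, followed by the app secret."""
    signed = signed_params(params)
    base = "".join(f"{k}={signed[k]}" for k in sorted(signed))
    return hashlib.md5((base + app_secret).encode("utf-8")).hexdigest()


def verify_request(params, app_secret):
    """Return the signed parameters if fb_sig is valid, otherwise None."""
    supplied = params.get("fb_sig")
    if not supplied:
        return None  # unsigned request: never trust its user id
    want = expected_sig(params, app_secret).encode("ascii")
    got = supplied.lower().encode("utf-8")
    if not hmac.compare_digest(want, got):
        return None
    # Hand back only what was signed; "mood" below is attacker-controlled.
    return signed_params(params)


# Constructed sample data (not real credentials or a captured request).
APP_SECRET = "constructed-secret"
GOOD = {"fb_sig_api_key": "constructed-key", "fb_sig_time": "1200000000",
        "fb_sig_user": "1001", "mood": "happy"}
GOOD["fb_sig"] = expected_sig(GOOD, APP_SECRET)  # what the platform would send

TAMPERED = dict(GOOD, fb_sig_user="2002")        # user id changed, sig reused
UNSIGNED = {"fb_sig_user": "2002", "mood": "sad"}

if __name__ == "__main__":
    for name, req in (("good", GOOD), ("tampered", TAMPERED),
                      ("unsigned", UNSIGNED)):
        print(name, verify_request(req, APP_SECRET))
```

The handler should take the acting user from the returned dictionary only, never from the raw request parameters.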



