Resource Access Control in the Facebook Model

Conference paper
Cryptology and Network Security (CANS 2013)

Part of the book series: Lecture Notes in Computer Science (LNSC, volume 8257)

Abstract

We study the fundamental security properties of resource access control as suggested by the operation of current social networks including Facebook. The “facebook model”, which treats the server as a trusted party, suggests two fundamental properties, “owner privacy” and “server consistency”, and two different modes of revocation, implicit and explicit. Through black-box experimentation, we determine Facebook’s implementation for resource access control and we analyze its security properties within our formal model. We demonstrate, by the construction of explicit attacks, that the current implementation is not secure: specifically, we attack privacy with implicit revocation and server consistency. We evaluate the implications of the attacks and we propose amendments that can align the current implementation with all its intended security properties. To the best of our knowledge this is the first time that a security analysis of the Facebook resource access control mechanism is performed within a proper security model.




© 2013 Springer International Publishing Switzerland

Cite this paper

Chronopoulos, K., Gouseti, M., Kiayias, A. (2013). Resource Access Control in the Facebook Model. In: Abdalla, M., Nita-Rotaru, C., Dahab, R. (eds) Cryptology and Network Security. CANS 2013. Lecture Notes in Computer Science, vol 8257. Springer, Cham. https://doi.org/10.1007/978-3-319-02937-5_10

  • DOI: https://doi.org/10.1007/978-3-319-02937-5_10

  • Publisher Name: Springer, Cham

  • Print ISBN: 978-3-319-02936-8

  • Online ISBN: 978-3-319-02937-5
