App_id spoofing and abuse


Problem description:


Sorry if this is too basic a question for this forum, but it's been playing on my mind for a while, so I tried it out. I used the IMDB app_id and a spoof URL, image, etc., and it came back with an error message saying that I wasn't allowed to do that. Good. Tried the same thing with my App ID and it sailed straight through without a hitch! The spoof wall posting appeared as if it came from my app! It could have been absolutely anything! Porn, a phishing attack, you name it!


So my question is: what have I missed? How come only IMDB is allowed to use their App ID, but any Tom, Dick or Harry can use mine?!


There are two things you can do to secure your apps against this, if you're worried.


  1. Turn on the Stream post URL security setting in your Dev App settings (under Advanced > Migrations). This will prevent stream posts from your App ID from linking to anything other than your app's connect or canvas URLs.


  2. Edit the Server Whitelist (under Advanced > Security settings) to only include your app's server IP address. This will mean that only API requests coming from those specified IPs will be accepted.
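To make the two controls in the answer concrete, here is an added example (not code from this thread or from the platform itself) that models them server-side: a request carrying an App ID is accepted only if it comes from a whitelisted server IP and its link points at the app's own connect or canvas host. The App ID, hostnames and IP addresses are constructed placeholders.

```python
"""Added example: server-side model of 'Stream post URL security' plus the
'Server Whitelist', showing why an App ID alone does not prove who sent a request."""
import ipaddress
from urllib.parse import urlparse

# Constructed stand-in for the Dev App settings page (placeholder App ID and hosts).
APP_SETTINGS = {
    "123456789": {
        "stream_post_url_security": True,   # the Advanced > Migrations setting
        "allowed_link_hosts": {"apps.example.com", "canvas.example.com"},  # connect/canvas
        "server_whitelist": ["203.0.113.10", "198.51.100.0/24"],  # app servers (TEST-NET ranges)
    },
}


def link_allowed(app, link):
    """With URL security on, a stream post may only link to the app's connect/canvas hosts."""
    if not app["stream_post_url_security"]:
        return True  # setting off: any link is accepted, which is the behaviour the question reports
    # urlparse().hostname strips userinfo, so "https://canvas.example.com@evil.example/" is
    # compared on evil.example, not on the lookalike prefix.
    host = urlparse(link).hostname
    return host is not None and host.lower() in app["allowed_link_hosts"]


def source_allowed(app, source_ip):
    """API calls are accepted only from whitelisted IPs; an empty whitelist means no restriction."""
    if not app["server_whitelist"]:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in app["server_whitelist"])


def accept_stream_post(app_id, source_ip, link):
    """Return (accepted, reason) for a stream-post request that presents app_id."""
    app = APP_SETTINGS.get(app_id)
    if app is None:
        return False, "unknown app_id"
    if not source_allowed(app, source_ip):
        return False, "source IP not in server whitelist"
    if not link_allowed(app, link):
        return False, "link host is not a connect/canvas URL"
    return True, "ok"


if __name__ == "__main__":
    # A forged post from a third party's machine is refused even though the App ID is valid.
    print(accept_stream_post("123456789", "192.0.2.7", "https://phishing.example.net/login"))
```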