使用Facebook Connect和HTTP请求打破应用程序[关闭]
I have a voting app built on PHP that takes Facebook logins (uses PHP SDK). You need to connect with your Facebook account to vote. We decided to use Facebook logins to prevent vote frauds.
After logging in with the Facebook account, this is what happens:
- The login page has the hidden variables- userId, accessToken, name, email, gender, location, hometown, and link to the user profile - all of which are returned from the Facebook login.
- The user chooses an option in the poll and then the app records his choice along with his identification details (listed in the first point).
Now, here lies the problem. I can simulate an HTTP request with fake identification details and the app still thinks it's a legitimate request and so, records the vote. So, someone can set up a script to generate random identification details, send them over HTTP requests ultimately leading to a lot of fraud votes.
Maybe, after the poll closes, we can test with the profile URLs to see whether the profiles exist or not but again, two issues here:
- The intruder may use a list of valid user profile urls to create the fraud votes. If he does, we have no idea to find whether the vote was fraud or not.
- Isn't it a better idea to prevent fraud votes than sort out later?
So, is there a way to allow only legitimate logins through the app? Something like a test before recording the vote.
I guess, a CAPTCHA can help but that will interfere with a quick vote experience we want our users to have.
Thank You!
我有一个基于PHP的投票应用程序,可以通过Facebook登录(使用PHP SDK)。 您需要连接您的Facebook帐户才能投票。 我们决定使用Facebook登录来防止投票欺诈。 p>
使用Facebook帐户登录后,会发生以下情况: p>
- 登录页面包含隐藏变量userId, accessToken,名称,电子邮件,性别,位置,家乡以及用户个人资料的链接 - 所有这些都是从Facebook登录返回的。 li>
- 用户在民意调查中选择一个选项,然后选择应用 记录他的选择以及他的识别细节(在第一点中列出)。 li>
ul>
现在,问题在于此。 我可以使用虚假标识详细信息模拟HTTP请求,并且应用程序仍然认为这是合法请求,因此记录投票。 因此,有人可以设置脚本来生成随机识别详细信息,通过HTTP请求发送它们最终导致大量欺诈投票。 p>
也许,在民意调查结束后,我们可以测试 用于查看配置文件是否存在的配置文件URL,这里有两个问题: p>
- 入侵者可以使用有效用户配置文件网址列表来创建欺诈投票 。 如果他这样做,我们根本不知道投票是否是欺诈。 li>
- 防止欺诈投票不是一个更好的主意,而不是以后解决? li>
那么,有没有办法只允许通过应用程序进行合法登录? 在记录投票之前就像测试一样。 p>
我想,CAPTCHA可以提供帮助,但这会影响我们希望用户拥有的快速投票体验。 p>
谢谢! p> div>
Putting that stuff in the form, and doing nothing else is not the way to do this.
How this should work:
- User authenticates with FB.
- You use
$uid = $facebook->getUser();to get the userid for the user who has just logged in. If it is 0, the login failed. - Store the uid in the user's session.
- Let them vote.
- When the vote comes in, pull the uid out of the session. Ensure it is non-zero, ensure they have not voted before (if that is a restriction) and add their vote.
EDIT
Since I am not fully aware of the various methods available by the FB API, I would defer to @Igy on this (see his comment about retrieving an access token to verify the account). Though, I don't know what ability the user would have to be able to fake an account id returned by the API.