I'd like to be able to authenticate myself (my profile, not just my app) on my own web application using the Facebook C# SDK. Using the Graph API, I can get an access token, but that token does not seem to work properly with the Facebook C# SDK, as it seems to be stateless.
I'm storing long-lived access tokens for users of my application that have associated their Facebook accounts to it. Since the demise of the offline_access tokens, these long-lived tokens have an expiry date of "about 60 days." However, they can refresh themselves when the user interacts with Facebook. According to the documentation:
These tokens will be refreshed once per day when the person using your app makes a request to Facebook's servers. If no requests are made, the token will expire after about 60 days and the person will have to go through the login flow again to get a new token.
What I'd like to know is what constitutes making a request to Facebook's servers. Does the user have to log in to the Facebook website, mobile app, or use a Like button somewhere? Or does my application making a request on behalf of the user count as well?
Every time you use the Facebook SDK to make any Graph API call, tokens will be refreshed. You can see this in their source code: in AccessTokenManager there is a function extendAccessTokenIfNeeded(), and that function is called inside GraphRequest in the function executeConnectionAndWait().
The section you pulled out refers only to iOS and Android apps using the Facebook SDK. The SDK makes an API call to extend the token, which will only work from the SDK and for tokens produced by the native mobile SDKs.
California recently amended its Automatic Purchase Renewals law. The amended statute, effective July 1st, requires marketers to provide consumers of automatic renewal or continuous service offers with more information and easier ways to terminate. Because California's rules touch most marketers and auto-renew programs draw a lot of scrutiny from state and federal regulators, we want to provide you with a top-line on the changes. Here's what you need to know.
What are automatic renewal programs?
Think subscriptions, like that bag of pet food you have delivered every month, the Spanish language teaching app, or that publication you have delivered to your in-box every day. Auto-renew programs allow companies to provide goods and services to a consumer on an ongoing basis unless and until she cancels her plan. They are a form of "negative option" program. Prior to cancellation, the marketer considers the consumer to have consented to the new goods and services, as well as the charges for them. Although such plans can be very convenient for consumers, they can also be problematic if consumers thought they were signing up for a single order rather than a program where their credit cards will be charged on an ongoing basis.
Regulation
At the federal level, the Restoring Online Shoppers' Confidence Act ("ROSCA") governs automatic renewal programs. ROSCA was enacted in 2010 to address the problem of consumers unwittingly signing up for ongoing subscriptions resulting in multiple charges on their credit cards. (Prior to ROSCA, deceptive negative option programs were subject to FTC enforcement under the agency's general Section 5 authority and, for certain programs, under the agency's Negative Option Rule.) ROSCA sets forth certain baseline requirements, including that marketers obtain unambiguous consent for the "negative option" feature of their sales. Specifically, ROSCA requires marketers to:
The FTC regularly brings enforcement actions against companies for failing to make appropriate ROSCA disclosures and failing to obtain consumers' affirmative consent. These cases make clear that hidden disclosures with pre-checked boxes do not constitute "affirmative consent." The cases also require marketers to make consumers aware of all the material terms of the plan, and ensure that consumers take some type of affirmative action before marketers may automatically charge their cards on a continuing basis.
California's new rules
Several states also regulate auto renewal programs, most notably California - where an active plaintiff class action bar has brought many costly suits against marketers of auto-renew programs.
Like ROSCA, California's Automatic Purchase Renewals law was also enacted in 2010. Also like ROSCA, the statute requires marketers offering automatically renewing plans to make clear and conspicuous disclosures about those plans and to obtain consumers' affirmative consent to ongoing charges. Unlike ROSCA, however, the California statute includes some very specific requirements for marketers offering such plans. And, beginning July 1, due to amendments enacted last fall, the statute's requirements will become even more stringent. In addition to requiring clear and conspicuous disclosures and affirmative consent, the law requires marketers to:
If you have any questions about the new California rules, ROSCA, or other advertising compliance matters, please contact Terri Seligman at (212) 826 5580 or tsel...@fkks.com, or any other member of the Advertising, Marketing & Public Relations Group at Frankfurt Kurnit.
On October 3, 2022, the Securities and Exchange Commission (SEC) announced that it entered into a $1.26 million settlement with Kim Kardashian over her social media promotion of the EMAX token without disclosing payment she received from token issuer, EthereumMax. The matter provides important lessons for advertisers. Read more.
The Federal Trade Commission ("FTC") and the State of Maine have announced a $2 million dollar settlement with ad agency Marketing Architects, Inc. ("MAI") for deceptive weight-loss claims. Read more.
Crawling: We leverage python-sitemap, a Python library that generates a sitemap for a given seed URL. We modified the source code of this library to output a file called urls.txt that contains all public URLs of the given website. This file is later used by the CSP Generator as its input: the CSP Generator visits each URL listed in urls.txt to collect script sources. Our crawler can also take cookies as input and crawl pages behind a login.
CSP Generation: The goal of the CSP Generator is to collect the script resource URLs loaded by a clean target URL and use them to devise the allowlist. The CSP Generator takes urls.txt as input and visits every URL with a headless Chrome instance. We use the seleniumwire Python library as a man-in-the-middle proxy to capture the requests and responses made while visiting the URLs. The request interceptor of the CSP Generator adds the cookies to each request and records the requests made for same-party or third-party JavaScript resources.
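The allowlist step described above, as an added example that is not code from the EASYCSPEASY project: given the script request URLs an interceptor captured while visiting a target page, reduce them to distinct origins, separate same-party from third-party origins, and assemble a script-src directive that also leaves a slot for a per-response nonce. The sample URLs, the target site name, the two-label approximation of the registrable domain, and the extra object-src and base-uri directives are all assumptions made for this example.

```python
from urllib.parse import urlsplit

# Constructed sample of script URLs captured by a request interceptor while
# visiting pages of the target site (made up for this example).
SAMPLE_SCRIPT_REQUESTS = [
    "https://www.example-shop.test/assets/app.js",
    "https://www.example-shop.test/assets/vendor.js?v=3",
    "https://static.example-shop.test/js/tracker.js",
    "https://cdn.jsdelivr.net/npm/jquery@3.6.0/dist/jquery.min.js",
    "https://cdn.jsdelivr.net/npm/lodash/lodash.min.js",
    "https://www.example-shop.test/assets/app.js",    # duplicate hit
    "http://insecure.example-shop.test/legacy.js",    # plain http, same party
]


def origin_of(url: str) -> str:
    """Reduce a URL to scheme://host[:port].

    CSP host-source expressions match on scheme and host, so listing full
    paths would only bloat the policy without tightening it."""
    parts = urlsplit(url)
    return f"{parts.scheme}://{parts.netloc}"


def registrable_domain(host: str) -> str:
    """Last two labels of the host name.

    Simplification for the example: a production system would consult the
    public suffix list so that e.g. 'example.co.uk' is handled correctly."""
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def build_allowlist(script_urls, target_url):
    """Group the distinct script origins into same-party and third-party sets.

    The page's own origin is skipped because 'self' already covers it."""
    target_origin = origin_of(target_url)
    target_domain = registrable_domain(urlsplit(target_url).hostname or "")
    same_party, third_party = set(), set()
    for url in script_urls:
        origin = origin_of(url)
        if origin == target_origin:
            continue
        host = urlsplit(url).hostname or ""
        bucket = same_party if registrable_domain(host) == target_domain else third_party
        bucket.add(origin)
    return {"same_party": same_party, "third_party": third_party}


def build_csp(allowlist, nonce_placeholder="{NONCE}") -> str:
    """Assemble the policy string.

    The nonce slot is filled per response by the server-side code; the
    origin lists are sorted so the generated policy is deterministic and
    easy to diff between crawler runs."""
    sources = ["'self'", f"'nonce-{nonce_placeholder}'"]
    sources += sorted(allowlist["same_party"]) + sorted(allowlist["third_party"])
    return "; ".join([
        "script-src " + " ".join(sources),
        "object-src 'none'",   # assumed hardening directives, not from the page
        "base-uri 'self'",
    ])


if __name__ == "__main__":
    allow = build_allowlist(SAMPLE_SCRIPT_REQUESTS, "https://www.example-shop.test/")
    print(build_csp(allow))
```

The same-party bucket is worth keeping separate from the third-party one even though both end up in the directive: a new entry in the third-party set between two crawler runs is the kind of change a reviewer should look at before the policy is deployed, and the `http://` origin in the sample shows that the crawler's output will faithfully allowlist an insecure loader if the site has one.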
Rewriting: The rewriting phase has two main goals: modify the source code of the web application to add nonces to its script tags, so that the CSP recognizes them as benign and allows them to execute, and set the proper CSP header for the web page.
A web application can be based on different backend languages, such as PHP or Ruby. It can also be built on a content management system (CMS) such as WordPress or Drupal. According to W3C [9], 36% of websites do not use any CMS, and 65% of websites that use one use WordPress, which is based on PHP, so we decided to build our system for PHP. Our Python-based program goes over all PHP files in the source code and replaces each script tag with the same tag extended with the nonce attribute.
One way to set a CSP header is to use PHP's header() function. The proper location for this call depends on the CMS in use. For example, by default WordPress has a file called header.php where we can add the desired CSP configuration. The location of this header.php file is always the same by default and should not be altered. Hence, to set the CSP pair, we locate this file and add our generated CSP pair using two header() calls.
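The rewriting step described above, as an added example that is not the project's own code: a Python rewriter that walks the text of a PHP template, adds a nonce attribute to every opening script tag that does not already carry one (so running it twice is harmless), and emits the PHP that mints a fresh nonce and sends the matching header. The template fragment, the `$csp_nonce` variable name, and the policy string are assumptions made for this example; only one header() call is shown.

```python
import re

# Constructed fragment of a PHP template (not from any real CMS).
SAMPLE_PHP = """<?php get_header(); ?>
<script src="/assets/app.js"></script>
<script type="text/javascript">
  init();
</script>
<script nonce="<?php echo $csp_nonce; ?>" src="/already.js"></script>
<p>Not a <b>script</b> tag.</p>
"""

# Assumed variable name; the nonce must be generated per response, so the
# rewriter inserts a PHP expression rather than a fixed value.
NONCE_EXPR = "<?php echo $csp_nonce; ?>"

# Opening <script ...> tag. The alternation lets '<?php ... ?>' blocks sit
# inside the attribute list without their '>' ending the match early.
SCRIPT_OPEN_TAG = re.compile(r"<script\b((?:<\?.*?\?>|[^>])*)>", re.IGNORECASE | re.DOTALL)
HAS_NONCE = re.compile(r"\bnonce\s*=", re.IGNORECASE)


def add_nonce_attribute(source: str, nonce_expr: str = NONCE_EXPR) -> str:
    """Return the template with a nonce attribute on every script tag.

    Tags that already carry a nonce are left untouched, which keeps the
    rewrite idempotent when it is re-run over an already processed tree."""
    def repl(match: re.Match) -> str:
        attrs = match.group(1)
        if HAS_NONCE.search(attrs):
            return match.group(0)
        return f'<script nonce="{nonce_expr}"{attrs}>'
    return SCRIPT_OPEN_TAG.sub(repl, source)


def build_header_php(policy: str, nonce_placeholder: str = "{NONCE}") -> str:
    """Emit the PHP that generates the nonce and sends the CSP header.

    The policy string carries a placeholder where the nonce belongs; it is
    replaced with PHP string concatenation so the value is filled at request
    time. header() must run before any output is sent, so this block belongs
    at the top of the template that the CMS includes first."""
    php_policy = policy.replace(nonce_placeholder, '" . $csp_nonce . "')
    return (
        "<?php\n"
        "$csp_nonce = base64_encode(random_bytes(16));\n"
        f'header("Content-Security-Policy: {php_policy}");\n'
        "?>\n"
    )


def rewrite_template(source: str, policy: str) -> str:
    """Prepend the header-setting PHP and nonce every script tag."""
    return build_header_php(policy) + add_nonce_attribute(source)


if __name__ == "__main__":
    POLICY = "script-src 'self' 'nonce-{NONCE}' https://cdn.jsdelivr.net; object-src 'none'"
    print(rewrite_template(SAMPLE_PHP, POLICY))
```

A regex-based pass is what the page describes and is adequate for templates that emit literal `<script>` tags; script tags assembled from string fragments inside PHP code (for example, `echo '<scr' . 'ipt>'`) would not be matched and would be blocked by the policy at runtime, which is exactly the kind of breakage the page's functionality testing is meant to surface.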
Evaluation of Effectiveness. The source code of popular real-world websites is not publicly available. Testing our approach on these websites is nevertheless important, since it would indicate that EASYCSPEASY can protect them from XSS without breaking their functionality. To address this, we developed a proxy testing system and tested it on popular websites taken from the Tranco [4] ranking. Given a URL, our proxy system outputs HTML similar to what our EASYCSPEASY system would produce. The difference between them is that the proxy system modifies the server's response on the fly when a web page is requested by the client, whereas EASYCSPEASY runs on the server side once per web application. We implemented the proxy system in Python using the mitmproxy library to intercept requests and responses, and used the BeautifulSoup package to parse the server responses. The proxy system follows the same process as EASYCSPEASY. We assume the given URL is clean (does not contain attacker-injected code); since EASYCSPEASY runs on the server side, its URLs are guaranteed to be clean. We visit each input URL and collect its script resources, then modify the server response to add nonces to the scripts and add the curated CSP to the HTML response. We tested 10 pages each for 10 popular websites, including twitter.com, facebook.com and reddit.com. By manual analysis, we observed that 9 out of 10 websites were still fully functional when modified with our proxy system, indicating that EASYCSPEASY could be deployed on those websites.
We are now in the process of implementing a version of EASYCSPEASY that automatically re-writes the source code of popular content management system applications like WordPress and Drupal to set up our CSP policies.
Funding plans. As discussed in the original proposal, now that we have a working prototype of our anti-XSS solution we plan to write a grant proposal to get additional funding and continue working in this space. More precisely, we plan to send a whitepaper to our contacts at ONR, ARL, and AFOSR to gauge their interest in the project. We also plan to write an NSF proposal and submit it to the Secure and Trustworthy Cyberspace (SaTC) program in Spring 2022.