Facebook session cookie should be reset when server password is changed [answered]

asked 2014-12-01 00:06:17 +0200


updated 2014-12-01 00:06:57 +0200

If I change my Facebook password through its main website with e.g. a laptop browser, Jolla's Settings > Accounts screen tells me 'Not signed in'.

However, this change has not propagated to Jolla's web browser, which is still able to browse Facebook using old credentials or perhaps a session cookie or similar. Clearing cookies and web cache and reloading Facebook with the browser does the correct thing and loads a login page.

Perhaps if Jolla detects that the password to an account has changed on the server, it removes session cookies / tokens / whatever (i.e. all ways Jolla could access the service using stale credentials) and locks out the clients which are accessing the services, and notifies the user to update the credentials stored in Jolla. This is a major security bug, because if your Jolla is being used by an untrustworthy third party to access your data, and you try to lock them out by changing passwords on the server, the said third party is not locked out!


The question has been closed for the following reason "the question is answered, an answer was accepted" by mdoube
close date 2014-12-01 22:32:15.417097

Comments

I believe this is an undocumented FB issue that affects many users using PC and mobile as well, not just Sailfish. The problem is that the token is still accessible even when it is expired.

mikojoko ( 2014-12-01 05:15:50 +0200 )

@mikojoko - Yup, you are right, OAuth2 tokens can live until they are revoked (server side) or expire (they have a time limit, after which a new one should be requested); nothing can be done here.

VDVsx ( 2014-12-01 18:31:51 +0200 )

@VDVsx nothing can be done on the Jolla device programming side perhaps; what about contacting the Facebook security team to inform them of this massive hole? I hope that direct contact from Jolla on behalf of users would carry a bit of weight.

mdoube ( 2014-12-01 20:36:12 +0200 )

@mdoube - Unless I misunderstood you, there's no security hole: the account's password does not have anything to do with the browser. My above explanation is just about the accounts; browser auth will work like any other browser auth and will expire after a while. You can close the sessions on the server side as well if you want. This is known to Facebook, no need to tell them, that's why there's such an option :)

VDVsx ( 2014-12-01 21:14:02 +0200 )

@VDVsx OK, thanks for the explanation, I will take a closer look at Facebook's pages and close this report.

mdoube ( 2014-12-01 22:31:04 +0200 )
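As an added example (not code from Jolla, Sailfish or Facebook, and not anything the thread participants posted), the small Python session server below contrasts the two designs discussed in this thread. With `bind_sessions_to_password=False` it reproduces the behaviour the question reports and VDVsx describes: a session or token issued before a password change keeps working until it expires or is revoked server side. With `bind_sessions_to_password=True` it implements what the question asks for: every session records the account's password generation at issue time and is rejected as soon as the password changes, without waiting for expiry. The `revoke` call stands in for the server-side "close sessions" option mentioned in the comments. The account name, passwords, TTL and clock values are constructed for the example; `run_scenario` replays the question's situation (a session held on an untrusted device, then a password change) against both configurations.

```python
"""Session invalidation on password change: weak vs. hardened (added example)."""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass


@dataclass
class Account:
    password_hash: bytes
    salt: bytes
    pw_generation: int = 0   # incremented on every password change


@dataclass
class Session:
    username: str
    pw_generation: int       # account generation when the session was issued
    issued_at: float
    ttl: float               # seconds; expiry is the only limit in the weak design


class AuthServer:
    """Hypothetical server-side session store (not Facebook's or Jolla's code).

    bind_sessions_to_password=False: sessions live until they expire or are
    revoked, regardless of password changes (the behaviour the question saw).
    bind_sessions_to_password=True: a password change invalidates every
    session issued under the old password.
    """

    def __init__(self, bind_sessions_to_password=True, clock=time.time):
        self.bind = bind_sessions_to_password
        self.clock = clock          # injectable so expiry can be tested offline
        self.accounts = {}          # username -> Account
        self.sessions = {}          # opaque token -> Session

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def _check(self, username, password):
        acct = self.accounts.get(username)
        if acct is None:
            return None
        if hmac.compare_digest(acct.password_hash, self._hash(password, acct.salt)):
            return acct
        return None

    def register(self, username, password):
        salt = os.urandom(16)
        self.accounts[username] = Account(self._hash(password, salt), salt)

    def login(self, username, password, ttl=3600):
        """Return a new session token, or None on bad credentials."""
        acct = self._check(username, password)
        if acct is None:
            return None
        token = secrets.token_urlsafe(32)
        self.sessions[token] = Session(username, acct.pw_generation, self.clock(), ttl)
        return token

    def validate(self, token):
        """Return the username for a live session, or None."""
        sess = self.sessions.get(token)
        if sess is None:
            return None
        if self.clock() - sess.issued_at > sess.ttl:
            return None                                  # expired
        if self.bind and sess.pw_generation != self.accounts[sess.username].pw_generation:
            return None                                  # issued under an old password
        return sess.username

    def change_password(self, username, old, new):
        acct = self._check(username, old)
        if acct is None:
            return False
        acct.salt = os.urandom(16)
        acct.password_hash = self._hash(new, acct.salt)
        acct.pw_generation += 1                          # stale sessions now mismatch
        return True

    def revoke(self, token):
        """Explicit server-side logout of one session."""
        self.sessions.pop(token, None)


def run_scenario(bind_sessions_to_password):
    """Replay the question's situation; return which checks still succeed."""
    t = [1_000.0]                                        # constructed clock
    srv = AuthServer(bind_sessions_to_password, clock=lambda: t[0])
    srv.register("alice", "correct horse")               # constructed account
    stolen = srv.login("alice", "correct horse", ttl=3600)   # session on the untrusted device
    result = {"before_change": srv.validate(stolen) == "alice"}
    assert srv.change_password("alice", "correct horse", "battery staple")
    result["after_change"] = srv.validate(stolen) == "alice"
    srv.revoke(stolen)                                   # the "close sessions" option
    result["after_revoke"] = srv.validate(stolen) == "alice"
    fresh = srv.login("alice", "battery staple", ttl=3600)
    t[0] += 3601                                         # advance past the TTL
    result["after_expiry"] = srv.validate(fresh) == "alice"
    return result


if __name__ == "__main__":
    print("weak    :", run_scenario(False))
    print("hardened:", run_scenario(True))
```

In the weak configuration `after_change` stays true, which is exactly the window the question worries about; in the hardened one it is false immediately, and expiry and revocation still apply on top. Binding to a generation counter rather than to the password hash itself means the server never has to compare hashes on every request.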