Thank You Page Sends Automatic Request to Facebook

VERIFIED FIXED

Status

critical
8 years ago
7 years ago

People

(Reporter: mcoates, Unassigned)

Details

(Whiteboard: [infrasec:other][ws:critical], URL)

Issue

Loading the thank you page, which is used to generate the user's PDF membership card, automatically sends a GET request to Facebook. This is performed before any action is taken by the user. This could be used by Facebook to track users that view the Mozilla thank you page. The actual HTTP request is captured below.

Recommended Remediation
1. Modify the page to eliminate the initial request to Facebook unless the user specifically clicks on the Facebook link
2. Review to determine if this is in compliance with our privacy policy



HTTP Request

GET /extern/login_status.php?api_key=198340516862242&app_id=198340516862242&display=hidden&extern=2&locale=en_US&method=auth.status&next=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df28e4d9f64f3bbe%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dopener%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6%26result%3D%2522xxRESULTTOKENxx%2522&no_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df320c372d25b9a4%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6&no_user=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df38d61ff868045c%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6&ok_session=http%3A%2F%2Fstatic.ak.fbcdn.net%2Fconnect%2Fxd_proxy.php%3Fversion%3D0%23cb%3Df232a82e8990298%26origin%3Dhttp%253A%252F%252Fwww-stage.mozilla.org%252Ff2fb2bcc09269c%26relation%3Dparent%26transport%3Dpostmessage%26frame%3Dffdd3a40256ab6&sdk=joey&session_version=3 HTTP/1.1
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.6; en-US; rv:1.9.2.13) Gecko/20101203 Firefox/3.6.13
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 115
Proxy-Connection: keep-alive
Referer: http://www-stage.mozilla.org/join/thankyou.en.html
Cookie: wd=1177x490

Copying in Alex and Julie to get privacy and legal input.

Comment 2

8 years ago
This is definitely something we should look into asap.  Off the top of my head, I don't think it complies with our privacy policy.

I think we should call BSD asap and ask them to remove this feature.

I am adding Ryan and Jane as they have ongoing contacts with BSD, and I'm adding Harvey.

BSD had nothing to do with the implementation of this feature. It was created by Crowd Favorite and doesn't touch the BSD landing page. It is generated by code on a Mozilla-hosted page.

Comment 4

8 years ago
Can you remove it?

I'm going to copy in Crowd Favorite and see if they can develop an alternative way to update to Facebook. If they can't, then yes, but I'd like to see if they can come up with an alternative first.

Comment 6

8 years ago
I don't think the intention was to have this happen automatically without the user's consent. If consent is given, could we make it comply with our privacy policy?

As we understand it, the GET request is the JavaScript API checking on the user's logged-in state so that it can serve the right interface once the Facebook action is fired (the link "Facebook" to run FB.ui).

As far as we know, this is expected behavior for all Facebook JS-based plugins.

After re-reviewing the FB.init (called on page load), we can set "status" to false and "cookie" to false to avoid any fetching:

http://developers.facebook.com/docs/reference/javascript/fb.init/

We've tested and confirmed this does not perform the login_status.php request in a development environment:

http://cfdev21.com/thankyou.php
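
A regression check for the behaviour tested above, as an added example that is not part of the original bug thread: it reads a HAR capture of the page load and reports every third-party request sent before the user's first click. The sample capture, its timestamps, the `/constructed/share-dialog` path and all function names are constructed for illustration; only the `login_status.php` request mirrors the one in the report.

```javascript
// Added example (not from the bug thread): list third-party requests a page
// issues before the user's first interaction, given a HAR capture.
function hostIsFirstParty(host, firstPartyDomains) {
  return firstPartyDomains.some((d) => host === d || host.endsWith("." + d));
}

function requestsBeforeInteraction(har, firstPartyDomains, firstInteractionIso) {
  const cutoff = Date.parse(firstInteractionIso);
  const findings = [];
  for (const entry of har.log.entries) {
    const url = new URL(entry.request.url);
    if (hostIsFirstParty(url.hostname, firstPartyDomains)) continue;
    if (Date.parse(entry.startedDateTime) >= cutoff) continue; // user-initiated
    const headers = new Map(
      entry.request.headers.map((h) => [h.name.toLowerCase(), h.value])
    );
    findings.push({
      host: url.hostname,
      path: url.pathname, // query string dropped to keep reports short
      referer: headers.get("referer") || null, // reveals which page was viewed
      sendsCookie: headers.has("cookie"), // lets the third party link the view to a browser
    });
  }
  return findings;
}

// Constructed sample capture; timestamps and the post-click path are made up.
const THANK_YOU = "http://www-stage.mozilla.org/join/thankyou.en.html";
const har = (entries) => ({ log: { entries } });
const req = (startedDateTime, url, headers = []) => ({
  startedDateTime,
  request: { method: "GET", url, headers },
});
const pageLoad = req("2011-03-01T10:00:00.000Z", THANK_YOU);
const autoCheck = req(
  "2011-03-01T10:00:00.400Z",
  "http://www.facebook.com/extern/login_status.php?method=auth.status&display=hidden",
  [{ name: "Referer", value: THANK_YOU }, { name: "Cookie", value: "wd=1177x490" }]
);
const afterClick = req(
  "2011-03-01T10:00:09.000Z",
  "http://www.facebook.com/constructed/share-dialog",
  [{ name: "Referer", value: THANK_YOU }]
);
const FIRST_CLICK = "2011-03-01T10:00:08.000Z";
const beforeFix = har([pageLoad, autoCheck, afterClick]);
const afterFix = har([pageLoad, afterClick]);

console.log(requestsBeforeInteraction(beforeFix, ["mozilla.org"], FIRST_CLICK));
console.log(requestsBeforeInteraction(afterFix, ["mozilla.org"], FIRST_CLICK));
```

The first call reports the automatic `login_status.php` request with its Referer and Cookie headers; the second, modelling the page after the change, reports nothing.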

(In reply to comment #8)
> After re-reviewing the FB.init (called on page load), we can set "status" to
> false and "cookie" to false to avoid any fetching:
> 
> http://developers.facebook.com/docs/reference/javascript/fb.init/
> 
> We've tested and confirmed this does not perform the login_status.php request
> in a development environment:
> 
> http://cfdev21.com/thankyou.php

I took a look at the dev URL and it looks good. No requests are made to Facebook unless the user explicitly clicks on the Facebook link.
The automatic request issue is fixed. But it looks like the Facebook URL may not be quite right. I'll hold off on closing this bug until we are fully happy with the change.

When clicking on the Facebook URL I get the following error within the Facebook page:


Invalid Argument

Given URL is not allowed by the Application configuration.

Thanks, Michael. The Facebook app API was still expecting the old dev server URL (cfdev21.com) for testing purposes.

Tested OK: https://img.skitch.com/20110303-d5icfg38knnrhxhbaxkk1pjha8.png

It's now been switched to point to www-stage.mozilla.org/join/ and is allowed to run on mozilla.org domains.

Of course, we will certainly want to double check this functionality before pushing live.

Looks good.

Status: NEW → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → FIXED
Status: RESOLVED → VERIFIED