Facebook plans to roll out encryption to prevent applications from sharing Facebook User IDs.
Facebook plans to use encryption to block Facebook applications from leaking user identification numbers.
The data exposure was reported earlier this week
and was due to the sharing of user IDs via the HTTP Referrer
Header. The culprits included some of the site's most
popular applications, including games such as FarmVille and Texas
In a blog post
Facebook engineer Mike Vernal announced that the company plans to
address the issue by encrypting the parameters it passes to
"The proposal builds on our recent support for a parameter called
signed request which is inspired by our discussions in the OAuth
community," he wrote. "We will start encrypting this parameter as well,
using the application's secret key, so that only the application will
be able to read this information. This will prevent the accidental disclosure of this information
via HTTP headers."
"Our plan is to enable parameter encryption as an option over the
next few weeks and to then work with the community to add support for
this option to the various Facebook SDKs," he continued. "Once the
design is finalized, we will work with our developers to ensure a
speedy transition to encrypted parameters."
Facebook has made technical details of the proposal available here
The fallout from the revelations has already led to a lawsuit against Facebook
developer Zynga - the creator of some of the site's most popular games,
including FarmVille and Mafia Wars - as well as an inquiry from two Congressmen seeking
answers from Facebook CEO Mark Zuckerberg.
While he said the problem had been exaggerated, Vernal noted that
user ID numbers can be used to identify Facebook users and "link
actions at other Web sites to a Facebook identity."
"When a Facebook user requests a Web page with images or other
resources, the user's browser may send HTTP header information that
includes the URL of the Web page," he wrote. "For a particular type of
Facebook Platform application, an iframe-based canvas application that
includes a third-party iframe or resource, the HTTP Referrer header may
include the user's UID number once the user has authorized the
application...[The User ID number is] what allows Web pages to include
information about one's friends. Unfortunately, it can also compromise
user privacy, particularly if the user is not aware that his or her UID
is being shared."
While the encryption proposal will address the inadvertent sharing
of this information on Facebook, it will not fix the underlying issue
of data sharing via HTTP headers, which is a Web-wide problem, he added.
"We look forward to working with the Web standards community and
browser vendors over the coming months to help address this issue,"