UPDATE: After conversations with a friend, I made a few changes. Specifically, the fbuid is usable on your site, just don’t use it together with the JS library and don’t trust the browser.
User privacy is non-negotiable and developers should be as responsible as Facebook.
How to secure your FB Connect Implementation (so your users don’t get fb-yelp-gibbed):
OLD REST API
- DON’T use the JS library (violating this amplifies your users’ exposure; see EXCEPTION below)
- Push all FB connect requests through your backend
- DON’T STORE a userid or fbid in a cookie (only use fbuid client-side for externals; server should never trust browser-supplied fbuid)
- DO store your user’s fbid and/or userid, only, on your server
- Never give client-side (JS, scripts, etc.) access to userid or fbid
When appropriate, verify the FB user is who they say they are by using auth.* methods, linked below; if you’re not sure what these do or what they’re for, give yourself 2-4 weeks to understand the ins and outs. OR, See OAuth comments below (and transition to OAuth).
For iPhone/Android, learn how to proxy FB connect requests so you NEVER store your API “secret” on the phone.
The only communication between your users browser or device and your fb-app should be whether or not the user has been authenticated. Even then you should also utilize the rest/auth.* (server-side) methods to ensure the user actually authenticated.
NEW OAUTH API
Same as above. NEVER send API calls from JS in the browser! Read the authentication guide and understand every concept:
The other exception here is if you really know what you’re doing and you’ve been dealing with XSS and browser authentication for a decade. In that case, I’m sure all of your application’s assets are served statically (or through SSL), your JS is locked down with a fine-tooth comb, you don’t let any advertisers or user-content sneak in HTML or JS, and you don’t store your FB API secret on the client.
BUT WHAT ABOUT PRIVACY / PAI
A site with a significant user-base and an improper FB Connect implementation will, by proxy, give an attacker delegation to all of the private data that site has access to. Digg being hacked = digg FB users exploited, Yelp exploited = Yelp FB users screwed — you get the idea.
Please, don’t be that site. It’s easy to blame Facebook, but, all they’ve done is made public data public.