Facebook Email Regarding Upgrading to OAuth

Recently, Facebook began emailing a small subset of JFBConnect users, notifying them that their application may be in violation of Facebook policy by inadvertently leaking some user data. We have researched this situation thoroughly and believe these emails are in error, but we would like to obtain as much information from our users about their configuration as possible.

What is the possible data leak?

When a user authenticates through Facebook on your site, a unique security token for that user is handed from Facebook to your site. That token then allows JFBConnect to connect to Facebook to retrieve information about that user without any further authentication.

In some of the authentication methods that Facebook allows, the security token is passed in the URL query string. If the page on your site that receives this special URL also loads content from a separate domain (through an img tag, iframe, or JavaScript inclusion), the token can be 'seen' by that 3rd party if they look at the Referer header sent with the request for their content. The Referer header is simply a way for a 3rd party to know which page requests for its content are coming from, and is a standard internet mechanism; when the requesting page's URL contains the token, the token travels along with it.

Once sent to a 3rd party, even inadvertently, that outside source would have access to the user's information just as if they were your application.
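To make the two conditions above concrete, here is an added audit script (not code from the JFBConnect extension or from SourceCoast) that checks a login landing page for this exact Referer leak: a sensitive parameter in the landing URL's query string combined with an img, iframe or script loaded from another host. It also shows the usual mitigation, which is to store the token server-side and immediately redirect to the same page with the sensitive parameters stripped, so that any third-party resource loaded afterwards receives a Referer without the token. The parameter names in SENSITIVE_PARAMS, the hostnames and the sample HTML are all constructed for the example.

```python
"""Audit a login landing page for the Referer-based token leak.

Added example, not part of the original post. The check combines the two
facts the post describes:
  1. the OAuth token arrives in the query string of the landing URL, and
  2. that page embeds resources (img, iframe, script) from other hosts,
     which receive the landing URL, token included, as the Referer.
"""
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlencode, urlparse, urlunparse

# Query parameters that must never reach a third party via Referer.
# "access_token" and "code" are the usual OAuth names; the full list is an assumption.
SENSITIVE_PARAMS = {"access_token", "code", "signed_request", "oauth_token"}


class _ResourceCollector(HTMLParser):
    """Collects the src attribute of every img, iframe and script tag."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("img", "iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.resources.append(src)


def third_party_resources(landing_url, html):
    """Return embedded resource URLs whose host differs from the landing page's host."""
    site_host = urlparse(landing_url).netloc.lower()
    parser = _ResourceCollector()
    parser.feed(html)
    external = []
    for src in parser.resources:
        # Relative URLs have an empty netloc and stay first-party;
        # scheme-relative "//host/path" URLs still yield a netloc.
        host = urlparse(src).netloc.lower()
        if host and host != site_host:
            external.append(src)
    return external


def sensitive_params_in_url(url):
    """Return the sensitive query parameter names present in the URL, sorted."""
    query = parse_qs(urlparse(url).query)
    return sorted(name for name in query if name in SENSITIVE_PARAMS)


def referer_leak_risk(landing_url, html):
    """Both conditions must hold for a leak: a token in the URL and a cross-host embed."""
    params = sensitive_params_in_url(landing_url)
    external = third_party_resources(landing_url, html)
    return {"leaks": bool(params and external), "params": params, "third_party": external}


def clean_redirect_target(landing_url):
    """Mitigation: after the token has been stored server-side, redirect (e.g. HTTP 303)
    to the same URL minus the sensitive parameters before rendering any markup."""
    parts = urlparse(landing_url)
    kept = [
        (name, value)
        for name, values in parse_qs(parts.query, keep_blank_values=True).items()
        for value in values
        if name not in SENSITIVE_PARAMS
    ]
    return urlunparse(parts._replace(query=urlencode(kept)))


# Constructed sample input: a landing URL carrying an OAuth code, and a page
# that embeds one first-party image plus two third-party resources.
SAMPLE_LANDING_URL = "https://www.example-site.test/index.php?view=login&code=CONSTRUCTED_TOKEN"
SAMPLE_HTML = """<html><body>
<img src="/images/logo.png">
<script src="https://cdn.example-analytics.test/track.js"></script>
<iframe src="//widgets.example-social.test/box"></iframe>
</body></html>"""

if __name__ == "__main__":
    report = referer_leak_risk(SAMPLE_LANDING_URL, SAMPLE_HTML)
    print("leak possible:", report["leaks"])
    print("sensitive params:", report["params"])
    print("third-party embeds:", report["third_party"])
    print("redirect to:", clean_redirect_target(SAMPLE_LANDING_URL))
```

Run against your own landing page by feeding it the URL Facebook redirects to and the HTML that page serves; a result of `leaks: True` means the page both carries a token in its URL and loads cross-host content, which is precisely the combination the email describes. The redirect mitigation only works if the handler performs it before emitting any HTML, since the first embedded resource to load is enough to send the Referer.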

Is JFBConnect affected by this?

As far as we can determine, JFBConnect is in no way leaking user data by passing the token to 3rd parties. Using the tool Fiddler2, which allows us to inspect the full login/authentication process, we've put together the following four-minute video. In this demonstration, you can see the actual data leak in action (not using JFBConnect), and then how JFBConnect handles the login process in the correct way:

That's nice, but I still received an email!

Currently, we're unsure why a small number of our users have received this email (under 1% from the reports we've received). While we continue to test, if you could please take the quick survey linked below to let us know a little about your configuration, we'd appreciate it. Due to JFBConnect's many different login capabilities and its integration with 3rd party Joomla extensions, it's difficult to test every combination thoroughly. Through this questionnaire we'll be able to see whether any common settings are triggering the email from Facebook. All survey answers will remain confidential:

If you've received an email from Facebook, please take the questionnaire.

Additionally, if your email states that you should contact them once you've resolved the issue, please do so. Let them know that you think you are not affected.

Alex Andreae

Alex co-founded SourceCoast Web Development in 2008. Based in sunny Florida, SourceCoast develops extensions for integrating your Joomla powered website with popular social networks. He has spoken at more than a dozen Joomla User Groups and Joomla Days, including the Joomla World Conference in both 2012 and 2013. Topics have included social networking for Joomla, running a business around Joomla extensions, and Joomla development.
