Understanding Facebook Connect Login Permissions WORKING DRAFT

Cognitive disconnect: Understanding Facebook Connect login permissions (WORKING DRAFT)

Nicky Robinson and Joseph Bonneau
Princeton University

ABSTRACT

We study Facebook Connect's(1) permissions system using crawling, experimentation, and surveys and determine that it works differently than both users and developers expect in several ways. We show that more permissions can be granted than the developer intended. In particular, permissions that allow a site to post to the user's profile are granted on an all-or-nothing basis. We evaluate how the requested permissions are presented to the user and find that, while users generally understand what data sites can read from their profile, they generally do not understand the many different things the sites can post. In the case of write permissions, we show that user expectations are influenced by the identity of the requesting site, which in reality has no impact on what is enforced. We also find that users generally do not understand the way Facebook Connect permissions interact with Facebook's privacy settings. Our results suggest that users understand detailed, granular messages better than those that are broad and vague.

(1) Facebook Connect is now technically called Facebook Login but is still frequently referred to as Facebook Connect.

Categories and Subject Descriptors
D.4.6 [Security and Protection]: Access Controls

General Terms
Security, Human Factors

Keywords
Online social networks, permissions, privacy, Facebook

1. INTRODUCTION

Single Sign-On (SSO) systems allow users to log in to websites (called relying sites or relying parties) using their username and password from a third-party identity provider. This creates fewer passwords for users to remember, theoretically meaning that they can have more complicated and therefore more secure passwords [23]. Facebook Connect is perhaps the most popular SSO system on the web today. A key reason is that Facebook Connect, like many SSO systems based on the OAuth protocol, does more than just allow a user to sign in: sites can request access to read parts of the user's Facebook profile or write data back to their profile. This has been sufficient in practice to overcome the lack of adoption incentives for relying parties which has plagued many other SSO systems on the web [25].

A second important selling point is that Facebook Connect requires user approval and requires relying sites to request a specific set of permissions from the user up front before reading or writing data from the user's profile. These are presented to the user in a series of dialogs (shown in Figure 1) which the user must accept prior to logging into a relying site for the first time. In the words of Facebook, "The user will have total control of the permissions granted" [20].

Effective user control relies both on Facebook granting only the permissions intended by developers and on users correctly understanding the permission requests they authorize. We will explore both questions in this paper and show that:

• Facebook Connect sometimes asks the user to authorize more permissions than the developer intended to request.

• Write permissions are granted to sites on an all-or-nothing basis. For example, if a site wants to update the user's status, it must also gain permission to upload photos.

• Users generally understand which read permissions are being requested when they log in, although many don't realize they are granting access to data they have marked as private using their privacy settings.

• Users generally do not understand the variety of write permissions sites will receive upon authorization. This indicates that, despite Facebook's claims that all-or-nothing write permissions are "simpler" for users to understand, users understand the more granular read permissions much better.

• Users are influenced by the identity of the relying party; for example, they are much more likely to understand that a photo sharing website can upload photos to their account. This suggests users are assuming a contextual integrity model of privacy [21], although this is not implemented technically.

Figure 1: Examples of messages presented to the user. From left: read permissions message from Yahoo.com, write permissions message from Pinterest.com, and extended permissions message from AddThis.com.

2. IMPLEMENTATION OF FACEBOOK CONNECT PERMISSIONS

The first step in determining whether the permissions system provides users with effective control is understanding which permissions are actually being granted when a given authorization message is displayed. Facebook Connect's process of a site requesting permissions from a user can be broken down into three steps:

1. During the login flow, relying parties request a set of permissions from the Facebook Connect API. We'll call this set the requested permissions.

2. Facebook receives the requested permissions and translates them into a set of permissions for approval, which we'll call the granted permissions.

3. Facebook translates the granted permissions into a dialog presented to the user for approval. We'll call this text the displayed permissions.

Ideally, these three sets of permissions would be identical and the text shown to the user would clearly represent them. In this section we'll explore the difference between the requested and granted permissions; we'll discuss the relation of the displayed to the granted permissions in Section 3.

2.1 Methodology

Unfortunately, Facebook's own documentation [10] is incomplete and sometimes outdated. As such, there is very little explanation of how requested permissions are eventually translated into permissions displayed to the user. To gain a better understanding, we combined information from the documentation with observations from integrating Facebook Connect login with a test site and crawled data from several hundred relying sites.

2.1.1 Obtaining a list of relying sites

To obtain a list of relying sites implementing Facebook Connect, we started with the most recent (October 2013) AppInspect [19] database of 25,000 Facebook apps. We filtered this list down to about 400 apps with an external site listed on the Facebook App Center. Finally, we manually examined these to find 91 which had a Facebook Connect login.

Unfortunately, the AppInspect database does not include apps that are used solely for Facebook Connect, only those that have native Facebook apps. To make up for this deficiency, we took the Alexa Top 500 [2] websites from February 27th, 2014 and manually identified those with Facebook Connect logins (112 sites). Combining these two lists yielded a diverse list of 203 sites, about half of which receive heavy traffic (those from the Alexa Top 500) and about half of which do not (those from the AppInspect database).

For crawling we used OpenWPM, a Selenium-based web crawler being developed by the Princeton Center for Information Technology Policy (CITP). We performed automated logins to all 203 sites and recorded the requested, granted, and displayed permissions. Twenty-six of the 203 sites used an older implementation of Facebook Connect; this paper will focus on the 177 with the current format.

2.2 Requested permissions

Developers request permissions in a parameter called "scope" or "data-scope" when the login process is initiated using Facebook's JavaScript SDK, Facebook's login button, or a manually built login system [14]. The developer can request any of the permissions listed in the documentation [13], although some are deprecated and will have no impact on the granted permissions. The scope parameter is visible in the URL of the page where the user is asked to approve permissions (see Figure 2). We confirmed using our test site that this value is indeed exactly what the developer requested.

Figure 2: Example requested permissions (in the scope parameter, shown in red in the original) in the approval page URL for timecrunch.me:

https://www.facebook.com/dialog/oauth?app_id=138615416238413&domain=www.timecrunch.me&response_type=token%2Csigned_request&scope=email%2Ccreate_event%2Coffline_access%2Cuser_groups%2Cfriends_groups%2Cpublish_stream...

2.3 Granted permissions

Facebook receives the requested permissions and translates them into a set of granted permissions, which may exclude requested permissions that are deprecated or in some cases add additional permissions. Two permissions are always added regardless of what is requested, which Facebook calls "Basic Info/Default permissions" [14]. These are public_profile, which gives access to the user's public profile, and user_friends, which gives access to the user's friends list. The documentation does not mention any other permissions that may be granted outside of what the developer requested.

The approval page presented to the user has three hidden input HTML elements named read, write, and extended whose values are the granted permissions (see Figure 3).

[...] (such as liking an article) requires the publish_actions permission. However, if the create_note permission is requested, publish_actions will also appear as a granted permission and this will allow stories to be published. Through experimentation with our test site, we determined exactly which permissions are always grouped together, listed in Table 1. If any one permission in a group is requested, all permissions in the group are granted.

Table 1: Groups of permissions which are always granted together if any one of them is requested. Each line is one group.

  Read permissions
    user_activities, user_about_me
    friends_activities, friends_about_me
    email, contact_email
    read_stream, export_stream
  Write permissions
    create_note, upload photos, upload videos, publish_actions, publish_checkins, publish_stream, share_item, status_update
  Extended permissions
    rsvp_event, create_event

We noted that permissions which are always granted together are displayed to the user with a single
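As an added illustration of the requested-to-granted translation described in Sections 2.2 and 2.3, the following Python models the behaviour the paper reports. It is example code written for this page, not the authors' crawler and not Facebook's implementation: it pulls the scope parameter out of a dialog URL of the form shown in Figure 2, adds the two default permissions, expands every Table 1 group that a requested permission touches, and reports which permissions the user will be asked to approve although the developer never requested them. Three things here are assumptions rather than facts from the paper: the sample URL is constructed; the set of deprecated permissions is supplied by the caller, because the paper does not enumerate them; and Table 1's "upload photos"/"upload videos" entries are spelled photo_upload and video_upload, the identifiers Facebook's documentation of that period used for those permissions.

```python
from urllib.parse import urlparse, parse_qs

# "Basic Info/Default permissions": added to every grant regardless of the
# requested scope (paper, Section 2.3).
DEFAULT_PERMISSIONS = frozenset({"public_profile", "user_friends"})

# Groups from the paper's Table 1. Requesting any member causes the whole
# group to be granted. Category labels follow the table's headings, which
# match the read/write/extended hidden inputs on the approval page.
# Assumption: the table's "upload photos"/"upload videos" are the
# photo_upload / video_upload identifiers; the paper prints them as prose.
PERMISSION_GROUPS = [
    ("read", frozenset({"user_activities", "user_about_me"})),
    ("read", frozenset({"friends_activities", "friends_about_me"})),
    ("read", frozenset({"email", "contact_email"})),
    ("read", frozenset({"read_stream", "export_stream"})),
    ("write", frozenset({"create_note", "photo_upload", "video_upload",
                         "publish_actions", "publish_checkins",
                         "publish_stream", "share_item", "status_update"})),
    ("extended", frozenset({"rsvp_event", "create_event"})),
]


def requested_permissions(dialog_url):
    """Return the developer's requested scope, parsed from the OAuth dialog URL.

    The scope is a comma-separated list (URL-encoded as %2C) in the query
    string of https://www.facebook.com/dialog/oauth, as in the paper's Figure 2.
    """
    query = parse_qs(urlparse(dialog_url).query)
    scope = query.get("scope", [""])[0]
    return frozenset(p.strip() for p in scope.split(",") if p.strip())


def granted_permissions(requested, deprecated=frozenset()):
    """Model the translation from requested to granted permissions.

    Deprecated permissions are dropped (the paper says they have no effect;
    which ones count as deprecated is an input here, not taken from the
    paper), the default pair is always added, and any Table 1 group that
    contains a requested permission is granted whole.
    """
    granted = set(DEFAULT_PERMISSIONS)
    for perm in requested:
        if perm in deprecated:
            continue
        for _category, group in PERMISSION_GROUPS:
            if perm in group:
                granted |= group
                break
        else:
            granted.add(perm)  # ungrouped permission: granted as requested
    return frozenset(granted)


def unrequested_grants(requested, deprecated=frozenset()):
    """Permissions the user must approve that the developer did not ask for."""
    return granted_permissions(requested, deprecated) - requested


def categorize(granted):
    """Split a granted set the way the approval page's hidden inputs do.

    Permissions outside every Table 1 group (including the two defaults)
    are reported under "other", since the paper does not say which hidden
    input carries them.
    """
    buckets = {"read": set(), "write": set(), "extended": set(), "other": set()}
    for perm in granted:
        for category, group in PERMISSION_GROUPS:
            if perm in group:
                buckets[category].add(perm)
                break
        else:
            buckets["other"].add(perm)
    return {k: frozenset(v) for k, v in buckets.items()}


# Constructed sample (not a real app): a dialog URL whose developer asked
# only to read the user's email address and to post status updates.
SAMPLE_DIALOG_URL = (
    "https://www.facebook.com/dialog/oauth?app_id=000000000000000"
    "&domain=www.example.com&response_type=token%2Csigned_request"
    "&scope=email%2Cstatus_update"
)

if __name__ == "__main__":
    requested = requested_permissions(SAMPLE_DIALOG_URL)
    granted = granted_permissions(requested)
    print("requested:", sorted(requested))
    print("granted:  ", sorted(granted))
    print("never requested but granted:", sorted(unrequested_grants(requested)))
    for category, perms in categorize(granted).items():
        print(f"  {category:8s} {sorted(perms)}")
```

Run as a script, the sample turns a two-permission request (email, status_update) into a twelve-permission grant: the two defaults, contact_email via the email group, and the whole eight-member write group, which is the all-or-nothing behaviour the paper describes. Pass the Figure 2 scope with offline_access in the deprecated set to see a deprecated permission silently dropped while the remaining ones still pull in their groups.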