What are the security risks in exposing facebook user access token in javascript?


Question

Suppose that my application has an access token to some facebook user. Is there a security risk in exposing this access token in JS code to some other users who visit my site? If so, what can they do with it?

Answer

You risk

  1. Confused deputy -- your code is granting privileges to code that might abuse those privileges either intentionally or by acting on behalf of yet more code that is malicious.
  2. Theft via code injection (XSS) -- the credentials could be stolen by code injected into your page via an XSS vulnerability and then used to act on the user's behalf, possibly generating logs which indict you as the culprit.
  3. Theft via eavesdropping -- if there is non-HTTPS content going across the connection between the browser and your server, then an eavesdropper with the ability to read packets could steal the credentials.
  4. Theft by malware -- if there is malware running on the user's computer, then sending those credentials to the browser exposes them to that malware. The malware would probably have to read memory owned by the browser process or cache files written by the browser.

