Hacker Newsnew | past | comments | ask | show | jobs | submitlogin

It's exactly what happened with the Cambridge Analytica scandal fwiw.

Users logged in to a quiz with an oauth token that asked explicitly for a huge set of the users Facebook permissions which then led to scraping and spam.

Oauth isn't very safe. Users don't read the grant prompt and mistake it for a login dialog rather than for an authorization to act as you dialog.

Facebook basically took oauth away after Cambridge Analytica. Note that the 'login with' authentication flow is different to this authorization flow they removed.

Oauth may have practical uses for users on GitHub but a warning dialog of the permissions granted absolutely is not enough. I think Cambridge Analytica can be treated as precedent here but ianal.



> that asked explicitly for a huge set of the users Facebook permissions which then led to scraping and spam.

I seem to remember early 2010s... I had written a few small FB apps, and ... the minimal permissions it would ask for from people were... large. IIRC, the minimal permissions always included access to friend lists, even when I had 0 intention of using that. I didn't want it, but there was no way to opt out. I suspect it's somewhat more granular now, and less intrusive out of the box, but... yeah, when your defaults/minimums are expansive, you'll get stuff like that. I think the CA stuff still happened while those defaults were in place (although they may have also asked for more permissions too).


Facebook API is today very granular and a lot stricter, in fact their system is borderline onerous for developers. They've obviously learned from the Cambridge Analytica situation, and I understand the need for the requirements, but unfortunately it also stops all smaller projects.




Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: