14 DAY TRIAL // After brainstorming for the last few days, Facebook engineers have come up with an encryption-based solution that would prevent third-party applications from inadvertently leaking user IDs (UIDs) via the HTTP Referrer headers.
UIDs are unique identifiers used on the Facebook platform to provide a personalized experience for users. For iframe-based applications, these user IDs are included in the iframe URLs.
However, when those apps load third-party resources, like advertisements for example, they pass the UID via the referrer URL in the HTTP request header.
The referrer field has existed in the HTTP specification since its very beginning and is one of the core elements of the Web.
It allows webmasters to tell where their visitors come from, identify broken links and compile other types of useful statistics.
Leaking sensitive information through referrer headers is a Web-wide problem, but Facebook's design allows advertisers to associate, at the very least, people's names and pictures with ad clicks.
This can be a serious privacy violation if, for example, a user happens to click on an ad for drugs treating a medical condition he's ashamed of.
Facebook's new plan to address this involves encrypting UIDs in iframe URLs with the secret keys of the loaded applications.
This ensures that apps will continue to have access to UIDs, which is vital for their functionality, but ensures that third-parties won't be able to use them if they are leaked via referrer URLs.
Of course, this only resolves unintentional exposures, because a rogue developer can always pass them along after decryption via other means if they want to.
However, this would be a violation of Facebook's terms of service and would entitle the company to permanently ban the offending applications and/or their creators.
"Our plan is to enable parameter encryption as an option over the next few weeks and to then work with the community to add support for this option to the various Facebook SDKs," said Mike Vernal, on Facebook's Developer Blog.
"Once the design is finalized, we will work with our developers to ensure a speedy transition to encrypted parameters," the Facebook engineer added.