How NOT to build a Facebook application
This evening I took a look at a Facebook application built for Big Yellow Self Storage called Big Yellow Competitions.
I was taking a look at how it was built and what systems they had employed when I saw an odd div with an id of "theAdminEnter". This div was hidden, and when I changed its visibility a link appeared.
I was expecting this to link to another site where the competition can be managed, but the developers kindly decided to build it into the application and to protect it through obscurity, a very stupid thing to do.
To my surprise clicking the link took me through to the screen below.
The admin screen seems to allow you to modify the entire thing, including the competition answers. To the left of this are two links: one downloads a list containing the details of everyone who has entered the competition, and another, entitled Clear Database, which I didn't test!
I didn't try updating the application, so it is possible that it is protected, but the download isn't: it contains the name, email address, Facebook id and age of 2500 people. It doesn't contain their answer, so I presume it only saves correct entries.
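As an added illustration (not code from the application or its developers), here is the pattern the post describes, a CSS-hidden admin link with no server-side check, beside a hardened form where every admin route is authorized on the server regardless of whether the link is rendered. The route names, the "admin" role and the entrant records are constructed for the example.

```python
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Optional

# Constructed sample data standing in for the competition's entrant list.
ENTRANTS = [
    {"name": "A. Example", "email": "a@example.invalid", "facebook_id": "1001", "age": 31},
    {"name": "B. Example", "email": "b@example.invalid", "facebook_id": "1002", "age": 27},
]

@dataclass
class Request:
    path: str
    user_role: Optional[str] = None  # None means an anonymous visitor

@dataclass
class Response:
    status: int
    body: object = None

# --- Pattern from the post: the admin entry point is hidden with CSS only.
def render_page_insecure(req: Request) -> str:
    # The link is invisible, but the route behind it still exists server-side.
    return '<div id="theAdminEnter" style="display:none"><a href="/admin/export">Admin</a></div>'

def handle_insecure(req: Request) -> Response:
    if req.path == "/admin/export":
        return Response(200, ENTRANTS)  # no authorization check at all
    return Response(404)

# --- Hardened form: the server checks the caller's role on every admin route.
def require_role(role: str):
    def decorator(handler: Callable[[Request], Response]):
        @wraps(handler)
        def guarded(req: Request) -> Response:
            if req.user_role != role:
                return Response(403)  # refused before any data is touched
            return handler(req)
        return guarded
    return decorator

@require_role("admin")
def export_entrants(req: Request) -> Response:
    return Response(200, ENTRANTS)

ADMIN_ROUTES: Dict[str, Callable[[Request], Response]] = {"/admin/export": export_entrants}

def render_page_secure(req: Request) -> str:
    # Not rendering the link is cosmetic; the guard above is what actually protects the route.
    return '<a href="/admin/export">Admin</a>' if req.user_role == "admin" else ""

def handle_secure(req: Request) -> Response:
    handler = ADMIN_ROUTES.get(req.path)
    return handler(req) if handler else Response(404)
```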
The application has other flaws, although not as bad as this one. For example, the share on Twitter link requests your Twitter username and password rather than using OAuth; these are then sent as clear text to an insecure page. I didn't test to see if it actually worked, although I don't suppose it does.
I contacted the developing company before posting this, giving them a chance to fix their problem, so it should be a bit safer now.