Using the ASID Security Check Scripts

The ASID security check scripts are a precautionary measure in response to the security attack of September 2018, in which access tokens were stolen. They are intended for apps that implement Login with Facebook without using the Facebook SDKs. To understand the context and the importance of this precautionary measure for you and the users of your app, please first read the Facebook Login Update of October 2, 2018.

The ASID security check scripts are a package of command-line scripts for checking whether any of your Facebook-enabled app's users (identified by their app-scoped IDs, or ASIDs) are among those compromised in the recent session token theft. In this package, you should find:

  • A test data file named TEST.asid_check_file
  • A test data file named TEST.my_asids
  • Scripts in Python, Ruby, Java, JavaScript (Node), PHP, PowerShell, and C#

Installing the Scripts

Download a zip file containing the ASID security check scripts by clicking the following button.

Download ASID Security Check Scripts

Unzip the files and put them in the same directory. All of the command line invocations assume that all files are in the same directory, that they are readable by the current user, and (where applicable) that the script file is executable by the current user. The JavaScript implementation also assumes Node is installed.

Testing and Running the Scripts

The scripts take three inputs:

  • Your app's app secret (available in app settings at developers.facebook.com). Treat it as a credential: passing it on the command line records it in your shell history and exposes it to anyone who can list processes on the machine, so run the scripts from a private workstation and clear the history afterwards.
  • The local path to a file that you downloaded from your app page, which contains hashes of ASIDs for users of your app who may be affected.
  • The local path to a file that you create, which is a newline-delimited list of ASIDs you wish to check.

Given those inputs, the scripts output a list of impacted ASIDs whose sessions you should invalidate.

You may test the scripts with the test data provided in the examples below. When you do, all scripts should give the following three lines of output.

90500276471969
90970265033214
90500276473585

You can test and run the scripts with the following language-specific examples.

Python

Testing:

./asidcheck.py bf59c7e03e77fd8ca375a0782ac7c898 TEST.asid_check_file TEST.my_asids

Checking live ASIDs:

./asidcheck.py <YOUR APP SECRET> <FB-PROVIDED ASID HASH FILE> <YOUR ASID LIST>

Ruby

Testing:

./asidcheck.rb bf59c7e03e77fd8ca375a0782ac7c898 TEST.asid_check_file TEST.my_asids

Checking live ASIDs:

./asidcheck.rb <YOUR APP SECRET> <FB-PROVIDED ASID HASH FILE> <YOUR ASID LIST>

Java

AsidCheck.java uses the java.xml.bind package. On JDK 9 and 10 that module is no longer resolved by default for classpath applications, so use the following commands in place of the plain javac and java invocations shown below:

javac --add-modules java.xml.bind AsidCheck.java
java --add-modules java.xml.bind AsidCheck <arguments>

JDK 11 and later removed the java.xml.bind module entirely; on those versions you need a standalone JAXB implementation on the classpath, or you should use JDK 8 or one of the other language implementations.

Testing:

javac AsidCheck.java
java AsidCheck bf59c7e03e77fd8ca375a0782ac7c898 TEST.asid_check_file TEST.my_asids

Checking live ASIDs:

javac AsidCheck.java
java AsidCheck <YOUR APP SECRET> <FB-PROVIDED ASID HASH FILE> <YOUR ASID LIST>

JavaScript

Testing:

./asidcheck.js bf59c7e03e77fd8ca375a0782ac7c898 TEST.asid_check_file TEST.my_asids

Checking live ASIDs:

./asidcheck.js <YOUR APP SECRET> <FB-PROVIDED ASID HASH FILE> <YOUR ASID LIST>

PHP

Testing:

php asidcheck.php bf59c7e03e77fd8ca375a0782ac7c898 TEST.asid_check_file TEST.my_asids

Checking live ASIDs:

php asidcheck.php <YOUR APP SECRET> <FB-PROVIDED ASID HASH FILE> <YOUR ASID LIST>

PowerShell

If your execution policy blocks unsigned local scripts, invoke the script as powershell -ExecutionPolicy Bypass -File ./asidcheck.ps1 with the same arguments shown below.

Testing:

./asidcheck.ps1 bf59c7e03e77fd8ca375a0782ac7c898 TEST.asid_check_file TEST.my_asids

Checking live ASIDs:

./asidcheck.ps1 <YOUR APP SECRET> <FB-PROVIDED ASID HASH FILE> <YOUR ASID LIST>

C#

Testing:

csc AsidCheck.cs
AsidCheck.exe bf59c7e03e77fd8ca375a0782ac7c898 TEST.asid_check_file TEST.my_asids

Checking live ASIDs:

csc AsidCheck.cs
AsidCheck.exe <YOUR APP SECRET> <FB-PROVIDED ASID HASH FILE> <YOUR ASID LIST>

Results

The scripts output a list of impacted ASIDs whose sessions you should invalidate; the scripts only report matches, they do not invalidate anything themselves. Do not be surprised to find that only a small number of ASIDs are affected. It is also possible that you have no affected users. If you run the scripts and get no output, check the following:

  • Run the scripts against the test data as described above and confirm that you see the three expected lines; if you do not, the problem is with your installation, not your data.
  • Double check that you are using the correct app secret for the app you want to check. A wrong secret produces no matches rather than an error.
  • Double check that the app-scoped IDs (ASIDs) you are using are associated with the same app ID as the app secret you're using; ASIDs are scoped per app, so IDs from another app will never match.

If everything checks out and you get no matches, none of the users you checked were affected.
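The matching that the scripts perform, as an added worked example in Python (this is not the downloadable asidcheck.py and not Facebook's code). It assumes that the Facebook-provided check file holds one lowercase hex HMAC-SHA256 digest per affected ASID, keyed with the app secret; that file format is an assumption, since the page does not state it. The check file and ASID list below are constructed inline from that assumption and do not reproduce the TEST.* files. The example also shows why a wrong app secret yields no matches, which is the first thing the checklist above tells you to verify.

```python
import hashlib
import hmac
import sys
from typing import Iterable, List, Set

# ASSUMPTION (not stated on the page): each line of the provider's check file
# is the lowercase hex HMAC-SHA256 of one affected ASID, keyed with the app
# secret. A keyed hash lets the provider publish the file without revealing
# the ASIDs, and only the holder of the matching app secret can test for them.


def asid_hash(app_secret: str, asid: str) -> str:
    """Keyed hash of one ASID; the app secret is the HMAC key."""
    return hmac.new(app_secret.encode("ascii"),
                    asid.strip().encode("ascii"),
                    hashlib.sha256).hexdigest()


def load_hash_set(check_file_text: str) -> Set[str]:
    """Parse the check file: one hex digest per line, blank lines ignored."""
    return {line.strip().lower()
            for line in check_file_text.splitlines() if line.strip()}


def find_impacted(app_secret: str, check_file_text: str,
                  my_asids_text: str) -> List[str]:
    """Return the ASIDs from my_asids_text whose keyed hash is in the check file.

    Output order follows the input list; duplicate ASIDs are reported once.
    A wrong app secret produces different digests, so nothing matches.
    """
    hashes = load_hash_set(check_file_text)
    impacted: List[str] = []
    seen: Set[str] = set()
    for line in my_asids_text.splitlines():
        asid = line.strip()
        if not asid or asid in seen:
            continue
        seen.add(asid)
        if asid_hash(app_secret, asid) in hashes:
            impacted.append(asid)
    return impacted


# --- Constructed sample data (not the page's TEST.* files) -------------------
SAMPLE_APP_SECRET = "bf59c7e03e77fd8ca375a0782ac7c898"  # the page's test secret
SAMPLE_IMPACTED = ["90500276471969", "90500276473585"]  # chosen for this sample
# Newline-delimited list as an app owner would write it, with a duplicate and
# two ASIDs that are not affected.
SAMPLE_MY_ASIDS = (
    "90500276471969\n"
    "90970265033214\n"
    "90500276473585\n"
    "90500276471969\n"
    "10000000000001\n"
)


def build_check_file(app_secret: str, impacted: Iterable[str]) -> str:
    """Build a check file the way the provider would under the assumed scheme:
    one keyed digest per affected ASID, plus an unrelated digest so the file
    does not map one-to-one onto our own list."""
    lines = [asid_hash(app_secret, a) for a in impacted]
    lines.append(hashlib.sha256(b"unrelated entry").hexdigest())  # decoy
    return "\n".join(lines) + "\n"


SAMPLE_CHECK_FILE = build_check_file(SAMPLE_APP_SECRET, SAMPLE_IMPACTED)


def main(argv: List[str]) -> int:
    """Same three arguments as the page's scripts: secret, hash file, ASID list."""
    if len(argv) != 4:
        print(f"usage: {argv[0]} <APP SECRET> <ASID HASH FILE> <ASID LIST>",
              file=sys.stderr)
        return 2
    with open(argv[2], encoding="ascii") as f:
        check_file_text = f.read()
    with open(argv[3], encoding="ascii") as f:
        my_asids_text = f.read()
    for asid in find_impacted(argv[1], check_file_text, my_asids_text):
        print(asid)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with the same three arguments as the page's scripts. With the constructed sample, find_impacted reports the two affected ASIDs once each, ignores the duplicate and the two unaffected IDs, and returns nothing at all when the secret is wrong, which is why an empty result on live data should send you back to the checklist before concluding that no users were affected.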