lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: Mon, 19 Sep 2011 22:04:23 -0700 (PDT)
From: James Fife <theriverfife@...oo.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Another minor facebook security flaw

I noticed a recent flaw in Facebooks security resolution process recently. After being asked to confirm my identity simply because I was using a different computer, I apparently took too long to identify my friends in their photos. However, I was able to try two more times before being locked out. In which case Facebook provided the exact same photos with the same selection of people to name in order to confirm my identity. What this means is that I could conceivably attempt to logon to a victims Facebook account from an unauthorized device to get such a prompt, and then take my time to research the answers.Twenty minutes was the approximate time before my session expired, which gives roughly one hour to come up with the answers. This may not seem terribly difficult given the proclivity with which people tag their friends or publish photos on blogs. It would be even easier if the victim and attacker had a mutual friend in common on Facebook, as they
 would likely be able to see a lot more photos. In fact, perhaps even searching each name in Facebook could show the face, which would allow for the questions to be answered correctly.This isn’t a minor flaw in any sense of the word, however it does seem quite possibly that the process as it is now implemented could be abused in conjunction with other vulnerabilities to gain access to someone’s account. I hope that at the least this will foster some interesting discussion on why what I have described is a non issue, or result in a fix.
Taken from : http://allthatiswrong.wordpress.com/2011/09/19/another-minor-facebook-security-issue/

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ