lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Wed, 21 Sep 2011 04:37:08 -0500
From: adam <adam@...sy.net>
To: Dan Dart <dandart@...glemail.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Another minor facebook security flaw

TinEye never used to index Facebook, has that changed? Even if it has,
there's a half a dozen things wrong with that entire concept.

I've hit the /roadblock page quite a few times, and I've never been given
the same set of images. So unless it's easily reproducible (and wasn't just
a fluke for that account), I don't see the issue here. To even be able to
get to that page, you need the user's email address and password, no?
Secondly, I've only ever had to "verify my identity" after significant
changes in location. For example, a user who has only ever logged in from
Saint Louis, MO, one day randomly logging in from the UK would almost
definitely trigger it. Whereas logging in from the same city (and often ISP)
as the target, I've never been presented with it. Keeping that in mind,
wouldn't it make more sense to simply use a proxy as close to the target
[geographically] as possible?

Although, there's another flaw I noticed a while back with the image sets,
that may or may not still be present. In my tests, the majority of the
pictures being displayed were defaults - which I think is a way bigger issue
considering it'd take all of 5 minutes to write a script that scans the
users' friends and compares presented image with [user]'s image.

On Wed, Sep 21, 2011 at 3:51 AM, Dan Dart <dandart@...glemail.com> wrote:

> > there is a really neat image search engine. You point it at an
> > image (file->save image as?) and it will hunt down the URLs referencing
> similar images.
>
> You're probably thinking of TinEye (tineye.com) but Google Images does
> it now too.
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ