| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 19 Jun 2013 14:45:38 GMT From: jjshoe@...il.com To: bugtraq@...urityfocus.com Subject: Facebook critical design flaw On or around September 27, 2012 I disclosed to Facebook through https://www.facebook.com/whitehat/report/ a critical design flaw in how users share photos using a URI. Once a URI is known the only action the user can take to hide the contents of a photo album is to delete the album. This means if you ever have a breach, be it someone sitting in front of your computer, or getting your Facebook password, you must delete all your photo albums to keep the contents private. You can succumb to the fact that those photos are breached, and only place photos in new albums as well. Please note the following: 1) I don't care about the bounty, I would just like to see this fixed. 2) From initial disclosure to initial contact from Facebook took 13 days. Far longer than the same day fix for a previous issue I disclosed to Facebook. Recommended fix: 1) Provide the user a way to regenerate this URI with a link: "Expire this URI" 2) Provide (or force) it as an option when changing their password 3) When Facebook believes an account has been accessed by someone else (there's a dialog for this) provide (or force) an option to change this URI Emails from Facebook about this: --snip-- 10/09/12 Hi Joel, Ack - it appears the external response got dropped (we're investigating what happened there). Incredibly sorry about the delay. We're actively working on this now to confirm if this is intentional behavior. Thanks, Alex Security Facebook -------- --snip-- 10/10/12 Hey Joel, As you expected, the investigation here indeed revealed that this was "intentional" in the sense that it has always operated this way. The URIs generated by this feature were designed to be public and permanent. Our Photos team is currently collecting additional data on the usage of this feature to determine next steps as there are a few different options available. For your reference, we're tracking this as a security enhancement rather than a high-pri bug, which means we're likely looking at a resolution time of a several weeks. I'll keep you updated as the team reaches a decision on next steps. Thanks, Alex Security Facebook -------- --snip-- 10/29/12 Hi Joel, The Photos team has decided that an option to invalidate existing links is ideal experience here. An engineer will begin building out the functionality shortly. Will keep you updated as time estimates solidify. Thanks, Alex Security Facebook -------- --snip-- 06/14/2013 Hi, No that was separate, we have an engineer working on this fix but it is part of a larger rewrite so it is taking longer. Thanks, Emrakul Security Facebook --------
Powered by blists - more mailing lists