lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-Id: <201306191445.r5JEjcOs030499@sf01web2.securityfocus.com>
Date: Wed, 19 Jun 2013 14:45:38 GMT
From: jjshoe@...il.com
To: bugtraq@...urityfocus.com
Subject: Facebook critical design flaw

On or around September 27, 2012 I disclosed to Facebook through https://www.facebook.com/whitehat/report/ a critical design flaw in how users share photos using a URI. Once a URI is known the only action the user can take to hide the contents of a photo album is to delete the album. This means if you ever have a breach, be it someone sitting in front of your computer, or getting your Facebook password, you must delete all your photo albums to keep the contents private. You can succumb to the fact that those photos are breached, and only place photos in new albums as well.

Please note the following:
1) I don't care about the bounty, I would just like to see this fixed. 
2) From initial disclosure to initial contact from Facebook took 13 days. Far longer than the same day fix for a previous issue I disclosed to Facebook.

Recommended fix: 

1) Provide the user a way to regenerate this URI with a link: "Expire this URI"
2) Provide (or force) it as an option when changing their password
3) When Facebook believes an account has been accessed by someone else (there's a dialog for this) provide (or force) an option to change this URI

Emails from Facebook about this:

--snip--
10/09/12

Hi Joel,

Ack - it appears the external response got dropped (we're investigating what happened there). Incredibly sorry about the delay. We're actively working on this now to confirm if this is intentional behavior.

Thanks,

Alex
Security
Facebook

--------

--snip--
10/10/12

Hey Joel,

As you expected, the investigation here indeed revealed that this was "intentional" in the sense that it has always operated this way. The URIs generated by this feature were designed to be public and permanent. Our Photos team is currently collecting additional data on the usage of this feature to determine next steps as there are a few different options available. For your reference, we're tracking this as a security enhancement rather than a high-pri bug, which means we're likely looking at a resolution time of a several weeks. I'll keep you updated as the team reaches a decision on next steps.

Thanks,

Alex
Security
Facebook
--------

--snip-- 
10/29/12

Hi Joel,

The Photos team has decided that an option to invalidate existing links is ideal experience here. An engineer will begin building out the functionality shortly. Will keep you updated as time estimates solidify.

Thanks,

Alex
Security
Facebook

--------

--snip--
06/14/2013

Hi,

No that was separate, we have an engineer working on this fix but it is part of a larger rewrite so it is taking longer.

Thanks,

Emrakul
Security
Facebook
--------

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ