| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Wed, 21 Sep 2011 09:51:43 +0100 From: Jacqui Caren-home <jacqui.caren@...world.com> To: full-disclosure@...ts.grok.org.uk Subject: Re: Another minor facebook security flaw On 20/09/2011 06:04, James Fife wrote: > I noticed a recent flaw in Facebooks security resolution process recently. After being asked to confirm my identity simply because I was using a different computer, I apparently took too long to > identify my friends in their photos. However, I was able to try two more times before being locked out. In which case Facebook provided the exact same photos with the same selection of people to name > in order to confirm my identity. What this means is that I could conceivably attempt to logon to a victims Facebook account from an unauthorized device to get such a prompt, and then take my time to > research the answers. I dont have the link but there is a really neat image search engine. You point it at an image (file->save image as?) and it will hunt down the URLs referencing similar images. Have seen it used to find sites using "stolen" images - not sure if it would work with fb image archives but worth a try. Could prolly automate the whole thing with 20 lines of perl :-) Jacqui _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists