Message-ID: <CA+2=Aw9tJp1km+LcwNCVUJdXq9oq_rELnGb2Yo+c7zC8B99rfQ@mail.gmail.com>
Date: Fri, 28 Oct 2011 20:17:41 -0300
From: Ulises2k <ulises2k@...il.com>
To: Nathan Power <np@...uritypentest.com>
Cc: Full Disclosure <full-disclosure@...ts.grok.org.uk>
Subject: Re: Facebook Attach EXE Vulnerability

You know this? ;)
https://www.facebook.com/whitehat/bounty/

On Fri, Oct 28, 2011 at 17:49, Nathan Power <np@...uritypentest.com> wrote:
>
> I would also like to note this vulnerability was reported responsibly in regards to full disclosure.
> http://en.wikipedia.org/wiki/Full_disclosure
>
> Nathan Power
> www.securitypentest.com
>
> On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <np@...uritypentest.com> wrote:
>>
>> I was basically told that Facebook didn't see it as an issue and I was puzzled by that. Ends up the Facebook security team had issues reproducing my work and that's why they initially discarded it. After publishing, the Facebook security team re-examined the issue and by working with me they seem to have been able to reproduce the bug.
>>
>> Nathan Power
>> www.securitypentest.com
>>
>>
>> On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <pablo@...en.es> wrote:
>>>
>>> Not fixed yet. At least not yesterday when I checked.
>>> Nathan, didn't Facebook ask for some time to fix this bug after they have acknowledged it?
>>>
>>> Pablo Ximenes
>>> http://ximen.es/
>>> http://twitter.com/pabloximenes
>>>
>>> On 27/10/2011, at 19:29, Joshua Thomas <rappercrazzy@...il.com> wrote:
>>>
>>> can't believe such was on FB .... wahahaha !!! lol ....rofl ...
>>>
>>> When was this discovered and fixed ?
>>>
>>>
>>> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power <np@...uritypentest.com> wrote:
>>>>
>>>> ---------------------------------------------------------------------------------
>>>> 1. Summary:
>>>> When using the Facebook 'Messages' tab, there is a feature to attach a file.
>>>> Using this feature normally, the site won't allow a user to attach an executable file.
>>>> A bug was discovered to subvert this security mechanism. Note, you do NOT have
>>>> to be friends with the user to send them a message with an attachment.
>>>> ---------------------------------------------------------------------------------
>>>> Read the rest of this advisory here:
>>>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html
>>>>
>>>> Enjoy :)
>>>>
>>>> Nathan Power
>>>> www.securitypentest.com
>>>> _______________________________________________
>>>> Full-Disclosure - We believe in it.
>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>> Hosted and sponsored by Secunia - http://secunia.com/