Open Source and information security mailing list archives
Message-ID: <4EAB5A64.7030009@oneechan.org>
Date: Fri, 28 Oct 2011 20:44:04 -0500
From: Laurelai <laurelai@...echan.org>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook Attach EXE Vulnerability

On 10/28/2011 6:17 PM, Ulises2k wrote:
> You know this? ;)
> https://www.facebook.com/whitehat/bounty/
>
> On Fri, Oct 28, 2011 at 17:49, Nathan Power<np@...uritypentest.com> wrote:
>> I would also like to note this vulnerability was reported responsibly in regards to full disclosure.
>> http://en.wikipedia.org/wiki/Full_disclosure
>>
>> Nathan Power
>> www.securitypentest.com
>> On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power<np@...uritypentest.com> wrote:
>>> I was basically told that Facebook didn't see it as an issue and I was puzzled by that. Ends up the Facebook security team had issues reproducing my work and that's why they initially discarded it. After publishing, the Facebook security team re-examined the issue and by working with me they seem to have been able to reproduce the bug.
>>>
>>> Nathan Power
>>> www.securitypentest.com
>>>
>>> On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes<pablo@...en.es> wrote:
>>>> Not fixed yet. At least not yesterday when I checked.
>>>> Nathan, didn't Facebook ask for some time to fix this bug after they have acknowledged it?
>>>>
>>>> Pablo Ximenes
>>>> http://ximen.es/
>>>> http://twitter.com/pabloximenes
>>>> On 27/10/2011, at 19:29, Joshua Thomas<rappercrazzy@...il.com> wrote:
>>>>
>>>> can't believe such was on FB .... wahahaha !!! lol ....rofl ...
>>>>
>>>> When was this discovered and fixed ?
>>>>
>>>> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power<np@...uritypentest.com> wrote:
>>>>> ---------------------------------------------------------------------------------
>>>>> 1. Summary:
>>>>> When using the Facebook 'Messages' tab, there is a feature to attach a file.
>>>>> Using this feature normally, the site won't allow a user to attach an executable file.
>>>>> A bug was discovered to subvert this security mechanism. Note, you do NOT have
>>>>> to be friends with the user to send them a message with an attachment.
>>>>> ---------------------------------------------------------------------------------
>>>>> Read the rest of this advisory here:
>>>>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html
>>>>>
>>>>> Enjoy :)
>>>>>
>>>>> Nathan Power
>>>>> www.securitypentest.com
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/

Facebook has a habit of ignoring issues