Open Source and information security mailing list archives
 
Message-ID: <509D3389.6060903@calciumsec.com>
Date: Fri, 09 Nov 2012 13:47:05 -0300
From: "Chris C. Russo" <chris@...ciumsec.com>
To: Bacon Zombie <baconzombie@...il.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: A damn aweful facebook DOS

Mr BaconZombie, first of all, greetings, it's an amazing rainy Friday in
Buenos Aires.

Your signature is awesome as well, and makes it really hard to respond,
and read, I like it.

You are sending the long string as a status update; *you have to send it
as a message in the chat, and
the addressee user will eventually be disconnected.*

Since there's no limit on the number of characters that you can send in
a message and the application will push as much as you send,
the user's browser pulling the information will get a huge amount of data
in no time,
crashing in diverse ways.

 I hope you have fun, and a great weekend;
 Sincerely yours; Chris C. Russo

-- Success, *forward, quick.* Chris C. Russo
More than 100,000 km traveled, I keep my bearings, I push with
ambition, I advance with finesse,
I flex to reach, I create scenarios, I change realities.

w: www.calciumsec.com
e: chris@...ciumsec.com




On 09/11/2012 01:41 p.m., Bacon Zombie wrote:
> There seems to be a hard limit via the main website interface, but I
> have not checked modifying the post or using another means { raw, API,
> Facebook App, etc}.
>
> "Status updates must be less than 63,206 characters. You have entered
> 73,979 characters here. Notes can be much longer. Would you like to
> edit and post your update as a Note instead?"
>
> Regards,
>
> --
> ฤ๊๊๊๊๊็็็็็๊๊๊๊๊็็็็
> ฮ้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้
> ฦ้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้
>
> BaconZombie
>
> LOAD "*",8,1
>
> On 9 November 2012 15:31, Chris C. Russo <chris@...ciumsec.com> wrote:
>> On 09/11/2012 11:29 a.m., Bill Weiss wrote:
>>> Chris C. Russo(chris@...ciumsec.com)@Thu, Nov 08, 2012 at 04:28:33AM -0300:
>>>> Good news everyone!
>>>>
>>>> The last time I reported a security flaw to facebook, it took around 6
>>>> weeks until they replied,
>>>> telling me that there was no flaw at all. Perhaps that's why I decided
>>>> to make public any flaw on facebook from now on.
>>> [cut some technical details for readability]
>>>> (Properly replace the <EXTREMLY LONG MESSAGE HERE> before testing)
>>>>
>>>> This might not be the best vulnerability description ever,
>>>> but I hope it helps solving the condition as soon as possible. Have fun.
>>> What length of EXTREMELY LONG MESSAGE were you using in testing?  1K
>>> bytes, 1M, 1G?
>>>
>> I couldn't tell, I started up with 1,000 chars and increased 1,000 by
>> 1,000 until 100,000 with parallel connections. But certainly, even if
>> you only fill the text input using the regular UI from facebook, you'll
>> crash any regular box, or tablet.
>> Perhaps you should try with 1 Gb tho and see what happens, there are test
>> users you can create from the facebook.com/whitehat.
>>
>> --
>> Success, *forward, quick.* Chris C. Russo
>>
>> More than 100,000 km traveled, I keep my bearings, I push with
>> ambition, I advance with finesse, I flex to reach, I create
>> scenarios, I change realities.
>>
>> w: www.calciumsec.com
>> e: chris@...ciumsec.com
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
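
A server-side mitigation for the condition described in this message (no cap on chat message length, and the relay pushing everything it receives), as an added example that is not part of the original post and is not Facebook's code. The class name `PushGate`, its method and all limits are assumptions chosen for illustration.

```javascript
// Added example: admission control for a chat relay, applied before a
// message is pushed to the recipient's browser. Names and limits are assumed.
const MAX_MESSAGE_CHARS = 4000;          // assumed per-message cap (code points)
const WINDOW_MS = 10000;                 // assumed budget window
const MAX_BYTES_PER_WINDOW = 64 * 1024;  // assumed per-recipient push budget

class PushGate {
  constructor() {
    // recipientId -> { start, bytes }; a real service would evict idle entries
    this.windows = new Map();
  }

  // Decide whether `text` may be pushed to `recipientId` at time `now` (ms).
  admit(recipientId, text, now = Date.now()) {
    if (typeof text !== 'string' || text.length === 0) {
      return { ok: false, reason: 'empty' };
    }
    // Cheap bound first: a code point is at most two UTF-16 units, so a
    // huge body is rejected without iterating over it.
    if (text.length > 2 * MAX_MESSAGE_CHARS) {
      return { ok: false, reason: 'too_long' };
    }
    let chars = 0;
    for (const _ of text) {
      if (++chars > MAX_MESSAGE_CHARS) return { ok: false, reason: 'too_long' };
    }
    // Budget is per recipient, not per sender or connection, so many
    // parallel connections cannot multiply what one browser must pull.
    const bytes = new TextEncoder().encode(text).length;
    let w = this.windows.get(recipientId);
    if (!w || now - w.start >= WINDOW_MS) {
      w = { start: now, bytes: 0 };
      this.windows.set(recipientId, w);
    }
    if (w.bytes + bytes > MAX_BYTES_PER_WINDOW) {
      return { ok: false, reason: 'recipient_budget' };
    }
    w.bytes += bytes;
    return { ok: true, bytes };
  }
}
```

The client should apply the same cap before rendering, since a limit enforced only in the sending UI is bypassed by any other way of submitting the message.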
