Message-ID: <CAE5Wca2YSPOYZA+pEetLBCjJLTMYrGQZLLZO1_fmFaS3JmC=wA@mail.gmail.com>
Date: Wed, 20 Jan 2016 11:24:02 -0200
From: Ricardo Iramar dos Santos <riramar@...il.com>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Subject: [FD] mobile.facebook.com is not on HSTS preload list or sending the Strict-Transport-Security header
Hi All,
I've noticed that the mobile.facebook.com domain is not on the HSTS preload
list or sending the Strict-Transport-Security header. All the other
domains like m.facebook.com are using HSTS properly.
I reported this to Facebook on 12/3/15 through the whitehat program
and got the answer below. I've checked again today and it is still not
using HSTS. Not sure why Facebook is not protecting this domain with
HSTS.
Hi Ricardo,
Thank you for sharing this information with us. Although this issue
does not qualify as a part of our bounty program we appreciate your
report. We will follow up with you on any security bugs or with any
further questions we may have.
Thanks,
Angelo
Security
Facebook
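The check behind this report, as an added example that is not part of the original post: a small Python script that parses a Strict-Transport-Security header per RFC 6797 and classifies a response as missing, invalid (no max-age), disabled (max-age=0), enforced, or meeting the three public preload-list requirements (max-age of at least one year, includeSubDomains, preload). The host names and header sets in SAMPLES are constructed for offline use; fetch_headers() does a live HEAD request over TLS when you want to test a real host.

```python
"""Classify a host's HTTP Strict Transport Security (HSTS) posture.

Added example, not from the original post. Sample hosts and headers below
are constructed; replace them with fetch_headers(host) output for a live check.
"""
import http.client
import ssl

ONE_YEAR = 31536000  # seconds; minimum max-age accepted for the preload list


def parse_hsts(value):
    """Parse an STS header value into its directives (RFC 6797 section 6.1).

    Directive names are case-insensitive; unknown directives are ignored.
    """
    policy = {"max_age": None, "include_subdomains": False, "preload": False}
    for directive in value.split(";"):
        name, _, arg = directive.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age" and arg.isdigit():
            policy["max_age"] = int(arg)
        elif name == "includesubdomains":
            policy["include_subdomains"] = True
        elif name == "preload":
            policy["preload"] = True
    return policy


def evaluate(headers):
    """Return a verdict string for a mapping of response header names to values."""
    value = None
    for name, v in headers.items():
        if name.lower() == "strict-transport-security":
            value = v
            break
    if value is None:
        return "missing"        # no policy at all: the case the post describes
    p = parse_hsts(value)
    if p["max_age"] is None:
        return "invalid"        # max-age is required; browsers ignore the header without it
    if p["max_age"] == 0:
        return "disabled"       # max-age=0 tells the browser to forget the host
    if p["max_age"] >= ONE_YEAR and p["include_subdomains"] and p["preload"]:
        return "preload-ready"  # satisfies the hstspreload.org submission rules
    return "enforced"           # policy is active but not eligible for preloading


def fetch_headers(host, path="/"):
    """Live check: HEAD request over TLS, returning the response headers as a dict."""
    conn = http.client.HTTPSConnection(
        host, timeout=10, context=ssl.create_default_context()
    )
    conn.request("HEAD", path)
    return dict(conn.getresponse().getheaders())


# Constructed sample responses (not real hosts) covering the verdicts above.
SAMPLES = {
    "mobile.example": {"Content-Type": "text/html"},
    "m.example": {"Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload"},
    "www.example": {"strict-transport-security": "max-age=600"},
}

if __name__ == "__main__":
    for host, hdrs in SAMPLES.items():
        print(f"{host}: {evaluate(hdrs)}")
```

One caveat when reading the verdict: the script only looks at the header the host itself sends. A subdomain can also be covered by a parent domain's policy if that parent serves includeSubDomains and the browser has already seen it, so a "missing" result on one host is definitive only after the parent's policy has been checked the same way.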
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/