| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 4 Oct 2018 14:45:54 +0200 From: Vulnerability Lab <research@...nerability-lab.com> To: fulldisclosure@...lists.org Subject: [FD] Facebook Platform Hack - Critical Access Token Vulnerabilities Information: The vulnerability about the access token issue was already reported in december 2017 and january 2018 to the facebook security team. in the ticket communication all three researchers disclosing the issue was denied to receive a reward because the whitehat team of facebook did not see the entire risks and combined problematics. Our researchers tried to report the issues several way to protect the public people but after the tickets was slammed down without good arguments, we silently waited until the situation pops up again. We recorded videos of the zero-day issues in several app auth services and noticed serveral times the problematic without coming with facebook to a point were a solution is issued. Finally there was only one way to deal with it and this is the way on how we did it. Responsible for the disclosure of the vulnerabilities are Lawrence Amer of team vulnerability labs, S******* P**** and Nirmal Thape. Responsible for reportings to facebook and the followup communication was Lawrence Amer and Benjamin Kunz Mejri. Title: Facebook Inc via Instagram Business - Remote Access Token Vulnerability (Original Facebook Video) URL: https://www.youtube.com/watch?v=4Obsd1Qw7uU Title: Facebook Access Token Vulnerability - Retrieve Data via Instagram Business URL: https://www.youtube.com/watch?v=tdLKRky1Da4 Author: Lawrence Amer https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer The issue had several vectors and was exploitable using different functions like view as, preview and other facebook functions. Note: The access tokens are already invalidated or refreshed which does not allow attackers to get back access again. Today facebook replied is evaluating to pay the mentioned researchers for the findings. We send some friendly greetings back to facebook and as well to the us supervisory authority watching the case issue. -- VULNERABILITY LABORATORY - RESEARCH TEAM SERVICE: www.vulnerability-lab.com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists