lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <6937a7ed-4639-28b8-a1f6-bbe85b8cf1b3@vulnerability-lab.com>
Date: Thu, 4 Oct 2018 14:45:54 +0200
From: Vulnerability Lab <research@...nerability-lab.com>
To: fulldisclosure@...lists.org
Subject: [FD] Facebook Platform Hack - Critical Access Token Vulnerabilities

Information: The vulnerability about the access token issue was already
reported in december 2017 and january 2018 to the facebook security
team. in the ticket communication all three researchers disclosing the
issue was denied to receive a reward because the whitehat team of
facebook did not see the entire risks and combined problematics. Our
researchers tried to report the issues several way to protect the public
people but after the tickets was slammed down without good arguments, we
silently waited until the situation pops up again. We recorded videos of
the zero-day issues in several app auth services and noticed serveral
times the problematic without coming with facebook to a point were a
solution is issued. Finally there was only one way to deal with it and
this is the way on how we did it.

Responsible for the disclosure of the vulnerabilities are Lawrence Amer
of team vulnerability labs, S******* P**** and Nirmal Thape. Responsible
for reportings to facebook and the followup communication was Lawrence
Amer and Benjamin Kunz Mejri.

Title: Facebook Inc via Instagram Business - Remote Access Token
Vulnerability (Original Facebook Video)
URL: https://www.youtube.com/watch?v=4Obsd1Qw7uU

Title: Facebook Access Token Vulnerability - Retrieve Data via Instagram
Business
URL: https://www.youtube.com/watch?v=tdLKRky1Da4

Author: Lawrence Amer
https://www.vulnerability-lab.com/show.php?user=Lawrence%20Amer

The issue had several vectors and was exploitable using different
functions like view as, preview and other facebook functions.

Note: The access tokens are already invalidated or refreshed which does
not allow attackers to get back access again. Today facebook replied is
evaluating to pay the mentioned researchers for the findings. We send
some friendly greetings back to facebook and as well to the us
supervisory authority watching the case issue.

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ