Facebook critical design flaw
- To: bugtraq@xxxxxxxxxxxxxxxxx
- Subject: Facebook critical design flaw
- From: jjshoe@xxxxxxxxx
- Date: Wed, 19 Jun 2013 14:45:38 GMT
On or around September 27, 2012 I disclosed to Facebook through
https://www.facebook.com/whitehat/report/ a critical design flaw in how users
share photos using a URI. Once a URI is known the only action the user can take
to hide the contents of a photo album is to delete the album. This means if you
ever have a breach, be it someone sitting in front of your computer, or getting
your Facebook password, you must delete all your photo albums to keep the
contents private. You can succumb to the fact that those photos are breached,
and only place photos in new albums as well.
Please note the following:
1) I don't care about the bounty, I would just like to see this fixed.
2) From initial disclosure to initial contact from Facebook took 13 days. Far
longer than the same-day fix for a previous issue I disclosed to Facebook.
Recommended fix:
1) Provide the user a way to regenerate this URI with a link: "Expire this URI"
2) Provide (or force) it as an option when changing their password
3) When Facebook believes an account has been accessed by someone else (there's
a dialog for this) provide (or force) an option to change this URI
Emails from Facebook about this:
--snip--
10/09/12
Hi Joel,
Ack - it appears the external response got dropped (we're investigating what
happened there). Incredibly sorry about the delay. We're actively working on
this now to confirm if this is intentional behavior.
Thanks,
Alex
Security
Facebook
--------
--snip--
10/10/12
Hey Joel,
As you expected, the investigation here indeed revealed that this was
"intentional" in the sense that it has always operated this way. The URIs
generated by this feature were designed to be public and permanent. Our Photos
team is currently collecting additional data on the usage of this feature to
determine next steps as there are a few different options available. For your
reference, we're tracking this as a security enhancement rather than a high-pri
bug, which means we're likely looking at a resolution time of several weeks.
I'll keep you updated as the team reaches a decision on next steps.
Thanks,
Alex
Security
Facebook
--------
--snip--
10/29/12
Hi Joel,
The Photos team has decided that an option to invalidate existing links is the
ideal experience here. An engineer will begin building out the functionality
shortly. Will keep you updated as time estimates solidify.
Thanks,
Alex
Security
Facebook
--------
--snip--
06/14/2013
Hi,
No, that was separate, we have an engineer working on this fix but it is part of
a larger rewrite so it is taking longer.
Thanks,
Emrakul
Security
Facebook
--------
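The recommended fix above amounts to treating the album share link as a revocable capability: an unguessable token that the owner can regenerate on demand and that is rotated automatically on a password change or a suspected account compromise. The following is an added illustration of that design, not Facebook's code and not part of the original post; the `ShareLinkService`, `Album`, the `example.invalid` base URL and all sample albums are hypothetical and constructed here. The store keeps only a SHA-256 digest of each token, so a leaked copy of the table does not reveal working links.

```python
import hashlib
import secrets
from dataclasses import dataclass, field


@dataclass
class Album:
    """Hypothetical album record (constructed for this example)."""
    album_id: str
    owner: str
    photos: list = field(default_factory=list)


class ShareLinkService:
    """Capability-style share links for albums, with expiry and rotation.

    Each album has at most one live link. Issuing a new link invalidates the
    old one, which gives the owner the "Expire this URI" action the post asks
    for; rotate_all() implements the password-change / compromise hooks.
    """

    BASE = "https://example.invalid/album/"  # hypothetical base URL

    def __init__(self):
        self._albums = {}               # album_id -> Album
        self._digest_by_album = {}      # album_id -> sha256(token)
        self._album_by_digest = {}      # sha256(token) -> album_id

    def add_album(self, album):
        self._albums[album.album_id] = album

    @staticmethod
    def _digest(token):
        # Store only a hash so a database leak does not expose live links.
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue_link(self, album_id):
        """Mint a fresh link; any previous link for this album stops working."""
        if album_id not in self._albums:
            raise KeyError(album_id)
        self.expire_link(album_id)
        token = secrets.token_urlsafe(32)   # 256 bits of entropy, URL-safe
        digest = self._digest(token)
        self._digest_by_album[album_id] = digest
        self._album_by_digest[digest] = album_id
        return self.BASE + token

    def expire_link(self, album_id):
        """Revoke the current link without creating a new one."""
        old = self._digest_by_album.pop(album_id, None)
        if old is not None:
            self._album_by_digest.pop(old, None)

    def resolve(self, url):
        """Return the Album for a presented link, or None if it is not live."""
        if not url.startswith(self.BASE):
            return None
        token = url[len(self.BASE):]
        album_id = self._album_by_digest.get(self._digest(token))
        return self._albums.get(album_id) if album_id is not None else None

    def rotate_all(self, owner):
        """Regenerate every live link the owner has; returns {album_id: new_url}.

        Albums that were never shared stay unshared.
        """
        shared = [a.album_id for a in self._albums.values()
                  if a.owner == owner and a.album_id in self._digest_by_album]
        return {album_id: self.issue_link(album_id) for album_id in shared}

    # Hooks for the two events the post suggests should force a rotation.
    def on_password_change(self, owner):
        return self.rotate_all(owner)

    def on_suspected_compromise(self, owner):
        return self.rotate_all(owner)


if __name__ == "__main__":
    svc = ShareLinkService()
    svc.add_album(Album("vacation", "joel", ["beach.jpg"]))
    link = svc.issue_link("vacation")
    print("live:", svc.resolve(link).album_id)
    svc.on_password_change("joel")          # old link is now dead
    print("after rotation:", svc.resolve(link))
```

Design note: rotation is keyed on the owner, so a password change or a "someone else accessed your account" dialog can revoke every link the intruder might have copied, while albums the user never shared are left untouched. The old token is not blacklisted anywhere; it simply no longer maps to an album, so there is no list of revoked secrets to protect.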