[Full-disclosure] Another minor facebook security flaw

[James Fife <theriverfife@xxxxxxxxx>]

I noticed a recent flaw in Facebooks security resolution process recently. 
After being asked to confirm my identity simply because I was using a different 
computer, I apparently took too long to identify my friends in their photos. 
However, I was able to try two more times before being locked out. In which 
case Facebook provided the exact same photos with the same selection of people 
to name in order to confirm my identity. What this means is that I could 
conceivably attempt to logon to a victims Facebook account from an unauthorized 
device to get such a prompt, and then take my time to research the 
answers.Twenty minutes was the approximate time before my session expired, 
which gives roughly one hour to come up with the answers. This may not seem 
terribly difficult given the proclivity with which people tag their friends or 
publish photos on blogs. It would be even easier if the victim and attacker had 
a mutual friend in common on Facebook, as they
 would likely be able to see a lot more photos. In fact, perhaps even searching 
each name in Facebook could show the face, which would allow for the questions 
to be answered correctly.This isn’t a minor flaw in any sense of the word, 
however it does seem quite possibly that the process as it is now implemented 
could be abused in conjunction with other vulnerabilities to gain access to 
someone’s account. I hope that at the least this will foster some interesting 
discussion on why what I have described is a non issue, or result in a fix.
Taken from : 
http://allthatiswrong.wordpress.com/2011/09/19/another-minor-facebook-security-issue/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/