[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Full-disclosure] Another minor facebook security flaw
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: Re: [Full-disclosure] Another minor facebook security flaw
- From: Jacqui Caren-home <jacqui.caren@xxxxxxxxxxxx>
- Date: Wed, 21 Sep 2011 09:51:43 +0100
On 20/09/2011 06:04, James Fife wrote:
> I noticed a recent flaw in Facebooks security resolution process recently.
> After being asked to confirm my identity simply because I was using a
> different computer, I apparently took too long to
> identify my friends in their photos. However, I was able to try two more
> times before being locked out. In which case Facebook provided the exact same
> photos with the same selection of people to name
> in order to confirm my identity. What this means is that I could conceivably
> attempt to logon to a victims Facebook account from an unauthorized device to
> get such a prompt, and then take my time to
> research the answers.
I dont have the link but there is a really neat image search engine. You point
it at an
image (file->save image as?) and it will hunt down the URLs referencing similar
images.
Have seen it used to find sites using "stolen" images - not sure if it would
work
with fb image archives but worth a try.
Could prolly automate the whole thing with 20 lines of perl :-)
Jacqui
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/