[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)
From: Jann Horn <jann@xxxxxxxxx>
Date: Thu, 12 Dec 2013 20:07:49 +0100

On Wed, Dec 11, 2013 at 10:18:09PM +0100, Stefan Schurtz wrote:
> it is possible to load
> "https://www.facebook.com/login/reauth.php?next=https://www.facebook.com/confirmphone.php&display=popup";
> in another page.
[...]
> My question: is this really not a security problem on Facebook?

It's say it is a problem, especially given that drag/drop isn't blocked on that
page. Did you report this to Facebook yet?

Attachment: signature.asc
Description: Digital signature

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)
  - From: Stefan Schurtz

References:
- [Full-disclosure] Clickjacking (?) on Facebook.com (Question)
  - From: Stefan Schurtz

Prev by Date: [Full-disclosure] Phone Drive Eightythree 4.1.1 iOS - Multiple Vulnerabilities
Next by Date: Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)
Previous by thread: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)
Next by thread: Re: [Full-disclosure] Clickjacking (?) on Facebook.com (Question)
Index(es):
- Date
- Thread