Re: [Full-disclosure] Another minor facebook security flaw
- From: Jacqui Caren-home <jacqui.caren@xxxxxxxxxxxx>
- Date: Wed, 21 Sep 2011 09:51:43 +0100
On 20/09/2011 06:04, James Fife wrote:
> I noticed a recent flaw in Facebook's security resolution process recently. After being asked to confirm my identity simply because I was using a different computer, I apparently took too long to
> identify my friends in their photos. However, I was able to try two more times before being locked out, in which case Facebook provided the exact same photos with the same selection of people to name
> in order to confirm my identity. What this means is that I could conceivably attempt to log on to a victim's Facebook account from an unauthorized device to get such a prompt, and then take my time to
> research the answers.
I don't have the link but there is a really neat image search engine. You point it at an
image (file->save image as?) and it will hunt down the URLs referencing similar images.
Have seen it used to find sites using "stolen" images - not sure if it would work
with fb image archives but worth a try.
Could prolly automate the whole thing with 20 lines of perl :-)
Jacqui
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
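A small model of the behaviour James describes, as an added example that is not part of this thread and not Facebook's code: a photo-naming challenge that serves the same photos on every retry (so an attacker can let one attempt expire, research the faces offline, and answer on the next) beside a hardened variant that draws fresh photos per attempt, binds the answer to a single-use challenge id, and enforces the deadline. The photo pool, time budgets, attempt limit and both verifier classes are constructed assumptions for the simulation; the attacker function assumes research (e.g. a reverse image search) eventually identifies every face it is shown.

```python
"""Photo-challenge reuse: the reported weakness beside a hardened design.
Added example; everything here is constructed and not Facebook's code."""
import secrets
from dataclasses import dataclass

# Constructed sample pool: photo id -> friend shown in it (assumption).
PHOTO_POOL = {f"photo{i:02d}": f"friend{i:02d}" for i in range(1, 21)}
PHOTOS_PER_CHALLENGE = 5
MAX_ATTEMPTS = 3          # matches "two more times before being locked out"
CHALLENGE_TTL = 60        # logical seconds an answer is accepted (assumed)
RESEARCH_TIME = 300       # logical seconds the attacker needs to identify a batch (assumed)


@dataclass
class Challenge:
    cid: str
    photos: list
    issued_at: int


class ReusedChallengeVerifier:
    """Mirrors the reported behaviour: one photo set chosen once and re-served
    on every retry. The deadline is enforced, but knowledge carries over."""

    def __init__(self, pool, rng=None):
        self.pool = pool
        self.rng = rng or secrets.SystemRandom()
        self.photos = self.rng.sample(sorted(pool), PHOTOS_PER_CHALLENGE)
        self.attempts = 0

    def issue(self, now):
        if self.attempts >= MAX_ATTEMPTS:
            return None                       # locked out
        self.attempts += 1
        return Challenge("fixed", list(self.photos), now)

    def verify(self, ch, answers, now):
        if now - ch.issued_at > CHALLENGE_TTL:
            return False                      # too slow, but the photos stay the same
        return all(answers.get(p) == self.pool[p] for p in ch.photos)


class FreshChallengeVerifier:
    """Hardened variant: new photos per attempt (never re-serving one already
    shown this session), unguessable single-use challenge id, same deadline."""

    def __init__(self, pool, rng=None):
        self.pool = pool
        self.rng = rng or secrets.SystemRandom()
        self.attempts = 0
        self.shown = set()
        self.live = None

    def issue(self, now):
        if self.attempts >= MAX_ATTEMPTS:
            return None
        self.attempts += 1
        unseen = sorted(set(self.pool) - self.shown)   # pool must hold >= MAX_ATTEMPTS * PHOTOS_PER_CHALLENGE
        photos = self.rng.sample(unseen, PHOTOS_PER_CHALLENGE)
        self.shown.update(photos)
        self.live = Challenge(secrets.token_hex(16), photos, now)
        return self.live

    def verify(self, ch, answers, now):
        live, self.live = self.live, None     # single use: consumed on first answer
        if live is None or ch.cid != live.cid:
            return False
        if now - live.issued_at > CHALLENGE_TTL:
            return False
        return all(answers.get(p) == self.pool[p] for p in live.photos)


def offline_attacker(verifier):
    """Attacker on an unauthorized device who recognises nobody on sight but,
    given RESEARCH_TIME, identifies every face in a batch (modelled as a lookup
    into PHOTO_POOL). Returns (succeeded, logical seconds spent)."""
    known, now = {}, 0
    while (ch := verifier.issue(now)) is not None:
        unknown = [p for p in ch.photos if p not in known]
        if unknown:
            now += RESEARCH_TIME              # let the clock run while researching
            known.update({p: PHOTO_POOL[p] for p in unknown})
        if verifier.verify(ch, {p: known[p] for p in ch.photos}, now):
            return True, now
    return False, now


def legitimate_user(verifier):
    """The account owner names their friends within the deadline on the first try."""
    ch = verifier.issue(now=0)
    return verifier.verify(ch, {p: PHOTO_POOL[p] for p in ch.photos}, now=5)


if __name__ == "__main__":
    print("reused photos:", offline_attacker(ReusedChallengeVerifier(PHOTO_POOL)))
    print("fresh photos: ", offline_attacker(FreshChallengeVerifier(PHOTO_POOL)))
```

Against the reused set the attacker lets the first attempt expire, researches, and passes on the second attempt; against the fresh set every attempt shows unseen faces, each one expires during research, and the third failure locks the account while the legitimate user still passes on the first try. The real lesson is that a retry must not be an oracle for the previous challenge: rotate the material, bind it to a short-lived single-use token, and count each issued challenge against the lockout budget.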
- Follow-Ups:
- Re: [Full-disclosure] Another minor facebook security flaw
- From: Dan Dart
- Re: [Full-disclosure] Another minor facebook security flaw
- References:
- [Full-disclosure] Another minor facebook security flaw
- From: James Fife
- [Full-disclosure] Another minor facebook security flaw