Full Disclosure mailing list archives
Re: Facebook Attach EXE Vulnerability
From: "Mikhail A. Utin" <mutin () commonwealthcare org>
Date: Tue, 1 Nov 2011 09:03:17 -0400
Face Book is trying to save its face. It's typical. I got the same answer from SonicWALL one year ago when discovered that simple internal network scanning (Nessus, Nmap, etc.) brings down entire network. The firewall internal TCP connections stack was overloaded within a few seconds (IPS is not enabled, thus was not accepting new connections. Mikhail A. Utin, CISSP Information Security Analyst -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of full-disclosure-request () lists grok org uk Sent: Tuesday, November 01, 2011 8:00 AM To: full-disclosure () lists grok org uk Subject: Full-Disclosure Digest, Vol 81, Issue 1 Send Full-Disclosure mailing list submissions to full-disclosure () lists grok org uk To subscribe or unsubscribe via the World Wide Web, visit https://lists.grok.org.uk/mailman/listinfo/full-disclosure or, via email, send a message with subject or body 'help' to full-disclosure-request () lists grok org uk You can reach the person managing the list at full-disclosure-owner () lists grok org uk When replying, please edit your Subject line so it is more specific than "Re: Contents of Full-Disclosure digest..." Note to digest recipients - when replying to digest posts, please trim your post appropriately. Thank you. Today's Topics: 1. Re: Facebook Attach EXE Vulnerability (Charles Morris) Message: 1 Date: Mon, 31 Oct 2011 10:40:24 -0400 From: Charles Morris <cmorris () cs odu edu> Subject: Re: [Full-disclosure] Facebook Attach EXE Vulnerability To: Nathan Power <np () securitypentest com> Cc: Full Disclosure <full-disclosure () lists grok org uk> Message-ID: <CABgawuYGTu1=eG2NEsD9g_n_aaPWE1myQzrZNc0TDZ5sqsb2VQ () mail gmail com> Content-Type: text/plain; charset=ISO-8859-1 Nathan, It IS an issue, don't let their foolishness harsh your mellow. Although it's a completely ridiculous, backwards, and standards-relaxing "security" mechanism, the fact is they implemented it, and you subverted it. In my book that's Pentester 1 :: Fail Vendor 0 I've had large vendors (read:Microsoft) reply to issues with the same kind of garbage, where they take a situation where there wasn't a threat, create a "security" mechanism to counter the nonexistent threat, then implement it incorrectly, thus creating either a vulnerability in the system itself or a false sense of security for the user. Fail: "Hello user, you can add attachments now! Look at our amazing 1997 web technology!!" User: "Oh neat, I can't wait to send my friend this random file (read: give up your rights and control of your random file to facebook) your through your excessive, unnecessary, inefficient, insecure, closed-source tool" Fail: "I am blocking exe attachments 'for your security' so feel free to just run attachments without a second thought, don't even bother to waste 100ns of your time to practice normal security" User: "Wait, what about .bat, .cmd, .vbs, .ws, .pif, .inx, .lnk etc etc? What about the extensions that I set up? Can I really just spam clicks all over the place?" Fail: "Oh those, well you shouldn't be clicking those. What, we can't be held responsible if you don't practice normal security!! P.S. You know when we said we were blocking .exe files? Well--- we aren't. Enjoy." </rant> On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <np () securitypentest com> wrote:
I was?basically?told that Facebook didn't see it as an issue and I was puzzled by that. Ends up the Facebook security team had issues reproducing my work and?that's?why they?initially?disgarded it. After publishing, the Facebook security team re-examined the issue and by working with me they seem to have been able to reproduce the bug.
********************************* CONFIDENTIALITY NOTICE: This email communication and any attachments may contain confidential and privileged information for the use of the designated recipients named above. If you are not the intended recipient, you are hereby notified that you have received this communication in error and that any review, disclosure, dissemination, distribution or copying of it or its contents is prohibited. If you have received this communication in error, please reply to the sender immediately or by telephone at (617) 426-0600 and destroy all copies of this communication and any attachments. For further information regarding Commonwealth Care Alliance's privacy policy, please visit our Internet web site at http://www.commonwealthcare.org. _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Facebook Attach EXE Vulnerability mutiny (Nov 01)
- Re: Facebook Attach EXE Vulnerability Ferenc Kovacs (Nov 01)
- Re: Facebook Attach EXE Vulnerability Valdis . Kletnieks (Nov 01)
- Re: Facebook Attach EXE Vulnerability xD 0x41 (Nov 01)
- Message not available
- Re: Facebook Attach EXE Vulnerability xD 0x41 (Nov 01)
- Re: Facebook Attach EXE Vulnerability Valdis . Kletnieks (Nov 01)
- Re: Facebook Attach EXE Vulnerability Ferenc Kovacs (Nov 01)
- <Possible follow-ups>
- Re: Facebook Attach EXE Vulnerability Mikhail A. Utin (Nov 01)
- Re: Facebook Attach EXE Vulnerability Peter Dawson (Nov 01)
- Re: Facebook Attach EXE Vulnerability xD 0x41 (Nov 01)
- Re: Facebook Attach EXE Vulnerability Peter Dawson (Nov 01)