Full Disclosure mailing list archives
Re: Another minor facebook security flaw
From: Jacqui Caren-home <jacqui.caren () ntlworld com>
Date: Wed, 21 Sep 2011 09:51:43 +0100
On 20/09/2011 06:04, James Fife wrote:
I noticed a recent flaw in Facebook's security resolution process recently. After being asked to confirm my identity simply because I was using a different computer, I apparently took too long to identify my friends in their photos. However, I was able to try two more times before being locked out. In which case Facebook provided the exact same photos with the same selection of people to name in order to confirm my identity. What this means is that I could conceivably attempt to log on to a victim's Facebook account from an unauthorized device to get such a prompt, and then take my time to research the answers.
I don't have the link but there is a really neat image search engine. You point it at an image (file->save image as?) and it will hunt down the URLs referencing similar images. Have seen it used to find sites using "stolen" images - not sure if it would work with fb image archives but worth a try. Could prolly automate the whole thing with 20 lines of perl :-)
Jacqui
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/