funsec mailing list archives

Re: Facebook Image Privacy

From: Imri Goldberg <lorgandon () gmail com>
Date: Sun, 17 Jan 2010 21:16:58 +0200

On Sun, Jan 17, 2010 at 9:08 PM, Dan Kaminsky <dan () doxpara com> wrote:

And a computer that isn't at the bottom of the Mariana Trench ain't secure.

Unguessable tokens have a long history of use in our field (CSRF tokens,
etc) and having one lock access to an image is relatively legitimate.  If
there was a way to guess the token, we'd say there was an issue.


I think the difference is how long you expect that token to be kept. The
link given, afaict, is a permanent one, unlike csrf tokens or various change
password tokens.

Cheers,
Imri


-- 
Imri Goldberg
--------------------------------------
http://plnnr.com/ - automatic trip planning
http://www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----

_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.

Current thread:

Facebook Image Privacy Larry Seltzer (Jan 17)
- Re: Facebook Image Privacy Vincent Hoffman (Jan 17)
- Re: Facebook Image Privacy Imri Goldberg (Jan 17)
  - Re: Facebook Image Privacy Dan Kaminsky (Jan 17)
    - Re: Facebook Image Privacy Imri Goldberg (Jan 17)
    - Re: Facebook Image Privacy Dan Kaminsky (Jan 17)
    - Re: Facebook Image Privacy Larry Seltzer (Jan 17)
    - Re: Facebook Image Privacy Dan Kaminsky (Jan 17)
    - Re: Facebook Image Privacy Vaughn, Randal L. (Jan 17)
    - Re: Facebook Image Privacy Alex Eckelberry (Jan 17)
    - Re: Facebook Image Privacy Blue Boar (Jan 18)
    - Re: Facebook Image Privacy Dan Kaminsky (Jan 18)
    - Re: Facebook Image Privacy Blue Boar (Jan 18)
    - Re: Facebook Image Privacy Dan Kaminsky (Jan 18)
    - Re: Facebook Image Privacy Blue Boar (Jan 18)

(Thread continues...)