funsec mailing list archives

Re: Facebook Image Privacy


From: Dan Kaminsky <dan () doxpara com>
Date: Sun, 17 Jan 2010 20:38:20 +0100

On Sun, Jan 17, 2010 at 8:16 PM, Imri Goldberg <lorgandon () gmail com> wrote:

> On Sun, Jan 17, 2010 at 9:08 PM, Dan Kaminsky <dan () doxpara com> wrote:
>
> > And a computer that isn't at the bottom of the Mariana Trench ain't
> > secure.
> >
> > Unguessable tokens have a long history of use in our field (CSRF tokens,
> > etc) and having one lock access to an image is relatively legitimate.  If
> > there was a way to guess the token, we'd say there was an issue.
>
> I think the difference is how long you expect that token to be kept. The
> link given, afaict, is a permanent one, unlike CSRF tokens or various change
> password tokens.


It's a password to a single asset, which is retrieved in its entirety.  If
you allow "omg, somebody could share the link" to be considered a security
hole, then I can see the stories now...

"OMG!  Save Picture!"
"OMG!  Print Screen!"
"OMG!  SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN!"

:)
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
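Added example (not from this thread or from Facebook): the two designs being argued over, side by side. A permanent per-asset capability token of the kind Dan describes, and the expiring HMAC-bound link that Imri's point about token lifetime suggests. The /photos/<id> path layout, the parameter names and the in-memory signing key are assumptions made for the demo.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlparse

# Constructed signing key for this demo; a real service loads it from a key store.
SERVER_KEY = secrets.token_bytes(32)

def issue_permanent_link(asset_id):
    """Facebook-style: one unguessable, never-expiring token per asset.

    256 bits from the OS CSPRNG cannot be enumerated; the token is stored
    server-side next to the asset, so it is returned alongside the URL.
    """
    token = secrets.token_urlsafe(32)
    return f"/photos/{asset_id}?token={token}", token

def check_permanent_link(stored_token, url):
    """Compare the presented token with the stored one in constant time."""
    presented = parse_qs(urlparse(url).query).get("token", [""])[0]
    return hmac.compare_digest(stored_token.encode(), presented.encode())

def _sign(asset_id, exp):
    return hmac.new(SERVER_KEY, f"{asset_id}:{exp}".encode(), hashlib.sha256).hexdigest()

def issue_expiring_link(asset_id, ttl_seconds, now=None):
    """The alternative behind Imri's objection: a link that goes dead.

    Nothing is stored; the expiry is bound to the asset id by an HMAC, so a
    shared link stops working after ttl_seconds and editing exp breaks the sig.
    """
    exp = int(now if now is not None else time.time()) + ttl_seconds
    return f"/photos/{asset_id}?exp={exp}&sig={_sign(asset_id, exp)}"

def check_expiring_link(url, now=None):
    """Accept only an unexpired link whose signature matches its asset id and expiry."""
    parsed = urlparse(url)
    qs = parse_qs(parsed.query)
    asset_id = parsed.path.rsplit("/", 1)[-1]
    try:
        exp, sig = int(qs["exp"][0]), qs["sig"][0]
    except (KeyError, ValueError):
        return False
    if int(now if now is not None else time.time()) > exp:
        return False
    return hmac.compare_digest(_sign(asset_id, exp), sig)
```

Either form is a bearer credential: anyone holding the URL gets the asset, which is the point Dan makes; the expiring form only bounds how long a leaked link stays useful.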
