funsec mailing list archives

Re: Facebook Image Privacy


From: Imri Goldberg <lorgandon () gmail com>
Date: Sun, 17 Jan 2010 22:26:58 +0200

On Sun, Jan 17, 2010 at 9:38 PM, Dan Kaminsky <dan () doxpara com> wrote:

> It's a password to a single asset, which is retrieved in its entirety.  If
> you allow "omg, somebody could share the link" to be considered a security
> hole, then I can see the stories now...
>
> "OMG!  Save Picture!"
> "OMG!  Print Screen!"
> "OMG!  SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN!"
>
> :)


This discussion got my interest piqued, so I did a small test.
Picture IDs are sequential, and person IDs are already known. The secret
in this case is the l query parameter, which seems to be a 5-byte value. Two
sequential pictures don't get the same secret. The album also has a
different secret.

It seems you're right :)

Cheers,
Imri

(One minor point though: you can't change the secret as you would a regular
password, except by recreating an album, afaict).

-- 
Imri Goldberg
--------------------------------------
http://plnnr.com/ - automatic trip planning
http://www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.
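The thread describes a capability URL: a secret query parameter per picture that acts as the asset's password, with no way to rotate it short of recreating the album. The following is an added example, not code from the thread or from Facebook, showing how a server could mint such per-asset secrets so that sequential picture IDs get unrelated secrets and the secret can be rotated without recreating anything. The HMAC derivation, the `rotation` counter, the URL layout and the host are all assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlencode

SECRET_LEN = 5  # bytes; matches the 5-byte "l" value observed in the thread


def mint_secret(key: bytes, owner_id: int, picture_id: int, rotation: int = 0) -> str:
    """Derive the per-picture secret from a server-side key.

    Assumed scheme (not Facebook's): HMAC-SHA256 over owner, picture and a
    rotation counter, truncated to SECRET_LEN bytes.  Neighbouring picture IDs
    therefore yield unrelated secrets, and bumping `rotation` invalidates every
    previously shared link for that picture without touching the album.
    """
    msg = f"{owner_id}:{picture_id}:{rotation}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return digest[:SECRET_LEN].hex()


def picture_url(key: bytes, owner_id: int, picture_id: int, rotation: int = 0) -> str:
    """Build the shareable link; the "l" parameter carries the secret."""
    query = urlencode({
        "pid": picture_id,
        "id": owner_id,
        "l": mint_secret(key, owner_id, picture_id, rotation),
    })
    return f"https://photos.example.invalid/photo.php?{query}"  # placeholder host


def verify(key: bytes, owner_id: int, picture_id: int, rotation: int, presented: str) -> bool:
    """Server-side check of a presented secret, in constant time."""
    expected = mint_secret(key, owner_id, picture_id, rotation)
    return hmac.compare_digest(expected, presented)


def guess_space(secret_len: int = SECRET_LEN) -> int:
    """Number of candidate secrets an outsider would have to try for one picture:
    2**(8*secret_len), the point Dan makes about the link being a password."""
    return 2 ** (8 * secret_len)
```

Rotation here is a counter stored next to the picture; whatever the stored value is, only links minted with the current value verify.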