funsec mailing list archives
Re: Facebook Image Privacy
From: Imri Goldberg <lorgandon () gmail com>
Date: Sun, 17 Jan 2010 22:26:58 +0200
On Sun, Jan 17, 2010 at 9:38 PM, Dan Kaminsky <dan () doxpara com> wrote:

> It's a password to a single asset, which is retrieved in its entirety. If you allow "omg, somebody could share the link" to be considered a security hole, then I can see the stories now... "OMG! Save Picture!" "OMG! Print Screen!" "OMG! SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN!" :)
This discussion got my interest piqued, so I did a small test. Picture ids are sequential, and person ids are already known. The secret in this case is the l query parameter, which seems to be a 5-byte value. Two sequential pictures don't get the same secret. The album also has a different secret.

It seems you're right :)

Cheers,
Imri

(One minor point though: you can't change the secret as you would a regular password, except by recreating an album, afaict.)

--
Imri Goldberg
--------------------------------------
http://plnnr.com/ - automatic trip planning
http://www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----
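The scheme Imri describes is a capability URL: the picture and user ids are predictable, so the only thing gating access is the per-asset secret in the `l` parameter. The following is an added example, not code from the list or from Facebook, that models such a scheme as a defender would want to see it: a fresh random secret per asset, constant-time verification, the rotation step Imri notes is missing (changing the secret without recreating the album), and a helper that sizes the guessing work a 5-byte secret actually buys. The class and function names (`Asset`, `CapabilityStore`, `secret_bits`, `seconds_to_exhaust`) and the URL shape are this example's own assumptions.

```python
import secrets
import hmac
from dataclasses import dataclass

# Constructed model of a capability-URL scheme like the one described in the
# thread: asset ids are sequential and owner ids are public, so access control
# rests entirely on the per-asset secret carried in the "l" query parameter.
# All names here are this example's own, not Facebook's.

SECRET_BYTES = 5  # the thread estimates the observed "l" value at 5 bytes


@dataclass
class Asset:
    asset_id: int
    owner_id: int
    secret: bytes


class CapabilityStore:
    def __init__(self, secret_bytes: int = SECRET_BYTES):
        self._secret_bytes = secret_bytes
        self._assets = {}
        self._next_id = 1  # sequential ids, as observed in the thread

    def create_asset(self, owner_id: int) -> Asset:
        # Each asset gets its own CSPRNG secret, so neighbouring ids share nothing.
        asset = Asset(self._next_id, owner_id, secrets.token_bytes(self._secret_bytes))
        self._assets[asset.asset_id] = asset
        self._next_id += 1
        return asset

    def url_for(self, asset: Asset) -> str:
        # Predictable ids plus the secret "l" value, mirroring the observed URL shape.
        return f"/photo?id={asset.asset_id}&uid={asset.owner_id}&l={asset.secret.hex()}"

    def authorize(self, asset_id: int, presented_l: str) -> bool:
        asset = self._assets.get(asset_id)
        if asset is None:
            return False
        try:
            presented = bytes.fromhex(presented_l)
        except ValueError:
            return False
        # Constant-time comparison so the check leaks nothing about the secret.
        return hmac.compare_digest(presented, asset.secret)

    def rotate_secret(self, asset_id: int) -> Asset:
        # The piece the poster notes is missing: re-key one asset so every
        # previously shared link for it stops working, without recreating it.
        asset = self._assets[asset_id]
        asset.secret = secrets.token_bytes(self._secret_bytes)
        return asset


def secret_bits(secret_bytes: int) -> int:
    """Entropy of a uniformly random secret of the given length, in bits."""
    return 8 * secret_bytes


def seconds_to_exhaust(secret_bytes: int, guesses_per_second: float) -> float:
    """Time to try every value of the secret at a given guess rate (worst case
    for the guesser; on average a single fixed secret falls in half that)."""
    return (2 ** secret_bits(secret_bytes)) / guesses_per_second


if __name__ == "__main__":
    store = CapabilityStore()
    photo = store.create_asset(owner_id=1000)
    link = store.url_for(photo)
    print("share link:", link)
    print("valid:", store.authorize(photo.asset_id, photo.secret.hex()))
    store.rotate_secret(photo.asset_id)
    print("old link still valid after rotation:", store.authorize(photo.asset_id, link.split("l=")[1]))
    print("bits:", secret_bits(SECRET_BYTES),
          "seconds to exhaust at 1M guesses/s:", seconds_to_exhaust(SECRET_BYTES, 1e6))
```

The sizing helper makes the trade-off concrete: 5 bytes is 40 bits, so exhausting one asset's secret at a million guesses per second takes on the order of 10^6 seconds (about 12 days), and that budget shrinks in proportion to how many live secrets a guesser would be happy to hit. Rate limiting on the endpoint and the ability to rotate are what keep a short per-asset secret adequate for this kind of link.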
_______________________________________________
Fun and Misc security discussion for OT posts.
https://linuxbox.org/cgi-bin/mailman/listinfo/funsec
Note: funsec is a public and open mailing list.