[Owasp-ireland] A new Facebook flaw

Sam Johnston samj at samj.net
Thu Mar 12 18:27:23 EDT 2009


A while back a subordinate commented on my summer vacation, which was
perplexing given that I had specifically created an album on Facebook and
shared it with a select group of friends and family *before* uploading
photos solely so that these would be kept private.

It took me a while to work it out, but the Facebook Exporter for iPhoto (and
possibly other applications using the same APIs) was resetting the ACLs on
the album when uploading to it.

At the time I was pissed, but also too busy to write about it or indeed even
report it. I soon enough deleted all my albums though and haven't uploaded
anything even moderately interesting since. I recommend others do the same.

Sam

On Thu, Mar 12, 2009 at 11:09 PM, Liam O Murchu
<liam_omurchu at symantec.com> wrote:

> Including the link would be helpful:
>
> http://www.lightbluetouchpaper.org/2009/02/11/new-facebook-photo-hacks/
>
> -----Original Message-----
> From: owasp-ireland-bounces at lists.owasp.org [mailto:
> owasp-ireland-bounces at lists.owasp.org] On Behalf Of Liam O Murchu
> Sent: Thursday, March 12, 2009 3:00 PM
> To: owasp-ireland
> Subject: Re: [Owasp-ireland] A new Facebook flaw
>
> Hi there,
>        Here's another article talking about accessing Facebook photo
> albums too, although using a different technique from the one you show below,
> Dave.
> Liam.
>
>
> Liam O Murchu
> Sr. Software Engineer
> Security Response
> Symantec Corporation
> www.symantec.com
>
>
> Office: (424) 750-7851
> Mobile: (310) 227-0829
> liam_omurchu at symantec.com
>
>
>
>
> -----Original Message-----
> From: owasp-ireland-bounces at lists.owasp.org [mailto:
> owasp-ireland-bounces at lists.owasp.org] On Behalf Of davidrook
> Sent: Thursday, March 12, 2009 1:52 AM
> To: owasp-ireland
> Subject: [Owasp-ireland] A new Facebook flaw
>
> Hi everyone
>
> I just wanted to share some information with you all. I was doing some
> research for a presentation last week and I came across a flaw in
> Facebook. In short, it allows you to access any user's photo albums
> without being a friend, being given the public link directly, being in a
> group with them, being logged in, etc. etc.
>
> The full details can be found here: http://securityninja.co.uk/blog/?p=198
>
> Dave
>
> --
> David Rook
> Security Analyst
> Realex Payments
> Enabling thousands of businesses to sell online.
>
> Realex Payments Dublin:
> Castlecourt, Monkstown Farm, Monkstown, Co Dublin. Ireland
> t: +353 (0)1 2808559 | f: +353 (0)1 2808538  | www.realexpayments.com
>
> Realex Payments London:
> 1 Lyric Square, Hammersmith, London W6 0NB, United Kingdom.
> t: +44 (0)20 3178 5370 | f: +44 (0)20 7691 7264  |
> www.realexpayments.co.uk
>
> Realex Payments Paris:
> 27 avenue de l'Opéra, 75001 Paris. France.
> t: +33 (0)1 70 38 51 37  | f: +33 (0)1 70 38 51 51
>
> Visit our other Realex Payments websites:
> www.airlinepayments.com
> www.sepa.ie
>
> Pay and Shop Limited, trading as Realex Payments has its registered office
> at Castlecourt, Monkstown Farm, Monkstown, Co. Dublin, Ireland and is
> registered in Ireland, company number 324929.
> This mail and any documents attached are classified as confidential and are
> intended for use by the addressee(s) only unless otherwise indicated. If you
> are not an intended recipient of this email, you must not use, disclose,
> copy, distribute or retain this message or any part of it. If you have
> received this email in error, please notify us immediately and delete all
> copies of this email from your computer system(s).
>
>
>
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland
>
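The failure Sam describes above, a client that re-uploads album metadata and silently resets the album's audience, is a privacy regression that an invariant check on the client side would have caught. The following is an added example, not code from the thread or from any Facebook or iPhoto component: it models an album with an explicit audience, shows an uploader that clobbers the audience against one that preserves it, and wraps any uploader in a pre/post snapshot check that refuses to let an upload widen who can see the album. The `Album`, `acl_drift` and `checked_upload` names and the `"everyone"` sentinel are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, FrozenSet, List, Tuple


@dataclass
class Album:
    """Constructed model of a photo album with an explicit viewer list (the ACL)."""
    name: str
    audience: FrozenSet[str]          # user ids allowed to view; "everyone" means public
    photos: List[str] = field(default_factory=list)


# Hypothetical platform default applied when a client omits privacy settings.
DEFAULT_AUDIENCE: FrozenSet[str] = frozenset({"everyone"})


def upload_resetting_acl(album: Album, photo: str) -> Album:
    """Models the reported bug: the client re-sends album settings and the
    audience falls back to the platform default on every upload."""
    album.photos.append(photo)
    album.audience = DEFAULT_AUDIENCE
    return album


def upload_preserving_acl(album: Album, photo: str) -> Album:
    """Correct behaviour: only the photo list changes; the ACL is untouched."""
    album.photos.append(photo)
    return album


def acl_drift(before: FrozenSet[str], after: FrozenSet[str]) -> Tuple[FrozenSet[str], FrozenSet[str]]:
    """Return (viewers_added, viewers_removed) between two audience snapshots."""
    return after - before, before - after


def checked_upload(album: Album, photo: str,
                   uploader: Callable[[Album, str], Album]) -> Album:
    """Run an uploader under the invariant 'an upload never widens the audience'.

    The audience is snapshotted before the call and compared afterwards. Any
    added viewer (including the public sentinel) is a privacy regression and the
    change is rolled back before raising, so the album never ends up more
    visible than the owner configured it.
    """
    before = album.audience
    uploader(album, photo)
    added, removed = acl_drift(before, album.audience)
    if added:
        album.audience = before      # roll back the widened ACL
        raise PermissionError(
            f"upload to {album.name!r} widened audience: added={sorted(added)}, "
            f"removed={sorted(removed)}")
    return album


def demo() -> Tuple[bool, bool]:
    """Return (buggy_uploader_caught, preserving_uploader_passed)."""
    private = frozenset({"alice", "bob"})
    album = Album("summer vacation", private)
    try:
        checked_upload(album, "beach.jpg", upload_resetting_acl)
        caught = False
    except PermissionError:
        caught = True
    # after the rollback the album must still be private
    assert album.audience == private
    checked_upload(album, "beach.jpg", upload_preserving_acl)
    return caught, album.audience == private


if __name__ == "__main__":
    print(demo())
```

The same snapshot-and-compare idea works against a real API: read the album's privacy setting before the upload, read it again afterwards, and treat any widening as a failed upload rather than a cosmetic difference.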