Agreed. What I'm asking is whether Facebook did ask him to wait. Did it? If it did it's a whole different ball game.
Pablo Ximenes http://ximen.es/ http://twitter.com/pabloximenes Em 28/10/2011, às 13:01, Peter Dawson <slash...@gmail.com> escreveu: I dont think that he waited for vendor to confirm fix in production and I dont see a reason that he needs to wait . If FB did not ask him to refrain from disclosure.. y shld he ? 09/30/2011 Reported Vulnerability to the Vendor 10/26/2011 Vendor Acknowledged Vulnerability 10/27/2011 Publicly Disclosed On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <pa...@ximen.es> wrote: > Not fixed yet. At least not yesterday when I checked. > > Nathan, didn't Facebook ask for some time to fix this bug after they have > acknowledged it? > > > Pablo Ximenes > <http://ximen.es/>http://ximen.es/ > <http://twitter.com/pabloximenes>http://twitter.com/pabloximenes > > Em 27/10/2011, às 19:29, Joshua Thomas < <rappercra...@gmail.com> > rappercra...@gmail.com> escreveu: > > can't believe such was on FB .... wahahaha !!! lol ....rofl ... > > When was this discovered and fixed ? > > > On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power < > <n...@securitypentest.com><n...@securitypentest.com> > n...@securitypentest.com> wrote: > >> >> --------------------------------------------------------------------------------- >> 1. Summary: >> >> When using the Facebook 'Messages' tab, there is a feature to attach a >> file. >> Using this feature normally, the site won't allow a user to attach an >> executable file. >> A bug was discovered to subvert this security mechanisms. Note, you do NOT >> have >> to be friends with the user to send them a message with an attachment. >> >> >> --------------------------------------------------------------------------------- >> >> Read the rest of this advisory here: >> <http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html><http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html> >> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html >> >> >> Enjoy :) >> >> >> Nathan Power >> <http://www.securitypentest.com/> <http://www.securitypentest.com/> >> www.securitypentest.com >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: >> <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> >> http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - <http://secunia.com/><http://secunia.com/> >> http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - <http://secunia.com/><http://secunia.com/> > http://secunia.com/ > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ > _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/