-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 > I think they need a better way to sift the wheat from the chaff.
Numbers can be magic and eight bytes is enough of a taste to tell honey from vinegar. Nice find Dave On 28/10/2011 18:56, Pablo Ximenes wrote: > I see. I have seen this kinda behavior from vendors too often. I supose the > reason for this is the flood of false positives. I think they > need a better way to sift the wheat from the chaff. > > Congrats for your work! > > 2011/10/28 Nathan Power <[email protected]> > >> I was basically told that Facebook didn't see it as an issue and I was >> puzzled by that. Ends up the Facebook security team had issues >> reproducing my work and that's why they initially disgarded it. After >> publishing, the Facebook security team re-examined the issue and by >> working with me they seem to have been able to reproduce the bug. >> >> >> Nathan Power www.securitypentest.com >> >> >> On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <[email protected]> wrote: >> >>> Not fixed yet. At least not yesterday when I checked. >>> >>> Nathan, didn't Facebook ask for some time to fix this bug after they have >>> acknowledged it? >>> >>> >>> Pablo Ximenes <http://ximen.es/>http://ximen.es/ >>> <http://twitter.com/pabloximenes>http://twitter.com/pabloximenes >>> >>> Em 27/10/2011, às 19:29, Joshua Thomas < <[email protected]> >>> [email protected]> escreveu: >>> >>> can't believe such was on FB .... wahahaha !!! lol ....rofl ... >>> >>> When was this discovered and fixed ? >>> >>> >>> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power < >>> <[email protected]><[email protected]> >>> [email protected]> wrote: >>> >>>> >>>> --------------------------------------------------------------------------------- >>>> 1. Summary: >>>> >>>> When using the Facebook 'Messages' tab, there is a feature to attach a >>>> file. Using this feature normally, the site won't allow a user >>>> to attach an executable file. A bug was discovered to subvert this >>>> security mechanisms. Note, you do NOT have to be friends with the >>>> user to send them a message with an attachment. >>>> >>>> >>>> --------------------------------------------------------------------------------- >>>> >>>> Read the rest of this advisory here: >>>> >>>> <http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html><http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html> >>>> >>>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html >>>> >>>> >>>> Enjoy :) >>>> >>>> >>>> Nathan Power <http://www.securitypentest.com> >>>> <http://www.securitypentest.com> www.securitypentest.com >>>> >>>> _______________________________________________ Full-Disclosure - We >>>> believe in it. Charter: >>>> <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> >>>> >>>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored >>>> by Secunia - <http://secunia.com/><http://secunia.com/> >>>> http://secunia.com/ >>>> >>> >>> _______________________________________________ Full-Disclosure - We >>> believe in it. Charter: >>> <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> >>> >>> http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored >>> by Secunia - <http://secunia.com/><http://secunia.com/> >>> http://secunia.com/ >>> >>> >> > > > > _______________________________________________ Full-Disclosure - We believe > in it. Charter: > http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by > Secunia - http://secunia.com/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.2 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEVAwUBTqr2iLIvn8UFHWSmAQKk8Qf+MS1xLQGhYgHV0TcKb3OvRYxCt043xCXq bos1xRb+ggAj/AHzaHg9R4jwYKvTO2B6vpLXfUnx3vvQA0Ygu4xAjDxoLEObtz4C hHs62YeL5SGkxFyYVk54l/P26agr+Ev/HnspMdMBGCLc5iqNc/hbL3I23vYzLjEA KwDJjERMk0RAZMHJqZUqYkDEmASo8sCLDqInI8l4BqP5JiD+YoXHMUKjxRESo4TZ l7we1/nE2gOXncfJLwT+fqzIfI6LMgRU6ddxdwmc6QhVIK+dfoLnwVh0lfLSzhXE s250/+Cy3JDo0K2VpdEdu93SBPfsgqAJrKa/3NwQak40oFXEsizkHQ== =Y2jI -----END PGP SIGNATURE----- _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
