I was basically told that Facebook didn't see it as an issue and I was puzzled by that. Ends up the Facebook security team had issues reproducing my work and that's why they initially disgarded it. After publishing, the Facebook security team re-examined the issue and by working with me they seem to have been able to reproduce the bug.
Nathan Power www.securitypentest.com On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <[email protected]> wrote: > Not fixed yet. At least not yesterday when I checked. > > Nathan, didn't Facebook ask for some time to fix this bug after they have > acknowledged it? > > > Pablo Ximenes > <http://ximen.es/>http://ximen.es/ > <http://twitter.com/pabloximenes>http://twitter.com/pabloximenes > > Em 27/10/2011, às 19:29, Joshua Thomas < <[email protected]> > [email protected]> escreveu: > > can't believe such was on FB .... wahahaha !!! lol ....rofl ... > > When was this discovered and fixed ? > > > On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power < > <[email protected]><[email protected]> > [email protected]> wrote: > >> >> --------------------------------------------------------------------------------- >> 1. Summary: >> >> When using the Facebook 'Messages' tab, there is a feature to attach a >> file. >> Using this feature normally, the site won't allow a user to attach an >> executable file. >> A bug was discovered to subvert this security mechanisms. Note, you do NOT >> have >> to be friends with the user to send them a message with an attachment. >> >> >> --------------------------------------------------------------------------------- >> >> Read the rest of this advisory here: >> >> <http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html><http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html> >> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html >> >> >> Enjoy :) >> >> >> Nathan Power >> <http://www.securitypentest.com> <http://www.securitypentest.com> >> www.securitypentest.com >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: >> <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> >> http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - <http://secunia.com/><http://secunia.com/> >> http://secunia.com/ >> > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: > <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> > http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - <http://secunia.com/><http://secunia.com/> > http://secunia.com/ > >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
