I would also like to note this vulnerability was reported responsibly in regards to full disclosure.
http://en.wikipedia.org/wiki/Full_disclosure Nathan Power www.securitypentest.com On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power <n...@securitypentest.com>wrote: > I was basically told that Facebook didn't see it as an issue and I was > puzzled by that. Ends up the Facebook security team had issues reproducing > my work and that's why they initially disgarded it. After publishing, the > Facebook security team re-examined the issue and by working with me they > seem to have been able to reproduce the bug. > > > Nathan Power > www.securitypentest.com > > > > On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes <pa...@ximen.es> wrote: > >> Not fixed yet. At least not yesterday when I checked. >> >> Nathan, didn't Facebook ask for some time to fix this bug after they have >> acknowledged it? >> >> >> Pablo Ximenes >> <http://ximen.es/>http://ximen.es/ >> <http://twitter.com/pabloximenes>http://twitter.com/pabloximenes >> >> Em 27/10/2011, às 19:29, Joshua Thomas < <rappercra...@gmail.com> >> rappercra...@gmail.com> escreveu: >> >> can't believe such was on FB .... wahahaha !!! lol ....rofl ... >> >> When was this discovered and fixed ? >> >> >> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power < >> <n...@securitypentest.com><n...@securitypentest.com> >> n...@securitypentest.com> wrote: >> >>> >>> --------------------------------------------------------------------------------- >>> 1. Summary: >>> >>> When using the Facebook 'Messages' tab, there is a feature to attach a >>> file. >>> Using this feature normally, the site won't allow a user to attach an >>> executable file. >>> A bug was discovered to subvert this security mechanisms. Note, you do >>> NOT have >>> to be friends with the user to send them a message with an attachment. >>> >>> >>> --------------------------------------------------------------------------------- >>> >>> Read the rest of this advisory here: >>> >>> <http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html><http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html> >>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html >>> >>> >>> Enjoy :) >>> >>> >>> Nathan Power >>> <http://www.securitypentest.com> <http://www.securitypentest.com> >>> www.securitypentest.com >>> >>> _______________________________________________ >>> Full-Disclosure - We believe in it. >>> Charter: >>> <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> >>> http://lists.grok.org.uk/full-disclosure-charter.html >>> Hosted and sponsored by Secunia - <http://secunia.com/><http://secunia.com/> >>> http://secunia.com/ >>> >> >> _______________________________________________ >> Full-Disclosure - We believe in it. >> Charter: >> <http://lists.grok.org.uk/full-disclosure-charter.html><http://lists.grok.org.uk/full-disclosure-charter.html> >> http://lists.grok.org.uk/full-disclosure-charter.html >> Hosted and sponsored by Secunia - <http://secunia.com/><http://secunia.com/> >> http://secunia.com/ >> >> >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/