On 10/28/2011 6:17 PM, Ulises2k wrote:
> You know this? ;)
> https://www.facebook.com/whitehat/bounty/
>
> On Fri, Oct 28, 2011 at 17:49, Nathan Power<[email protected]> wrote:
>> I would also like to note this vulnerability was reported responsibly in
>> regards to full disclosure.
>> http://en.wikipedia.org/wiki/Full_disclosure
>>
>> Nathan Power
>> www.securitypentest.com
>> On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power<[email protected]>
>> wrote:
>>> I was basically told that Facebook didn't see it as an issue and I was
>>> puzzled by that. Ends up the Facebook security team had issues reproducing
>>> my work and that's why they initially discarded it. After publishing, the
>>> Facebook security team re-examined the issue and by working with me they
>>> seem to have been able to reproduce the bug.
>>>
>>> Nathan Power
>>> www.securitypentest.com
>>>
>>> On Fri, Oct 28, 2011 at 11:18 AM, Pablo Ximenes<[email protected]> wrote:
>>>> Not fixed yet. At least not yesterday when I checked.
>>>> Nathan, didn't Facebook ask for some time to fix this bug after they have
>>>> acknowledged it?
>>>>
>>>> Pablo Ximenes
>>>> http://ximen.es/
>>>> http://twitter.com/pabloximenes
>>>> On 27/10/2011, at 19:29, Joshua Thomas<[email protected]> wrote:
>>>>
>>>> can't believe such was on FB .... wahahaha !!! lol ....rofl ...
>>>>
>>>> When was this discovered and fixed ?
>>>>
>>>> On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power<[email protected]>
>>>> wrote:
>>>>> ---------------------------------------------------------------------------------
>>>>> 1. Summary:
>>>>> When using the Facebook 'Messages' tab, there is a feature to attach a
>>>>> file.
>>>>> Using this feature normally, the site won't allow a user to attach an
>>>>> executable file.
>>>>> A bug was discovered to subvert this security mechanism. Note, you do
>>>>> NOT have
>>>>> to be friends with the user to send them a message with an attachment.
>>>>> ---------------------------------------------------------------------------------
>>>>> Read the rest of this advisory here:
>>>>> http://www.securitypentest.com/2011/10/facebook-attach-exe-vulnerability.html
>>>>>
>>>>> Enjoy :)
>>>>>
>>>>> Nathan Power
>>>>> www.securitypentest.com
>>>>> _______________________________________________
>>>>> Full-Disclosure - We believe in it.
>>>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>>>> Hosted and sponsored by Secunia - http://secunia.com/

Facebook has a habit of ignoring issues
