Mr BaconZombie, first of all, greetings, it's an amazing rainy Friday in Buenos Aires.

Your signature is awesome as well, and makes it really hard to respond, and read, I like it.

You are sending the long string as a status update, *you have to send it as a message in the chat; the addressee user will eventually be disconnected.* Since there's no limit on the amount of characters that you can send in a message, and the application will push as much as you send, the user's browser pulling the information will get a huge amount of data in no time, crashing in diverse ways.

I hope you have fun, and a great weekend;

Sincerely yours;

Chris C. Russo

--
Success, *forward, quick.*

Chris C. Russo

More than 100,000 km travelled; I keep my directions, I push with ambition, I advance with delicacy, I bend to reach, I create scenarios, I change realities.

w: www.calciumsec.com
e: [email protected]

On 09/11/2012 01:41 p.m., Bacon Zombie wrote:
> There seems to be a hard limit via the main website interface but I
> have not checked modifying the post or using another means { raw, API,
> Facebook App, etc}.
>
> "Status updates must be less than 63,206 characters. You have entered
> 73,979 characters here. Notes can be much longer. Would you like to
> edit and post your update as a Note instead?"
>
> Regards,
>
> --
> ฤ๊๊๊๊๊็็็็็๊๊๊๊๊็็็็
> ฮ้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้> ฦ้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้
>
> BaconZombie
>
> LOAD "*",8,1
>
> On 9 November 2012 15:31, Chris C. Russo <[email protected]> wrote:
>> On 09/11/2012 11:29 a.m., Bill Weiss wrote:
>>> Chris C. Russo([email protected])@Thu, Nov 08, 2012 at 04:28:33AM -0300:
>>>> Good news everyone!
>>>>
>>>> The last time I reported a security flaw to facebook, it took around 6
>>>> weeks until they replied,
>>>> telling me that there was no flaw at all. Perhaps that's why I decided
>>>> to make public any flaw on facebook from now on.
>>> [cut some technical details for readability]
>>>> (Properly replace the <EXTREMELY LONG MESSAGE HERE> before testing)
>>>>
>>>> This might not be the best vulnerability description ever,
>>>> but I hope it helps solving the condition as soon as possible. Have fun.
>>> What length of EXTREMELY LONG MESSAGE were you using in testing? 1K
>>> bytes, 1M, 1G?
>>>
>> I couldn't tell, I started up with 1,000 chars and increased 1,000 by
>> 1,000 until 100,000 with parallel connections. But certainly, even if
>> you only fill the text input using the regular UI from facebook, you'll
>> crash any regular box, or tablet.
>> Perhaps you should try with 1 Gb though and see what happens; there are test
>> users you can create from the facebook.com/whitehat.
>>
>> --
>> Success, *forward, quick.* Chris C. Russo
>>
>> w: www.calciumsec.com
>> e: [email protected]
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
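The two controls a chat relay would want against the condition discussed in this thread, as an added illustration (not code from the thread, from Chris, or from Facebook): reject a message at ingest time when it exceeds a per-message limit, and cap how many bytes one client poll can return, so a stored message can never flood the reader's browser. The class, function names, in-memory store and the limit values are assumptions of this example; the 63,206 ceiling mirrors the status-update limit quoted above.

```python
"""Length guard for a chat relay, illustrating the thread above.

The reply describes a chat that accepts a message of any length and pushes all
of it to the recipient, whose browser chokes. Two checks close that gap:
a per-message limit enforced on ingest, and a cap on the bytes returned per
client poll. Names, limits and the dict-backed store are assumptions here.
"""
from dataclasses import dataclass, field

MAX_MESSAGE_CHARS = 63_206   # same ceiling the status-update UI enforces (from the thread)
MAX_PULL_BYTES = 256 * 1024  # assumed cap on bytes delivered per client poll


class MessageTooLong(ValueError):
    """Raised when a sender submits more than MAX_MESSAGE_CHARS."""


@dataclass
class ChatRelay:
    # recipient -> queued messages not yet fetched (constructed, in-memory only)
    inbox: dict[str, list[str]] = field(default_factory=dict)

    def send(self, sender: str, recipient: str, text: str) -> int:
        """Accept a message for a recipient, or reject it if oversized."""
        # Count characters, not bytes: one combining-mark run like the signature
        # in the thread is a few characters but many bytes; bytes are capped on pull.
        length = len(text)
        if length > MAX_MESSAGE_CHARS:
            raise MessageTooLong(
                f"message from {sender} is {length} chars; limit {MAX_MESSAGE_CHARS}")
        self.inbox.setdefault(recipient, []).append(text)
        return length

    def pull(self, recipient: str) -> list[str]:
        """Deliver whole queued messages, never more than MAX_PULL_BYTES per poll."""
        queue = self.inbox.get(recipient, [])
        delivered, used = [], 0
        for msg in queue:
            size = len(msg.encode("utf-8"))
            # A single accepted message (63,206 chars * 4 bytes max) always fits
            # under the pull cap, so the first message is always delivered.
            if delivered and used + size > MAX_PULL_BYTES:
                break  # leave the remainder for the next poll
            delivered.append(msg)
            used += size
        self.inbox[recipient] = queue[len(delivered):]
        return delivered
```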
