On Sun, Jan 17, 2010 at 9:38 PM, Dan Kaminsky <[email protected]> wrote:
> It's a password to a single asset, which is retrieved in its entirety. If > you allow "omg, somebody could share the link" to be considered a security > hole, then I can see the stories now... > > "OMG! Save Picture!" > "OMG! Print Screen!" > "OMG! SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN!" > > :) > > This discussion got my interest piqued, so I did a small test. Picture id's are sequential, and person-id's are already known. The secret in this case is the l query parameter, which seems to be a 5 byte value. Two sequential pictures don't get the same secret. The album also has a different secret. It seems you're right :) Cheers, Imri (One minor point though: you can't change the secret as you would a regular password, except by recreating an album, afaict). -- Imri Goldberg -------------------------------------- http://plnnr.com/ - automatic trip planning http://www.algorithm.co.il/blogs/ -------------------------------------- -- insert signature here ----
_______________________________________________ Fun and Misc security discussion for OT posts. https://linuxbox.org/cgi-bin/mailman/listinfo/funsec Note: funsec is a public and open mailing list.
