Document Title:
===
Facebook Bug Bounty #12 - Client Side Exception Web Vulnerability
References (Source):
http://www.vulnerability-lab.com/get_content.php?id=1190
Facebook Security ID: 186072579
Release Date:
=
2014-02-07
Vulnerability
Facebook Vulnerability Discloses Friends Lists Defined as Private
=
Researchers from the Quotium Seeker Research Center identified a security flaw
in Facebook privacy controls. The vulnerability allows attackers to see the
friends list of any user
Answer to your queries:
Yes, you are correct: it works on an account which has been accessed once from that
IP.
If you are using multiple PCs, then it works on any of those machines.
You need to click 'No longer have access to this' (3rd image). Apologies for
that.
Works like a charm in cyber
It does not work for all accounts. For example FB will ask me for the
security question, all I can do is enter it or abort the recovery
process (no option to skip it).
On 2013-08-06 20:12, Bhavesh Naik wrote:
Answer to your queries:
Yes, you are correct: it works on an account which has been
Blog post link :
http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
Affected application: facebook.com
Impact: Access to friends list, by bypassing the privacy settings
Author: Bhavesh Naik
It was JULY 17, 2013 when I discovered this little loophole
Nice finding, but how do you know the victim's email address?
On 2013-08-06 05:41, Bhavesh Naik wrote:
Blog post link :
http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
Affected application: facebook.com
Impact: Access to
You don't need to know it. [vanityname]@facebook.com should work just fine.
For example, if my Facebook URL were:
http://facebook.com/adampapsynet
Then you'd be able to reference that account using adampapsy...@facebook.com.
That was the biggest shocker to me, when they started auto-creating
Same here, it seems to differ
a) if phone is registered to facebook (maybe they send a code to it)
b) if gmail is available
My testaccount said it cannot recover my data. Another account went to
the new email window, but had no option to choose the friends way.
But the
On Tue, 06 Aug 2013 16:51:39 +0200, Alex said:
Nice finding, but how do you know the victim's email address?
If you can't figure out how to social-engineer that information,
you probably need to be in some other business. ;)
I never saw the message from David Mah, but he's correct about the IP
thing. If X account has ever logged in from your IP, you can use things
like the phone number to recover the account. But for obvious reasons, the
phone number typically doesn't seem to work otherwise, so this supports the
Noting that I tried it myself just now and had different results, and I'm not
sure if this is exploitable as easily as it originally seemed to be.
At his third image, the one that gives the three options 'google account',
'email', or 'smartphone', I clicked Continue. Instead of the page that he
#Title: Facebook Url Redirection Vulnerability
#Discovery Date: 10/July/2013
#Author: Cansın Yıldırım
#Twitter: @YildirimCansin
#Website: www.cansinyildirim.com
I checked your video and found out, that this mailinglist is also
vulnerable. Check this out:
http://www.google.de/
If a user clicks on this link, he will be brought to the malicious site.
On 2013-07-11 13:18, CANSIN YILDIRIM wrote:
WTF??? !!!
From: Alex
Sent: Thursday, July 11, 2013 4:33 PM
To: full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Facebook Url Redirection Vuln.
I checked your video and found out, that this mailinglist is also vulnerable.
Check this out:
http://www.google.de/
If a user
Worth reading:
http://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html
https://www.facebook.com/notes/facebook-security/important-message-from-facebooks-white-hat-program/10151437074840766
Description:
[#] Title : Facebook Open URL Redirection Vulnerability 2013
[#] Status: Unfixed
[#] Severity : High
[#] Works on : Any browser with any version
[#] Homepage : www.facebook.com
[#] Author : Arul Kumar.V
[#] Email : arul.xtro...@gmail.com
I
Title:
==
Facebook Mobile Bug Bounty #7 - Redirect Vulnerability
Date:
=
2013-06-15
References:
===
http://www.vulnerability-lab.com/get_content.php?id=975
Facebook Security ID: 159243257
VL-ID:
=
975
Common Vulnerability Scoring System:
Title:
==
Facebook NYClubs - Multiple Web Vulnerabilities
Date:
=
2012-02-17
References:
===
http://www.vulnerability-lab.com/get_content.php?id=440
VL-ID:
=
440
Introduction:
=
The application is currently included and viewable by all facebook users.
The
Title:
==
Facebook Game Store - SQL Injection Vulnerability
Date:
=
2012-02-04
References:
===
http://www.vulnerability-lab.com/get_content.php?id=408
VL-ID:
=
408
Introduction:
=
The application is currently included and viewable by all facebook users.
The
Appears legit.
https://www.facebook.com/help/?faq=292760454081612
-Sebastian
On Fri, Jan 20, 2012 at 1:29 PM, Gage Bystrom themadichi...@gmail.com wrote:
Yeah good luck with reproducing it cause it REALLY sounds like a mitm or a
phishing attack trying to get people to download fake av. I
agreed. That's one of the reasons why I've permanently closed my FB account
some time ago ...
- -Nik
On 01/20/2012 05:26 AM, maxigas wrote:
From: Wesley Kerfoot wja...@gmail.com
Subject: [Full-disclosure] Facebook seems to think my Arch Linux box
On Thu, Jan 19, 2012 at 7:13 PM, Wesley Kerfoot wja...@gmail.com wrote:
So there I was, innocently posting ... on ... facebook
hey, there's your problem!
friends don't let friends friend whore themselves. friend.
___
Full-Disclosure - We believe in
could you post the link pls? wanna re-produce that...
On 01/20/12 04:13, Wesley Kerfoot wrote:
So there I was, innocently posting anti-SOPA links on my wall. I close
my facebook tab temporarily, open a new one a few minutes later, and I’m
logged out of my account.
“Well that’s odd” I think.
From: Wesley Kerfoot wja...@gmail.com
Subject: [Full-disclosure] Facebook seems to think my Arch Linux box has
malware on it
Date: Thu, 19 Jan 2012 22:13:06 -0500
The message here for Facebook is that they shouldn’t implement systems that
they can’t support when they fail.
Here the message
It turns out that it was a problem with firefox. However, I do not believe
I had any malicious addons or extensions for a few reasons. 1) I only had 4
extensions, adblock plus, pentadactyl, firebug, and noscript.
2) They were all vetted (presumably) by Mozilla.
I believe, and this is simply
Yeah good luck with reproducing it cause it REALLY sounds like a mitm or a
phishing attack trying to get people to download fake av. I would do a dns
lookup and then compare those results to that of a public web service, and
save the links for the AVs to check if they have any malicious history
You, use, too, many, commas, like, Jim, Kirk, A.
But yes, I say THEY are malware :P
You'd be forgiven for thinking I'm talking about FB but FB have /no/ /way/
to /know/ you have or have not got malware.
Especially on your excellent Arch.
Sounds about time you did some DNS- / extension- /
+1
On 21 January 2012 08:29, Gage Bystrom themadichi...@gmail.com wrote:
Yeah good luck with reproducing it cause it REALLY sounds like a mitm or a
phishing attack trying to get people to download fake av. I would do a dns
lookup and then compare those results to that of a public web
...@lists.grok.org.uk
Date: Fri, 20 Jan 2012 13:29:01
To: Wesley Kerfoot wja...@gmail.com; full-disclosure@lists.grok.org.uk
Subject: Re: [Full-disclosure] Facebook seems to think my Arch Linux box has
malware on it
___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com
http://www.pastebay.net/298878 /// owned
here... sheesh i wonder what could it be :s
darn, we were all wrong, and, you're right.. it's FB.!
omfg man this means, EOF , end of world, no FB, the net would
collapse, well, the USA military would but still!
As for mentioning 9/11 , on a damn mailing
So there I was, innocently posting anti-SOPA links on my wall. I close my
facebook tab temporarily, open a new one a few minutes later, and I’m
logged out of my account.
“Well that’s odd” I think. So I log back in.
“Your computer has malware!” Facebook says to me. They tell me that my
computer
Hello,
“Your computer has malware!” Facebook says to me.
I am really curious to know, assuming that everything you've said is
accurate, how they determine you've got malware. This is rather curious.
The more I think about it, the more I wonder if something's come between
you and facebook
+1
this was the first and biggest hack ever done on myspace, which simply,
pretended you needed the 'java flash' plugin, to view the 'wall' of
your friend..now, they killed it but by then, it was suicide...and,
they had no idea for many months... this, is known, and also that FB
has added new
anyone else notice the apps.facebook.com/whatever tend to be prone to SQL
vulns? i.e.,
https://apps.facebook.com/worldwide_dev/ while not logged in, and
https://apps.facebook.com/worldwide_dev/%00
Due to them being apps, facebook I believe is not responsible for any
security issues, but in this
uh..wtf?
On Jan 2, 2012 12:46 PM, syka...@astalavista.com wrote:
Ladies and gentleman, I will be unplugged from my email until the 17th of
January.
In the mean time here's a video of a bunny opening your mail
http://www.youtube.com/watch?v=LMyaRmTwdKs
Your mail will not be forwarded and I
Yeah, just mark those as spam. People with auto reply when they are on a
mailing list are dumb.
And yeah FB has no responsibility over apps. Generally any SQLi or whatnot
is going to the app owner's site, not FB so why should they care?
On Jan 2, 2012 12:48 PM, t0hitsugu tohits...@gmail.com
On Mon, Jan 2, 2012 at 4:43 PM, Gage Bystrom themadichi...@gmail.com wrote:
Yeah, just mark those as spam. People with auto reply when they are on a
mailing list are dumb.
And yeah FB has no responsibility over apps. Generally any SQLi or whatnot
is going to the app owner's site, not FB so
On Mon, 02 Jan 2012 12:47:37 PST, t0hitsugu said:
uh..wtf?
On Jan 2, 2012 12:46 PM, syka...@astalavista.com wrote:
Ladies and gentleman, I will be unplugged from my email until the 17th of
January.
That should read: Ladies and gentlemen, my email address will be available for
social
Yup...
jc@egg:~$ dig TXT astalavista.com
; DiG 9.6-ESV-R4-P3 TXT astalavista.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6237
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;astalavista.com.
I'm more confused as to why he replied when I had messaged this board
regarding facebook and sql errors, not him or anything to do with
astalavista...
On Jan 2, 2012 2:58 PM, James Condron ja...@zero-internet.org.uk wrote:
Yup...
jc@egg:~$ dig TXT astalavista.com
; DiG 9.6-ESV-R4-P3 TXT
On Mon, 02 Jan 2012 18:39:56 PST, t0hitsugu said:
I'm more confused as to why he replied when I had messaged this board
Because he has a stupid autoresponder that blabs out to the From: address
without bothering to figure out if it's actually addressed to him personally,
or if it's traffic to a
On Tuesday 03 Jan 2012, valdis.kletni...@vt.edu wrote:
On Mon, 02 Jan 2012 18:39:56 PST, t0hitsugu said:
I'm more confused as to why he replied when I had messaged this
board
Because he has a stupid autoresponder that blabs out to the From:
address without bothering to figure out if it's
On Tue, 03 Jan 2012 10:37:24 +0530, Raj Mathur (राज माथुर) said:
5) Check for the Precedence: Bulk or Precedence: List header.
Perfectly correct, I was trying to remember which one I forgot, and missed that
one. And so did the guy's
Affected Application: Facebook.com
Exploit Platform: Remote
Impact: Full Access to Facebook profile
Severity: High
Author: Anand Pandey
Email: anandkpandey1 (at) gmail (dot) com
Video: http://www.youtube.com/watch?v=9CtxQxyEf40
The main thing is that the security division at facebook probably runs
the bug hunting page (as with everywhere else, which does make a decent
bit of sense). And, if you spot bugs before they do, then that looks
bad on them (internally at the company and externally to the world).
So, it is
nice speculation, but imo it would make them look worse, if they turn
down the reports, because it will come back to them (either via the
publication like in this case, or just simply someone exploiting it).
so while I don't have personal experience working with the facebook
security team, but
From: Charles Morris cmor...@cs.odu.edu
Subject: Re: [Full-disclosure] Facebook Attach EXE Vulnerability
To: Nathan Power n...@securitypentest.com
Cc: Full Disclosure full-disclosure@lists.grok.org.uk
Message-ID:
CABgawuYGTu1=eg2nesd9g_n_aapwe1myqzrznc0tdz5sqsb...@mail.gmail.com
Content-Type
Yes to a certain degree it's all about saving face... however FB's
30-member integrity team is only bothered about how to manage the vectors
that have been primed to protect.
FB is the largest network protected .. (YES big word Protected !! / they
have over 25B checks per day and reaching up to
On Tue, 01 Nov 2011 14:00:42 BST, Ferenc Kovacs said:
nice speculation, but imo it would make them look worse, if they turn
down the reports, because it will come back to them (either via the
publication like in this case, or just simply someone exploiting it).
So exactly how big a hit did
Hey great read,
very true, there is way too little money in this area, but that's
what i am hoping to change, albeit pinch per punch and company by
company, slowly if more people turn to some ideals that you must
at least know how to make the exploit and then how to debug it enough,
then to
I sort of have to agree with this, as I earlier stated, FB somehow
seems to affect even those who don't use it (like me), but all my
family, and their friends and their friends, as i know, nearly
everyone i know uses it but me!
I guess this is why I am a bit peeved at their offer of 500bux for a
March 8 is the 67th day of the year (68th in leap years) in the
Gregorian calendar. There are 298 days remaining until the end of the
year.
I doubt thats what you mean but eh ;)
On 2 November 2011 02:58, valdis.kletni...@vt.edu wrote:
On Tue, 01 Nov 2011 14:00:42 BST, Ferenc Kovacs said:
Sounds great thx :)
Is maybe a bit of this chatter which aids them to see how important it
is to link to the community who find 99.9% of bugs i am glad to
see *any* expansions within any corporation, it means they are at least
listening to those who know better maybe than they do... but they're
Last week Facebook announced that in one day 600,000 accounts possibly get
hacked. Another possible solution for Facebook to combat security issues is
to find 3 to 5 *Trusted friends*. Facebook will be adding two new
security features that will allow users to regain control of their account
if it
Nathan, It IS an issue, don't let their foolishness harsh your mellow.
Although it's a completely ridiculous, backwards, and
standards-relaxing security mechanism,
the fact is they implemented it, and you subverted it.
In my book that's Pentester 1 :: Fail Vendor 0
I've had large vendors
Oh hey, 3k is great!
I saw that they just made it look a bit cheap... no wrath but, it is
still a MULTI billion now, dollar company, so they should be trying
to make SURE they can outbid ANY underground payers.. that's all i had
to question.
thanks for clearing it up, but sure, if they're paying
On Sat, Oct 29, 2011 at 2:33 PM, xD 0x41 sec...@gmail.com wrote:
Bounty, another nice way to say *screw you but here anyhow...*
I am shocked they offer so little ($500 USD for remote-code injection),
Actually, it's $500 _or more_. I've lost the reference, but I think
they paid about $3000 for
That was the original program I was participating in. Facebook has agreed
to pay me a bounty for this bug.
Nathan Power
www.securitypentest.com
On Fri, Oct 28, 2011 at 7:17 PM, Ulises2k ulise...@gmail.com wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
On Fri, Oct
Bounty, another nice way to say *screw you but here anyhow...*
I am shocked they offer so little ($500 USD for remote-code injection),
one remote code injection bug for FB in a security environment which is
not white, and may sell the bug for up to more than 5000, because if a
RCE or other was
Is this for real? If so, this is a huge scandal imho. Such a simple error
for a Facebook developer to make.
On 27 Oct 2011 13:53, Nathan Power n...@securitypentest.com wrote:
1. Summary:
When using the Facebook
Nice one Nathan :)
On Thu, Oct 27, 2011 at 9:33 PM, Dan Ballance tzewang.do...@gmail.com wrote:
Is this for real? If so, this is a huge scandal imho. Such a simple error
for a Facebook developer to make.
On 27 Oct 2011 13:53, Nathan Power n...@securitypentest.com wrote:
Not fixed yet. At least not yesterday when I checked.
Nathan, didn't Facebook ask for some time to fix this bug after they have
acknowledged it?
Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes
On 27/10/2011, at 19:29, Joshua Thomas rappercra...@gmail.com wrote:
can't believe
Not fixed yet. I checked today.
On Fri, Oct 28, 2011 at 1:18 PM, Pablo Ximenes pa...@ximen.es wrote:
Not fixed yet. At least not yesterday when I checked.
Nathan, didn't Facebook ask for some time to fix this bug after they have
acknowledged it?
Pablo Ximenes
I don't think that he waited for the vendor to confirm the fix in production and I
don't see a reason that he needs to wait. If FB did not ask him to refrain
from disclosure.. why should he?
09/30/2011 Reported Vulnerability to the Vendor
10/26/2011 Vendor Acknowledged Vulnerability
10/27/2011 Publicly
Agreed. What I'm asking is whether Facebook did ask him to wait. Did it? If
it did it's a whole different ball game.
Pablo Ximenes
http://ximen.es/
http://twitter.com/pabloximenes
On 28/10/2011, at 13:01, Peter Dawson slash...@gmail.com wrote:
I don't think that he waited for the vendor to
oh ok.. I see your point.. if they did tell him to wait and he failed their NDA..
then it's an issue
/pd
On Fri, Oct 28, 2011 at 12:04 PM, Pablo Ximenes pa...@ximen.es wrote:
Agreed. What I'm asking is whether Facebook did ask him to wait. Did it?
If it did it's a whole different ball game.
seems they use string.endwith to decide if it is exe
--
Sorry, I can't explain in detail right now. This email was sent from an Android mobile device with K-9 Mail installed.
Vipul Agarwal vi...@nuttygeeks.com wrote:
Nice one Nathan :)
On Thu, Oct 27, 2011 at 9:33 PM, Dan Ballance tzewang.do...@gmail.com wrote:
Is this for real? If so, this is a huge scandal imho.
I see. I have seen this kinda behavior from vendors too often. I suppose the
reason for this is the flood of false positives. I think they need a better
way to sift the wheat from the chaff.
Congrats for your work!
2011/10/28 Nathan Power n...@securitypentest.com
I was basically told that
I think they need a better way to sift the wheat from the chaff.
Numbers can be magic and eight bytes is enough of a taste to tell honey from
vinegar.
Nice find
Dave
On 28/10/2011 18:56, Pablo Ximenes wrote:
I see. I have seen this kinda
I was basically told that Facebook didn't see it as an issue and I was
puzzled by that. Ends up the Facebook security team had issues reproducing
my work and that's why they initially discarded it. After publishing, the
Facebook security team re-examined the issue and by working with me they
seem
I would also like to note this vulnerability was reported responsibly in
regards to full disclosure.
http://en.wikipedia.org/wiki/Full_disclosure
Nathan Power
www.securitypentest.com
On Fri, Oct 28, 2011 at 1:38 PM, Nathan Power n...@securitypentest.com wrote:
I was basically told that
You know this? ;)
https://www.facebook.com/whitehat/bounty/
On Fri, Oct 28, 2011 at 17:49, Nathan Power n...@securitypentest.com wrote:
I would also like to note this vulnerability was reported responsibly in
regards to full disclosure.
http://en.wikipedia.org/wiki/Full_disclosure
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
On Fri, Oct 28, 2011 at 17:49, Nathan Power n...@securitypentest.com wrote:
I would also like to note this vulnerability was reported responsibly in
regards to full disclosure.
On Fri, 28 Oct 2011 20:44:04 CDT, Laurelai said:
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
Facebook has a habit of ignoring issues
So? That's their problem, not yours.
The moral thing to do is to work with them on a responsible
On 10/28/2011 10:03 PM, valdis.kletni...@vt.edu wrote:
On Fri, 28 Oct 2011 20:44:04 CDT, Laurelai said:
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
Facebook has a habit of ignoring issues
So? That's their problem, not yours.
The moral
On Fri, Oct 28, 2011 at 11:15 PM, Laurelai laure...@oneechan.org wrote:
On 10/28/2011 10:03 PM, valdis.kletni...@vt.edu wrote:
On Fri, 28 Oct 2011 20:44:04 CDT, Laurelai said:
On 10/28/2011 6:17 PM, Ulises2k wrote:
You know this? ;)
https://www.facebook.com/whitehat/bounty/
Facebook has a
1. Summary:
When using the Facebook 'Messages' tab, there is a feature to attach a
file.
Using this feature normally, the site won't allow a user to attach an
executable file.
A bug was discovered to subvert this
can't believe such was on FB wahahaha !!! lol rofl ...
When was this discovered and fixed ?
On Thu, Oct 27, 2011 at 1:02 AM, Nathan Power n...@securitypentest.com wrote:
1. Summary:
When using the
On 10/8/2011 8:45 PM, Antony widmal wrote:
Shit man, that's serious business
(S-K trying to take over FD)
Of course it's not your code dickwad. All ya know is talking posting
shit on an IT Sec mailing list.
On Sat, Oct 8, 2011 at 7:53 PM, Laurelai
On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:
You sir, are an idiot.
s/an/a/ - FTFY.
On 10/9/2011 12:04 PM, valdis.kletni...@vt.edu wrote:
On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:
You sir, are an idiot.
s/an/a/ - FTFY.
A goes before words that begin with consonants.
An goes before words that begin with vowels.
The
On Sun, 09 Oct 2011 13:38:41 CDT, Laurelai said:
On 10/9/2011 12:04 PM, valdis.kletni...@vt.edu wrote:
On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:
You sir, are an idiot.
s/an/a/ - FTFY.
A goes before words that begin with consonants.
An goes before words that begin with
On 10/9/2011 2:18 PM, valdis.kletni...@vt.edu wrote:
On Sun, 09 Oct 2011 13:38:41 CDT, Laurelai said:
On 10/9/2011 12:04 PM, valdis.kletni...@vt.edu wrote:
On Sun, 09 Oct 2011 08:52:46 PDT, Laurelai said:
You sir, are an idiot.
s/an/a/ - FTFY.
Shit man, that's serious business
(S-K trying to take over FD)
Of course it's not your code dickwad. All ya know is talking posting shit
on an IT Sec mailing list.
On Sat, Oct 8, 2011 at 7:53 PM, Laurelai laure...@oneechan.org wrote:
Blackhatacademy has asked me to
Blackhatacademy has asked me to post this to the mailing list as I'm one
of the instructors there. I did not personally develop the exploit;
please direct questions regarding it to hatter on irc.blackhatacademy.org
Overview
Over the years, facebook has been vulnerable to numerous web
Title:
==
Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability
Date:
=
2011-09-29
References:
===
http://www.vulnerability-lab.com/get_content.php?id=272
VL-ID:
=
272
Introduction:
=
The application is currently included and viewable by
2011-00-00: Vendor Fix/Patch
On Thu, Sep 29, 2011 at 11:34 AM, resea...@vulnerability-lab.com
resea...@vulnerability-lab.com wrote:
Title:
==
Facebook North Scottsdale Inventory - Remote SQL Injection Vulnerability
Date:
=
2011-09-29
References:
===
https://www.facebook.com/connect/connect_to_node_error.php?body=VULNERABLE
:(
Turns out not so much :P
https://www.facebook.com/connect/connect_to_node_error.php?body=%3Cscript%3Ealert%28String.fromCharCode%2888,%2083,%2083%29%29%3C/script%3E
Sure maybe there is a way to bypass the filter but good luck.
Probably be a good idea to include a better PoC next time.
Well, this has been there for quite a long time.
Another variation (which can control the title content too, making it more
believable) :
https://www.facebook.com/connect/connect_to_node_error.php?title=Really%3Fbody=Hello%20World
!
But yes, AFAIK, html tags cannot be injected. Although, a
+1.
General rule of thumb (which has served me well), is that the govt +
company who holds your info, can do whatever they want. Laws are bent and
broken every single day by these people in charge. Sucks, I know, but that's
the world we live in, I'm afraid ;/
On Wed, May 4, 2011 at 1:46 PM,
Amish not being in the regular databases cause they don't use
technology (i.e., like Facebook, or any of the other databases mentioned
previously). A better way to word It wouldn't just be a selective
subset but pretty much who, where,
when and probably why without too many non-Amish exceptions.
On Wed, May 4, 2011 at 8:55 AM, Cal Leeming c...@foxwhisper.co.uk wrote:
+1.
General rule of thumb (which has served me well), is that the govt +
company who holds your info, can do whatever they want. Laws are bent and
broken every single day by these people in charge. Sucks, I know, but
found this
Facebook Law Enforcement Guidelines
http://exit.gulli.com/url/http://info.publicintelligence.net/Facebook2010.pdf
On 04.05.11 01:30, Ivan . wrote:
it's the law, specifically CALEA
http://en.wikipedia.org/wiki/Communications_Assistance_for_Law_Enforcement_Act
On Wed, May 4, 2011