Bugtraq mailing list archives

Facebook critical design flaw


From: jjshoe () gmail com
Date: Wed, 19 Jun 2013 14:45:38 GMT

On or around September 27, 2012 I disclosed to Facebook through https://www.facebook.com/whitehat/report/ a critical 
design flaw in how users share photos using a URI. Once a URI is known the only action the user can take to hide the 
contents of a photo album is to delete the album. This means if you ever have a breach, be it someone sitting in front 
of your computer, or getting your Facebook password, you must delete all your photo albums to keep the contents 
private. You can succumb to the fact that those photos are breached, and only place photos in new albums as well.

Please note the following:
1) I don't care about the bounty, I would just like to see this fixed. 
2) From initial disclosure to initial contact from Facebook took 13 days. Far longer than the same day fix for a 
previous issue I disclosed to Facebook.

Recommended fix: 

1) Provide the user a way to regenerate this URI with a link: "Expire this URI"
2) Provide (or force) it as an option when changing their password
3) When Facebook believes an account has been accessed by someone else (there's a dialog for this) provide (or force) 
an option to change this URI

Emails from Facebook about this:

--snip--
10/09/12

Hi Joel,

Ack - it appears the external response got dropped (we're investigating what happened there). Incredibly sorry about 
the delay. We're actively working on this now to confirm if this is intentional behavior.

Thanks,

Alex
Security
Facebook

--------

--snip--
10/10/12

Hey Joel,

As you expected, the investigation here indeed revealed that this was "intentional" in the sense that it has always 
operated this way. The URIs generated by this feature were designed to be public and permanent. Our Photos team is 
currently collecting additional data on the usage of this feature to determine next steps as there are a few different 
options available. For your reference, we're tracking this as a security enhancement rather than a high-pri bug, which 
means we're likely looking at a resolution time of a several weeks. I'll keep you updated as the team reaches a 
decision on next steps.

Thanks,

Alex
Security
Facebook
--------

--snip-- 
10/29/12

Hi Joel,

The Photos team has decided that an option to invalidate existing links is ideal experience here. An engineer will 
begin building out the functionality shortly. Will keep you updated as time estimates solidify.

Thanks,

Alex
Security
Facebook

--------

--snip--
06/14/2013

Hi,

No that was separate, we have an engineer working on this fix but it is part of a larger rewrite so it is taking longer.

Thanks,

Emrakul
Security
Facebook
--------


Current thread: