Comments on Egor Homakov: Two "WontFix" vulnerabilities in Facebook Connect
Blog author: homakov (https://www.blogger.com/profile/10492045246792330280). Comment feed last updated 2024-02-10. Eleven comments, newest first.

homakov, 2014-02-10 22:50 (-08:00):
> If the app (e.g. website) is approved at FB side, it is connected to a particular website account and, thus, FB account can no longer be linked to another website account

Ah, no, not necessarily. You can connect the account but not follow the redirects. So FB will grant access, but the client website won't know about this and will not attach it yet.

Anonymous, 2014-02-10 00:55 (-08:00):
That's what I assumed would happen; however, I don't see a way to pre-approve a connection at FB. I'm trying to reproduce this attack, but I can't. If the app (e.g. website) is approved at FB side, it is connected to a particular website account and, thus, the FB account can no longer be linked to another website account. Any hints?

homakov, 2014-02-09 22:52 (-08:00):
But the user is logged into the attacker's account, which has already pre-approved that connection.

Anonymous, 2014-02-09 11:48 (-08:00):
> Every website with "Connect your Facebook to main account to login faster" functionality is vulnerable to account hijacking as long as attacker can replace your identity on Facebook with his identity and connect their Facebook account to victim's account on the website just loading CLIENT/fb/connect URL.

OK, the attacker started this connection process and even forced the user to log into a controlled account. However, Facebook requires the user's confirmation of the access scope. How do you force the user to click the "Okay" button?

homakov, 2014-02-04 03:57 (-08:00):
I translated it: http://habrahabr.ru/post/211362/

homakov, 2014-02-03 18:54 (-08:00):
Facebook only, but the CSRF-login issue is pretty common among other providers. E.g. vk.com

Anonymous, 2014-02-03 10:25 (-08:00):
Is this Facebook-only, or other OAuth2 providers too?

Anonymous, 2014-01-29 16:18 (-08:00):
It would be nice to read this in Russian.

Anonymous, 2014-01-28 02:10 (-08:00):
It looks as though if you look close enough at ANY functionality of Facebook you can find a vulnerability. Just too many vulnerabilities.

Anonymous, 2014-01-27 18:16 (-08:00):
I'm not sure what is worse, this attitude Facebook "engineers" have or the beyond-shallow conversations with uninteresting friends. I'm sure of one thing: both will continue their demise. It's sadly blind arrogance on their part, which is the same thing that turned Friendster and Myspace into the social networks of yesteryear.

Anonymous, 2014-01-27 13:28 (-08:00):
Typical Facebook engineering. I don't see them being around much longer.
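The attack the thread is circling around is an account-linking CSRF: the attacker pre-approves the client app on his own Facebook account but never follows the redirect back (so nothing gets linked), then login-CSRFs the victim's browser into that Facebook account and makes it load the client's `/fb/connect` URL; because the app is already approved, no consent screen appears and the client links the attacker's Facebook identity to the victim's website account. The simulation below is an added example written for this page; it is not code from Homakov's post, from any commenter, or from Facebook. The `FakeProvider` class, the `Client` class and all identifiers in it are hypothetical stand-ins, and the "already approved means no consent dialog" behaviour is modelled only as far as the comments describe it. It contrasts a connect endpoint that is a bare GET with one that requires the session's CSRF token to start the flow and a session-bound `state` to finish it.

```python
"""Account-linking CSRF in an OAuth "connect" flow (added example, not the
original post's or Facebook's code). Provider side is a constructed stub."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass
class FakeProvider:
    """Constructed stand-in for the identity provider (Facebook)."""
    app_approved_for: Set[str]              # FB uids that already approved the app
    codes: Dict[str, str] = field(default_factory=dict)

    def authorize(self, browser_fb_uid: str, state: Optional[str]) -> Optional[dict]:
        """Simulate the OAuth dialog. If the browser's FB account already
        approved the app, no consent screen is shown and a code is issued
        immediately; otherwise the user would have to click "Okay" first."""
        if browser_fb_uid not in self.app_approved_for:
            return None                      # consent dialog blocks a silent flow
        code = secrets.token_hex(8)
        self.codes[code] = browser_fb_uid
        return {"code": code, "state": state}

    def exchange(self, code: str) -> str:
        """Simulate the code-for-token exchange; returns the FB uid."""
        return self.codes.pop(code)


@dataclass
class Session:
    user_id: str                             # website account the browser is logged into
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))
    oauth_state: Optional[str] = None


class Client:
    """Hypothetical client website with a "connect your Facebook" feature."""

    def __init__(self, provider: FakeProvider):
        self.provider = provider
        self.links: Dict[str, str] = {}      # website user_id -> FB uid

    # Vulnerable: CLIENT/fb/connect is a plain GET any page can trigger
    # (e.g. <img src="https://client/fb/connect">), and the callback links
    # whatever identity the provider hands back.
    def connect_vulnerable(self, session: Session, browser_fb_uid: str) -> bool:
        resp = self.provider.authorize(browser_fb_uid, state=None)
        if resp is None:
            return False
        self.links[session.user_id] = self.provider.exchange(resp["code"])
        return True

    # Hardened: starting the flow needs the session's CSRF token, and the
    # callback only accepts the state this session issued.
    def connect_start(self, session: Session, token: str) -> str:
        if not secrets.compare_digest(token, session.csrf_token):
            raise PermissionError("missing or invalid CSRF token")
        session.oauth_state = secrets.token_hex(16)
        return session.oauth_state

    def connect_callback(self, session: Session, code: str, state: Optional[str]) -> str:
        if session.oauth_state is None or not secrets.compare_digest(state or "", session.oauth_state):
            raise PermissionError("state mismatch")
        session.oauth_state = None           # one-shot
        fb_uid = self.provider.exchange(code)
        self.links[session.user_id] = fb_uid
        return fb_uid


def run_attack():
    """Attacker ('fb-attacker') pre-approved the app; victim's browser has been
    login-CSRFed into that FB account and then loads CLIENT/fb/connect."""
    victim = Session(user_id="victim")
    browser_fb_uid = "fb-attacker"
    vulnerable = Client(FakeProvider({"fb-attacker"}))
    vulnerable.connect_vulnerable(victim, browser_fb_uid)
    hijacked_link = vulnerable.links.get("victim")      # attacker's uid is linked
    hardened = Client(FakeProvider({"fb-attacker"}))
    try:
        hardened.connect_start(victim, token="")        # cross-site load has no token
        blocked = False
    except PermissionError:
        blocked = True
    return hijacked_link, blocked, hardened.links.get("victim")


def run_legit():
    """Same hardened client, genuine user flow with the CSRF token and state."""
    provider = FakeProvider({"fb-victim"})
    client = Client(provider)
    session = Session(user_id="victim")
    state = client.connect_start(session, session.csrf_token)
    resp = provider.authorize("fb-victim", state)
    return client.connect_callback(session, resp["code"], resp["state"])
```

`run_attack()` returns `("fb-attacker", True, None)`: the bare-GET client links the attacker's identity to the victim's account, while the hardened client refuses to even start the flow from a cross-site load. Note what the CSRF token fixes and the `state` does not: in this attack the victim's own browser runs the whole redirect chain, so `state` matches and only a token on the initiating request stops it; `state` is still needed against the classic variant where the attacker feeds his own `code` into the victim's callback. Requiring re-authentication before linking is the other common mitigation and is orthogonal to both.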