Comments on Egor Homakov: How we hacked Facebook with OAuth2 and Chrome bugs
Comment feed by homakov, last updated 2024-02-10

homakov, 2014-08-23 10:57:
OAuth is not just a framework, it is also the infrastructure around it. And yes, it's OAuth that is to blame, because their spec sucks. E.g. why whitelist redirect_uri and send it over in the URL at the same time? Poor protocol, with an even poorer implementation by its main provider - Facebook.

Anonymous, 2014-08-20 19:52:
Saying that oAuth 2 has huge security holes is a pretty big untrue statement. What you found was not an oAuth 2 hole, what you found was a poorly written application that allowed you to take control of it. Don't blame the protocol when the developer didn't follow its specs...

Anonymous, 2014-08-18 10:34:
What drives you to find out vulnerabilities and what makes you a genius in security?

Anonymous, 2013-03-15 09:24:
coool

homakov, 2013-02-22 12:26:
Study, study and study again.

Anonymous, 2013-02-22 09:53:
And what about those who don't know English at all?

homakov, 2013-02-21 06:25:
Yes, I could hijack the access token and post as if I'm any user who authorized the app.
Well, it would take a lot of time, and it's black hat.

homakov, 2013-02-21 06:24:
What's so hard about it? All the words are basic.
I got banned on Habr, that shop is closed.

Anonymous, 2013-02-21 03:46:
When is this exploit going to be installed in public urinals? It has a lot of promise.

Anonymous, 2013-02-21 01:19:
If I am reading this correctly, you could make posts as the app owner by hijacking the session? If so, you could have made hundreds of thousands off of this exploit. Totally not worth it for $2500. Unless I've read this wrong of course.

Anonymous, 2013-02-21 00:53:
Yes, I would also ask for it in Russian; it's really hard to read all this in English.

Anonymous, 2013-02-21 00:12:
How about describing it in Russian?

jam tangan casio, 2013-02-20 23:08:
Success, bro :)

Moh Royhan Nahado, 2013-02-20 22:06:
WOW great... that's a brilliant idea, GOOD JOB

Anonymous, 2013-02-20 20:42:
simply awesome

isciurus, 2013-02-20 16:22:
How to find a way to this black market?

homakov, 2013-02-20 15:05:
Hm. Didn't check actually.. does it leave document.referrer?

homakov, 2013-02-20 14:54:
The exploit is a combination of different bugs and only for Chrome, so I don't think they must have paid more.
It would cost much more on a black market though.

homakov, 2013-02-20 14:53:
Sorry dude, I don't explain in simple ways on my blog. It takes a lot of time.

Unknown, 2013-02-20 14:49:
I think the $2,500 bounty is pretty shitty for a company worth billions. You're doing weeks of intrusion analysis for mere pennies. It seems to me like they're 20 orders of magnitude off in that.

You're a nice guy.

Remy, 2013-02-20 14:26:
Can someone explain the article in a much simpler way?

Thrawn, 2013-02-20 14:09:
I'm guessing the XSS filter in the Firefox NoScript addon doesn't have this vulnerability?

Anonymous, 2013-02-20 14:05:
I think the problem is the sensitive, personal data that people tend to store on Facebook. Not the fact that there are vulnerabilities. If you need to network there are better bets than Facebook.

Anonymous, 2013-02-20 10:10:
Apparently you didn't bother to read the entire article.

Anonymous, 2013-02-20 09:54:
Facebook gives you at least $500 if you hack their site. Have they paid you?