zlacker

[return to "Facebook Network Breach Impacts Up to 50M Users"]
1. rajath+92[view] [source] 2018-09-28 17:03:05
>>colone+(OP)
> This attack exploited the complex interaction of multiple issues in our code. It stemmed from a change we made to our video uploading feature in July 2017, which impacted “View As.”

Obviously, Facebook is an extremely complicated system. But I find it hard to believe a video uploading feature would impact 'View As'.

◧◩
2. throwa+r3[view] [source] 2018-09-28 17:12:23
>>rajath+92
It's very easy for me to believe. "View As" is an authorization and authentication sensitive, limited user impersonation feature. Video uploading interacts with, and complicates, authorization in an application with fine grained privacy and permission models.

It's intuitively straightforward that modifying code for uploading videos could (read: not should) have authorization and authentication ramifications. One of those ramifications could then result in a vulnerability chain compromising user impersonation functionality.

I have seen far, far more incredulous head scratchers in penetration tests and code reviews. The interaction boundaries of, or middleware between, two seemingly unrelated systems is generally a good start to look for a security vulnerability.

[go to top]