zlacker

[return to "Facebook Network Breach Impacts Up to 50M Users"]
1. dom96+D[view] [source] 2018-09-28 16:52:12
>>colone+(OP)
Some more details here: https://newsroom.fb.com/news/2018/09/security-update/
2. sdwise+e1[view] [source] 2018-09-28 16:56:10
>>dom96+D
> But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted “View As”, a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts

oh boy, what a mess.

3. erichu+F1[view] [source] 2018-09-28 16:59:54
>>sdwise+e1
User impersonation code always terrifies the bajeebus out of me.
4. sp332+y3[view] [source] 2018-09-28 17:13:04
>>erichu+F1
You only get to see your own profile. It's a very useful tool to make sure you're not leaking data to people you'd rather not give it to.
5. chrisw+Q4[view] [source] 2018-09-28 17:22:07
>>sp332+y3
... until the mechanism turns out to have an exploit, as just happened here.
6. TeMPOr+y7[view] [source] 2018-09-28 17:38:51
>>chrisw+Q4
Could have been any other mechanism on the site.
7. iamdav+i8[view] [source] 2018-09-28 17:44:00
>>TeMPOr+y7
...but it wasn't. Which is the point, no?
8. jrockw+Fb[view] [source] 2018-09-28 18:02:32
>>iamdav+i8
I don't think that matters. "I hate travelling by air because the plane can crash" is a true statement for many people... but statistically, that's not the method of transportation that kills people.

The fact of the matter is... ACLs are hard to get right. It's even harder when you have various roles that can be checked against the ACL (logged in user, batch job, logged in user impersonating someone, etc.). But in the end, complexity is what's scary, not some feature that depends on complexity.

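The comment above points at why several request contexts (a logged-in user, a batch job, a user impersonating someone) make an ACL check hard to get right. As an added illustration, and not Facebook's code (the thread does not say how Facebook's own check was structured), here is a small Python authorization check that carries both the authenticated actor and the effective subject of a request. A naive variant decides everything on the effective identity alone; the hardened variant caps what an impersonation mode may ever do and decides ownership of anything that is not a read on the actor. The mode names, action names and account names are constructed for the example.

```python
from dataclasses import dataclass

# Actions a request may attempt (constructed names for this example).
VIEW_PROFILE = "profile:view"
EDIT_PROFILE = "profile:edit"
ISSUE_TOKEN = "token:issue"   # mint a bearer credential for an account

# What each request context may ever do.  "view_as" and "batch" are
# read-only on purpose: rendering as someone must never mint credentials
# or change state, whatever the effective identity could do on its own.
MODE_CAPS = {
    "self":    frozenset({VIEW_PROFILE, EDIT_PROFILE, ISSUE_TOKEN}),
    "view_as": frozenset({VIEW_PROFILE}),
    "batch":   frozenset({VIEW_PROFILE}),
}


@dataclass(frozen=True)
class Principal:
    actor: str     # the account that actually authenticated (or the job)
    subject: str   # the identity the request is rendering / acting as
    mode: str      # "self" | "view_as" | "batch"


def naive_is_allowed(p: Principal, action: str, target: str) -> bool:
    """The easy mistake: once the request has been 'switched' to the
    subject, everything is decided on that effective identity, so the
    impersonation context is invisible to the ownership check."""
    if action == VIEW_PROFILE:
        return True
    return target == p.subject


def is_allowed(p: Principal, action: str, target: str) -> bool:
    """Hardened check: the mode bounds the action set, and ownership for
    anything other than a read is decided on the authenticated actor."""
    impersonating = p.actor != p.subject
    # A request whose identity differs from its actor must be in an
    # impersonation mode, and an impersonation mode must actually switch.
    if impersonating != (p.mode in ("view_as", "batch")):
        return False
    if action not in MODE_CAPS.get(p.mode, frozenset()):
        return False
    if action == VIEW_PROFILE:
        # "View as" only lets you look at your *own* page as the subject
        # would see it; a batch reader may read any profile.
        return target == p.actor if p.mode == "view_as" else True
    # EDIT_PROFILE / ISSUE_TOKEN: only the actor's own account, never
    # the account being impersonated.
    return target == p.actor


def demo() -> dict:
    """Run the same requests through both checks (constructed accounts)."""
    alice_as_bob = Principal(actor="alice", subject="bob", mode="view_as")
    alice = Principal(actor="alice", subject="alice", mode="self")
    job = Principal(actor="nightly-job", subject="carol", mode="batch")
    return {
        "naive_view_own": naive_is_allowed(alice_as_bob, VIEW_PROFILE, "alice"),
        "naive_token_for_bob": naive_is_allowed(alice_as_bob, ISSUE_TOKEN, "bob"),
        "hardened_view_own": is_allowed(alice_as_bob, VIEW_PROFILE, "alice"),
        "hardened_view_other": is_allowed(alice_as_bob, VIEW_PROFILE, "bob"),
        "hardened_token_for_bob": is_allowed(alice_as_bob, ISSUE_TOKEN, "bob"),
        "hardened_token_self": is_allowed(alice, ISSUE_TOKEN, "alice"),
        "batch_read": is_allowed(job, VIEW_PROFILE, "carol"),
        "batch_token": is_allowed(job, ISSUE_TOKEN, "carol"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:24s} {'ALLOW' if verdict else 'DENY'}")
```

The naive check permits a credential to be issued for the impersonated account because, from its point of view, the subject is just "the user"; the hardened check denies it twice over, once because the mode has no such capability and once because the target is not the actor. Carrying the actor and the subject separately through every layer is what keeps those two reasons available to the check.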