zlacker

1. IvyMik+(OP) 2018-09-28 17:19:31
So here is a question: my girlfriend only uses FB on her laptop, and always logs out when she's done. I usually make fun of her for doing this.

But does this mean most of the time that there was no active access token and she is mostly safe? (Excluding the windows of time where she was actively using FB) Do I have to take back all of my teasing?

replies(5): >>modele+P >>kidsno+Y >>dlubar+j1 >>olkid+i3 >>pks016+aZ
2. modele+P 2018-09-28 17:25:07
>>IvyMik+(OP)
I doubt it. The "View As" feature does not require the target to be currently logged in to Facebook AFAIK.
replies(1): >>IvyMik+65
3. kidsno+Y 2018-09-28 17:26:13
>>IvyMik+(OP)
Only if the act of logging out explicitly invalidates the token on the server side.
replies(1): >>dylan6+td
4. dlubar+j1 2018-09-28 17:29:01
>>IvyMik+(OP)
Possibly -- if the attacker accessed session IDs, they could potentially hijack the sessions of logged-in users. If you log out, most servers will destroy the session data on their backend, so there's no session that can be hijacked.
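The distinction this comment draws, that logging out only protects you if the server actually destroys the session, as an added example that is not part of the thread and not Facebook's design: a minimal in-memory session store (assumed structure) where logout deletes the server-side record, contrasted with a client-only logout that leaves a previously copied token usable, plus a revoke-all routine of the kind a "kill active sessions" fix would need.

```python
import secrets
import time


class SessionStore:
    """Server-side session store: a token is valid only while a record for it exists here."""

    def __init__(self):
        self._sessions = {}  # token -> {"user": ..., "issued": ...}

    def issue(self, user: str) -> str:
        # Fresh, unguessable token; the record is what makes it valid.
        token = secrets.token_urlsafe(32)
        self._sessions[token] = {"user": user, "issued": time.time()}
        return token

    def is_valid(self, token: str) -> bool:
        return token in self._sessions

    def logout(self, token: str) -> None:
        # Server-side invalidation: once the record is gone, any copy of the
        # token held elsewhere stops working too.
        self._sessions.pop(token, None)

    def revoke_all_for_user(self, user: str) -> int:
        # The "cancel all active sessions" style of fix: every token for the
        # user is dropped, so the user has to sign in again and get new ones.
        doomed = [t for t, s in self._sessions.items() if s["user"] == user]
        for t in doomed:
            del self._sessions[t]
        return len(doomed)


def client_only_logout(token: str) -> None:
    """Models a logout that merely clears the browser cookie: the server is
    never told, so the record (and any copied token) stays valid."""
    return None


def demo():
    store = SessionStore()
    tok = store.issue("alice")
    copied = tok  # constructed: a copy of the token captured earlier
    client_only_logout(tok)
    valid_after_client_logout = store.is_valid(copied)   # True
    store.logout(tok)
    valid_after_server_logout = store.is_valid(copied)   # False
    a, b = store.issue("alice"), store.issue("alice")
    revoked = store.revoke_all_for_user("alice")          # 2
    return valid_after_client_logout, valid_after_server_logout, revoked, store.is_valid(a)
```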
5. olkid+i3 2018-09-28 17:40:28
>>IvyMik+(OP)
Logging out when finished with an online service is good practice. You should do it too. (and don't make fun of her) :-)
6. IvyMik+65 2018-09-28 17:51:53
>>modele+P
This is an interesting point. Right now, I can't reconcile the "we canceled active sessions thus logging people out" as a fix with the fact that "View As" was the attack vector.
replies(2): >>rstupe+I7 >>leddt+Pc
7. rstupe+I7 2018-09-28 18:06:48
>>IvyMik+65
It's likely the fix required killing active sessions, which causes new keys to be generated on sign-in.
8. leddt+Pc 2018-09-28 18:42:51
>>IvyMik+65
I'm guessing they invalidated all access tokens for accounts that have been used as "View As" targets since the issue was introduced.

They also disabled "View As" which is the actual fix for the time being.

9. dylan6+td 2018-09-28 18:47:16
>>kidsno+Y
This is something I would suspect doesn't actually happen. FB wants to track all of the user's browsing habits, so maybe they just make the actual FB UI look logged out? Security-wise, it would seem to be more complicated by their desire to never let a user be logged out, and looks like it's complicated enough it is biting them in the backside. Oops?!
replies(1): >>dasil0+qM
10. dasil0+qM 2018-09-29 00:48:32
>>dylan6+td
It's not really that complicated: you have auth tokens and you have tracking tokens, and you wouldn't want to mix them anyway, because you also want to be able to correlate multiple accounts logged in from the same browser over time.
11. pks016+aZ 2018-09-29 05:45:30
>>IvyMik+(OP)
Me too. I always log in in incognito mode, check messages and notifications, and log out.