zlacker

3 comments
1. partyc+(OP)[view] [source] 2018-09-29 02:27:52
The "View as" feature has been the source of many security vulnerabilities.

There was a time where you could read other people's chats using this feature.

replies(3): >>groest+Qi >>Wikipe+HM >>Raphae+lP
2. groest+Qi[view] [source] 2018-09-29 09:55:19
>>partyc+(OP)
When designing such a system, the immediate failure mode is obvious: at some point, someone will read data not meant for them.

As every feature on FB needs to take "View as" into account when handling their own permissions, a lot of developers on FB's payroll get a chance to f'up. We are all humans, so the probability of this happening is very high. The impact (for the users) is also high, given that it's automated and concerns every user on FB equally.

When dealing with a very probable, high impact risk in a software project, considerable additional effort is warranted to mitigate that risk: in this case maybe taint checking and additional implementations of the same feature in different programming paradigms, to ensure the system is fail-stop.

But in contrast to airlines and railways, the interests of FB and their users are not aligned. For Facebook, this risk is not (or was not deemed to be of) high impact, so we didn't get any of this.

3. Wikipe+HM[view] [source] 2018-09-29 16:56:27
>>partyc+(OP)
Any link to this type of vulnerability? Sounds like a juicy read.
4. Raphae+lP[view] [source] 2018-09-29 17:22:44
>>partyc+(OP)
It seems to warrant checking both the permissions of the true user and the view-as user. If either does not have permission, then the action should fail. Of course, lacking the middleware for this forces you to choose one or the other and hope you remember to check the remaining user in numerous pathways.
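The dual-principal check described in the comment above, and the "every feature has to remember it" problem raised in comment 2, as an added example that is not part of this thread and not Facebook's code: a Viewer carries both the authenticated actor and the optional "View as" subject, a single `can_see` requires both to pass the resource's rule, and an `authorize` decorator plays the middleware role so handlers cannot skip it. The `naive_can_see` function is the failure mode the thread describes (substituting the subject for the actor). The users, posts and chat are constructed sample data; all names and functions are hypothetical.

```python
"""Dual-principal authorization for a "View as" style feature.

Constructed example (not Facebook's code): a tiny in-memory social graph.
Every request runs as a Viewer carrying the authenticated `actor` and an
optional `subject` (the user whose perspective is being previewed).
`can_see` requires BOTH principals to pass the resource's rule;
`naive_can_see` substitutes the subject for the actor, which is the
failure mode the thread describes.
"""
from dataclasses import dataclass
from enum import Enum
from functools import wraps
from typing import Callable, Optional


class Visibility(Enum):
    PUBLIC = "public"
    FRIENDS = "friends"
    ONLY_ME = "only_me"


@dataclass(frozen=True)
class User:
    name: str
    friends: frozenset = frozenset()   # kept symmetric by construction below


@dataclass(frozen=True)
class Post:
    author: str
    visibility: Visibility
    text: str


@dataclass(frozen=True)
class Chat:
    participants: frozenset
    text: str


@dataclass(frozen=True)
class Viewer:
    actor: User                      # who is really logged in
    subject: Optional[User] = None   # "View as" target, if any


class PermissionDenied(Exception):
    pass


# Per-resource rules answer "may this single user see this resource?"
def post_rule(user: User, post: Post) -> bool:
    if user.name == post.author or post.visibility is Visibility.PUBLIC:
        return True
    return post.visibility is Visibility.FRIENDS and post.author in user.friends


def chat_rule(user: User, chat: Chat) -> bool:
    return user.name in chat.participants


def naive_can_see(viewer: Viewer, resource, rule: Callable) -> bool:
    """Bug pattern: the subject replaces the actor, so the actor inherits
    everything the subject is allowed to see."""
    return rule(viewer.subject or viewer.actor, resource)


def can_see(viewer: Viewer, resource, rule: Callable) -> bool:
    """Hardened: the actor must pass, and if a subject is set it must pass
    too. The intersection is exactly what a "View as" preview should show."""
    if not rule(viewer.actor, resource):
        return False
    return viewer.subject is None or rule(viewer.subject, resource)


def authorize(rule: Callable):
    """Middleware: a handler declares its rule once and cannot skip the dual
    check, instead of each code path having to remember both principals."""
    def decorator(handler):
        @wraps(handler)
        def wrapped(viewer: Viewer, resource):
            if not can_see(viewer, resource, rule):
                raise PermissionDenied(f"{viewer.actor.name} may not view this")
            return handler(viewer, resource)
        return wrapped
    return decorator


@authorize(post_rule)
def read_post(viewer: Viewer, post: Post) -> str:
    return post.text


@authorize(chat_rule)
def read_chat(viewer: Viewer, chat: Chat) -> str:
    return chat.text


# Constructed graph: alice<->bob and bob<->carol are friends; alice/carol are not.
ALICE = User("alice", frozenset({"bob"}))
BOB = User("bob", frozenset({"alice", "carol"}))
CAROL = User("carol", frozenset({"bob"}))
BOB_CAROL_CHAT = Chat(frozenset({"bob", "carol"}), "private chat")
CAROL_FRIENDS_POST = Post("carol", Visibility.FRIENDS, "carol's friends-only post")
ALICE_ONLY_ME_POST = Post("alice", Visibility.ONLY_ME, "alice's only-me post")


def demo() -> dict:
    """Alice previews her profile 'as bob'. Returns what each check allows."""
    alice_as_bob = Viewer(actor=ALICE, subject=BOB)
    return {
        # subject-only check leaks bob's chat and carol's post to alice
        "naive_chat": naive_can_see(alice_as_bob, BOB_CAROL_CHAT, chat_rule),
        "naive_carol_post": naive_can_see(alice_as_bob, CAROL_FRIENDS_POST, post_rule),
        # dual check denies both, while still hiding alice's only-me post from the preview
        "dual_chat": can_see(alice_as_bob, BOB_CAROL_CHAT, chat_rule),
        "dual_carol_post": can_see(alice_as_bob, CAROL_FRIENDS_POST, post_rule),
        "dual_only_me": can_see(alice_as_bob, ALICE_ONLY_ME_POST, post_rule),
        # without a subject, alice sees her own only-me post as usual
        "plain_only_me": can_see(Viewer(actor=ALICE), ALICE_ONLY_ME_POST, post_rule),
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:18} {'allowed' if allowed else 'denied'}")
```

The point of routing every handler through `authorize` is that the permission logic lives in one place: a new feature declares its single-user rule and gets the actor-and-subject intersection for free, rather than each of many code paths choosing which of the two users to check and hoping the other one was covered elsewhere.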