zlacker

[parent] [thread] 9 comments
1. gboudr+(OP)[view] [source] 2018-09-29 04:27:40
> The second bug was that this video uploader incorrectly used the single signon functionally, and it generated an access token that had the permissions of the Facebook mobile app. And that’s not the way the single sign-on functionality is intended to be used.

Is it just me or does this sound like an terrible idea in the first place? Guess we can't know for sure, but why would anything unrelated to authentication generate access tokens?

replies(1): >>rblatz+x1
2. rblatz+x1[view] [source] 2018-09-29 05:10:03
>>gboudr+(OP)
Technical debt, multiple systems using multiple old authentication routines getting slowly upgraded to new auth methods. And no one taking the time to fully understand the ramifications. And honestly it seems like that was the right choice for the teams responsible. They all made tons of money delivered features and now years later a bug is found.
replies(1): >>sizzle+G4
◧◩
3. sizzle+G4[view] [source] [discussion] 2018-09-29 06:23:49
>>rblatz+x1
Would you feel the same way if this vulnerability was for, say, a major banking website?
replies(3): >>fendy3+X4 >>marvin+Oc >>fintec+Wt
◧◩◪
4. fendy3+X4[view] [source] [discussion] 2018-09-29 06:31:06
>>sizzle+G4
Ha, major banking website won't do any improvement. Can't have enhancement vulnerability if there are no enhancement we smart.
◧◩◪
5. marvin+Oc[view] [source] [discussion] 2018-09-29 09:38:36
>>sizzle+G4
I work for a major (by Norwegian standards) bank. This level of authentication integration trickery wouldn't be attempted by us. Mainly because we try hard to avoid serious technical debt (due to timeline/delivery pressure) in our security infrastructure. We occasionally take such shortcuts in places that are not mission-critical, but they are always considered carefully as the tradeoff that they are. I believe that we are considerably better at technology development than most of the banks in the US.

That said, I've heard stories of similar bugs in the industry. The difference was that they were more shallow in the effort to reproduce; deep enough to get through QA but discovered quickly in production.

But honestly, Facebook has more resources to spend on security than any online bank. Banking security should be defense-in-depth: Strong first layer security, serious monitoring of suspicious activity & openness for reports by users, a certain level of manual approval of irrevocable transfers, a certain revocability of transfers that are able to be automatically processed, transfer size limits to deny one breach to have huge consequences.

And finally, a credible economic and legal system that ensures only a tiny minority of people want to rob a bank because there are much better options for making money, and banking regulations that leave the responsibility for security vulnerabilities squarely with the bank's shareholders.

Anyone can be owned with enough effort, so it's not just about creating software that's as secure as you can make it. You need to have sound policies as well.

replies(1): >>cbzoia+Ae
◧◩◪◨
6. cbzoia+Ae[view] [source] [discussion] 2018-09-29 10:15:51
>>marvin+Oc
Meanwhile I work for a major US IB. While I don't work on anything customer facing our internal SSO infrastructure basically consists of a single cookie that gets access to almost everything.. And its really not difficult to sniff one from another user (like say getting them to visit a link like http://mydesktop.companyname.com/..).

Its so bad that for certain systems we check the origin of your connection and will only trust you if you've come from the DMZ rather than internal.

replies(1): >>ramchi+jp
◧◩◪◨⬒
7. ramchi+jp[view] [source] [discussion] 2018-09-29 13:47:18
>>cbzoia+Ae
Is the cookie not associated to a specific IP? SSO systems would normally flag the mismatch if you try to connect to a website and pass an SSO cookie issued for a different IP, so sniffing cookies wouldn’t help all that much.
replies(1): >>thefou+cL
◧◩◪
8. fintec+Wt[view] [source] [discussion] 2018-09-29 14:35:05
>>sizzle+G4
You're vastly overrating the size of the vulnerability and the security of banks. This would not have been caught by internal security teams at most banks and even if it was caught, it wouldn't be considered a major vulnerability on a major banking website.

With that said, this is a bigger vulnerability precisely because Facebook is a free service - at banks, you need to be a customer with real-world identity to even begin to attempt to exploit this.

◧◩◪◨⬒⬓
9. thefou+cL[view] [source] [discussion] 2018-09-29 17:34:32
>>ramchi+jp
In the mobile space the IP address changes all the time, isn't it?
replies(1): >>ramchi+Wo1
◧◩◪◨⬒⬓⬔
10. ramchi+Wo1[view] [source] [discussion] 2018-09-30 02:13:18
>>thefou+cL
It's unlikely to change between the SSO login page and the application's login page, and it doesn't matter if it changes later on since the app can issue its own session cookie which isn't tied to an IP.
[go to top]