Dropsafe

by Alec Muffett

Facebook. New Year’s Eve. Direct Object References. Pardon?

Somehow in the haze of leftover mince pies and champagne, I missed something which redoubtable Aussie Unix-god Alan Hargreaves just brought to my attention:

Alan: Going to write anything about the facebook privacy screw up on new years messaging? I was stunned that that code made it live. I might have expected it in the 90s, but today?

…and I can only say that I too find it rather odd that OWASP Top 10 vulnerability number 4 made it into the wild on the FB platform, although I can be quietly pleased that it was an Aber student wot found the bug.

And then there’s this, too? I see the pragmatic argument for sending people (say) password reset URLs via secure channels but that:

  • is basically OWASP Top 10 vulnerability number 3
  • is vulnerable to leakage via web-proxy logs if not over SSL – and even then I would be worried
  • would need to be mitigated by some kind of one-shot-use system, which would be grotesque
  • is still a no-no in my book

So, given the opportunity, I would have tried to avoid that, too.

Hmm.

Comments

One response to “Facebook. New Year’s Eve. Direct Object References. Pardon?”

  1. katzmandu

    Alec, here are some sources on facebook code review and developer initiation:
    http://framethink.wordpress.com/2011/01/17/how-facebook-ships-code/

    Notes from bootcamp by my cousin:
    https://www.facebook.com/notes/facebook-engineering/bootcamp-growing-culture-at-facebook/249415563919

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *

More posts