ask.fp.o potential account hijacking with facebook oauth

Kevin Fenzi kevin at scrye.com
Thu Feb 13 18:42:15 UTC 2014


On Sun, 09 Feb 2014 21:52:38 +0200
Achilleas Pipinellis <axilleaspi at ymail.com> wrote:

> Hello there!
> 
> I bumped into a recent post that describes the way someone could get
> access to your account using facebook oauth. According to the
> vulnerability author:
> 
> > Every website with "Connect Facebook account and log in with it" is
> > vulnerable to account hijacking.
> 
> Source:
> http://homakov.blogspot.gr/2014/01/two-severe-wontfix-vulnerabilities-in.html
> 
> Facebook will not fix this anytime soon. Should we disable facebook
> login until this gets resolved?

So, we discussed this some, and it seems like a pretty complex
vulnerability. Additionally, ask isn't a particularly sensitive
application for us. 

So, we are just going to wait and see right now I think, and if it's
used against us, reevaluate. 

Thanks for bringing it up... I sure hope there's a fix at some point. 

kevin