Facebook. New Year’s Eve. Direct Object References. Pardon?

Somehow in the haze of leftover mince pies and champagne, I missed something which redoubtable Aussie Unix-god Alan Hargreaves just brought to my attention:

Alan: Going to write anything about the facebook privacy screw up on new years messaging? I was stunned that that code made it live. I might have expected it in the 90s, but today?

…and I can only say that I too find it rather odd that OWASP Top 10 vulnerability number 4 made it into the wild on the FB platform, although I can be quietly pleased that it was an Aber student wot found the bug.

And then there’s this, too? I see the pragmatic argument for sending people (say) password reset URLs via secure channels but that:

  • is basically OWASP Top 10 vulnerability number 3
  • is vulnerable to leakage via web-proxy logs if not over SSL – and even then I would be worried
  • would need to be mitigated by some kind of one-shot-use system, which would be grotesque
  • is still a no-no in my book

So, given the opportunity, I would have tried to avoid that, too.

Hmm.

One thought on “Facebook. New Year’s Eve. Direct Object References. Pardon?

Leave a Reply