Somehow in the haze of leftover mince pies and champagne, I missed something which redoubtable Aussie Unix-god Alan Hargreaves just brought to my attention:
Alan: Going to write anything about the Facebook privacy screw-up on New Year's messaging? I was stunned that that code made it live. I might have expected it in the 90s, but today?
…and I can only say that I too find it rather odd that OWASP Top 10 vulnerability number 4 made it into the wild on the FB platform, although I can be quietly pleased that it was an Aber student wot found the bug.
And then there’s this, too? I see the pragmatic argument for sending people (say) password reset URLs via secure channels but that:
- is basically OWASP Top 10 vulnerability number 3
- is vulnerable to leakage via web-proxy logs if not over SSL – and even then I would be worried
- would need to be mitigated by some kind of one-shot-use system, which would be grotesque
- is still a no-no in my book
So, given the opportunity, I would have tried to avoid that, too.
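For the record, here is the shape of the "one-shot-use system" I mean, as an added example (my own illustration, not code from Facebook or from anyone's reset flow): a reset token that is unguessable, kept only as a hash, bound to a user, short-lived, and consumed on first redemption, so a URL copied out of a proxy log is worthless once the legitimate click has happened. The class and function names are hypothetical.

```python
"""Single-use, expiring password-reset tokens (illustrative, hypothetical names)."""
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 15 * 60  # short lifetime bounds the window for a leaked URL


def _digest(token: str) -> str:
    # Only the hash is stored: a leaked token table cannot be turned into live links.
    return hashlib.sha256(token.encode()).hexdigest()


class ResetTokenStore:
    def __init__(self, ttl: int = TOKEN_TTL_SECONDS, now=time.time):
        self._ttl = ttl
        self._now = now      # injectable clock so expiry can be tested
        self._pending = {}   # digest -> (user_id, expires_at)

    def issue(self, user_id: str) -> str:
        """Return the secret to embed in the reset URL; only its digest is kept."""
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
        self._pending[_digest(token)] = (user_id, self._now() + self._ttl)
        return token

    def redeem(self, token: str):
        """Return the user_id if the token is valid, else None.

        The entry is removed on the first attempt whether or not it is still
        within its lifetime, so a replayed URL never works a second time.
        Looking up by digest is safe against timing probes: an attacker would
        need the 256-bit preimage to steer which digest is compared.
        """
        entry = self._pending.pop(_digest(token), None)
        if entry is None:
            return None
        user_id, expires_at = entry
        if self._now() > expires_at:
            return None   # expired: already consumed above, cannot be retried
        return user_id
```

Pair this with serving the reset page only over TLS and stripping the token from any Referer the page might send, and the log-leakage worry in the list shrinks to a fifteen-minute, one-click window.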