
Facebook blames Zuckerberg embarrassment on API 'bug'

25 points | taylorbuley | 15 years ago | networkworld.com

17 comments

mvandemar | 15 years ago
Firesheep, which allows people worldwide to steal other people's Facebook passwords over public wifi, comes out in October and they still don't redirect to https login by default. Zuckerberg's fan page gets hacked with a message pertaining to Facebook's investors and they close the loophole that allowed it to happen in 1 day. Of course.
tptacek | 15 years ago
It's not a "loophole"; it's a critical vulnerability in their API server. It doesn't just affect Zuckerberg.
citricsquid | 15 years ago
The https rollout you're referring to had nothing to do with the Zuckerberg hack; there were people testing it before the incident. It's a coincidence and has nothing to do with what happened with Zuckerberg's fan page. Do you really think he went to a coffee shop and logged into his fan page???
burgerbrain | 15 years ago
Firesheep doesn't steal passwords, it grabs cookies used for authentication. The distinction is important because with Firesheep, simply putting your login page on https isn't sufficient.

Stealing passwords is of course also trivial, but to do that you need to force a situation where the user has to actually log in again (see Moxie Marlinspike's sslstrip..., which will nail the majority of people even if the site normally does use https for everything. Really bloody effective.)
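The point burgerbrain makes above (an https login form protects the password, not the session) comes down to one browser rule: a cookie set without the Secure attribute is attached to plaintext http:// requests as well, so a passive listener on shared Wi-Fi can copy it and replay it without ever seeing a password. The script below is an added example, not code from the thread or from Facebook; the hostname, cookie names and browsing sequence are constructed, and it models only the cookie-scoping rule, not real packet capture.

```python
"""Added example: why an https login page alone does not stop
Firesheep-style session hijacking, and what the Secure cookie flag changes.

Models the browser rule that matters here: a cookie without Secure rides on
http:// and https:// requests alike, so it is visible on an open network even
though the password was only ever sent over TLS. All names are constructed.
"""

from http.cookies import SimpleCookie
from urllib.parse import urlparse


def parse_set_cookie(header):
    """Turn one Set-Cookie header into a dict with the attributes that matter."""
    jar = SimpleCookie()
    jar.load(header)
    ((name, morsel),) = jar.items()
    return {
        "name": name,
        "value": morsel.value,
        "secure": bool(morsel["secure"]),
        "httponly": bool(morsel["httponly"]),
    }


def cookies_sent_on(cookies, url):
    """Browser rule: a Secure cookie travels only over https://; any other
    cookie is attached to plaintext http:// requests too."""
    https = urlparse(url).scheme == "https"
    return {c["name"]: c["value"] for c in cookies if https or not c["secure"]}


def passive_sniffer(cookies, browsing):
    """What someone on the same open Wi-Fi sees: the Cookie headers of the
    plaintext requests only (TLS hides the rest). Returns what they can replay."""
    seen = {}
    for url in browsing:
        if urlparse(url).scheme == "http":
            seen.update(cookies_sent_on(cookies, url))
    return seen


# Constructed scenario: the login form is on https (password never in the
# clear), but the session cookie it sets lacks Secure and the rest of the
# site is served over plain http.
LOGIN_RESPONSE = "session=tok-9f3a2c; Path=/; HttpOnly"
BROWSING = [
    "https://example.invalid/login",       # password submitted here, encrypted
    "http://example.invalid/home",         # ordinary page views over plaintext
    "http://example.invalid/profile/me",
]


def firesheep_demo(set_cookie=LOGIN_RESPONSE):
    """Return the session cookies a passive sniffer captures, or {} if none."""
    return passive_sniffer([parse_set_cookie(set_cookie)], BROWSING)


if __name__ == "__main__":
    leaked = firesheep_demo()
    print("https login, cookie without Secure ->", leaked)   # {'session': 'tok-9f3a2c'}
    fixed = firesheep_demo("session=tok-9f3a2c; Path=/; Secure; HttpOnly")
    print("same cookie marked Secure           ->", fixed)    # {}
```

Marking the cookie Secure stops the leak in the model, but notice what it implies: the plaintext pages no longer receive the session cookie at all, so the site must be served over https everywhere or the user is simply logged out on every http page. That is also the opening sslstrip exploits, as the comment notes: a man in the middle who downgrades links to http sees no session cookie, the site presents a login form, and the password goes across in the clear. The browser-side counter to that downgrade is HTTP Strict Transport Security, which is outside what the thread discusses.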

veb | 15 years ago
Doesn't Facebook have a history of telling us one thing, but actually meaning something else?

Wonder what really happened? Must've been much more embarrassing for them to admit they had an "API Bug".

(I haven't heard of any other accounts being borked via API calls, and developers mess with these thousands of times a day; you're telling me nobody picked up on this...? Except the dude who did a harmless prank on Zuckerberg's page...)

tptacek | 15 years ago
To virtually everybody that pays attention to software security, "bug" and "vulnerability" are synonyms. To everybody that knows how computers work, "bug" is "admission of some degree of fault". This discussion tries to make a mountain out of a molehill.
indigoviolet | 15 years ago
A bandersnatch ate the anti-hacking chip we'd installed.
edge17 | 15 years ago
why is admitting to a bug in software embarrassing? suggesting software is bug-free is practically oxymoronic.
tybris | 15 years ago
We'll have to wait for The Social Network 2.
jdp23 | 15 years ago
Has Facebook or anybody else said anything about what the underlying bug was? Missing permission check, incorrect logic, problem in error condition ... ? Their security model is so complex that I'd expect the code to be a nightmare ... and they introduce functionality at such a fast pace
mjuhl24 | 15 years ago
"...an API "bug" that allowed unauthorized persons to post not only on his page but those of an undisclosed number of other users." [read: a lot of other users]
nbpoole | 15 years ago
That sentence was written by the author of the article: it doesn't appear to be based on what people actually said. The quote from Facebook is "A bug enabled status postings by unauthorized people on a handful of public pages. The bug has been fixed."

Of course, we have to keep in mind that Facebook has an incentive to downplay the severity and the author has an incentive to hype the severity; the truth is probably somewhere in the middle. There's no reason to believe that there was mass-abuse of this issue unless someone has evidence to the contrary. At the same time, Zuckerberg's wasn't the only high profile page to have a strange status posted on it recently.