As someone who is nowhere near skilled enough to do any such things, I am so impressed with these types of posts, very interesting stuff. I can also appreciate that you directly reported these vulnerabilities to FB.
As the past of being white hacker shows, keep hacking but shut up! Because even if you tell the author you find a way to get into their system and you havent cause any damage, they sure will come after you in a legal way.
In example herein, not only time after time the author proves that there are serious holes in FB auth system, but is also very happy to blog about it. You see, FB is publicly traded company. The management answers to stockholders and the board. If some Joe Hacker keeps finding holes in the system, someone somewhere reading that blog may be thinking of abandoning the FB platform due to it security layer looking like a swiss cheese. And management doesnt like that, because less users == less eyeballs for $.
My gut tells me, if this guy did not get offer to work for Facebook just yet, it means they are building a lawsuit against him, as you perfectly know FB TOS forbids anyone from fiddling with any of their URLs.
At which point should people consider not using a technology which has been repeatedly exploited and start using something where security has been thought about from the start?
Because we all know that the article "How I hacked FB using OAuth a 3rd time"is coming...
For those who read the article, what caused this vulnerability? An input sanitization or a flaw of OAuth2 that other OAuth2 providers should be aware of?
I'd sure love to be told how this type of attack is any less worthy than buffer overflows, or similar attacks upon old school systems? This guy obviously understands where vulnerabilities can be found and is pretty good at exposing them.
[+] [-] sharkweek|13 years ago|reply
[+] [-] joering2|13 years ago|reply
As the past of being white hacker shows, keep hacking but shut up! Because even if you tell the author you find a way to get into their system and you havent cause any damage, they sure will come after you in a legal way.
In example herein, not only time after time the author proves that there are serious holes in FB auth system, but is also very happy to blog about it. You see, FB is publicly traded company. The management answers to stockholders and the board. If some Joe Hacker keeps finding holes in the system, someone somewhere reading that blog may be thinking of abandoning the FB platform due to it security layer looking like a swiss cheese. And management doesnt like that, because less users == less eyeballs for $.
My gut tells me, if this guy did not get offer to work for Facebook just yet, it means they are building a lawsuit against him, as you perfectly know FB TOS forbids anyone from fiddling with any of their URLs.
[+] [-] c-oreills|13 years ago|reply
[+] [-] erinm|13 years ago|reply
Are they doing it just for fun, as a hobby, and making so much money in their other jobs that they don't care?
[+] [-] cronin101|13 years ago|reply
[+] [-] martinced|13 years ago|reply
At which point should people consider not using a technology which has been repeatedly exploited and start using something where security has been thought about from the start?
Because we all know that the article "How I hacked FB using OAuth a 3rd time" is coming...
[+] [-] alpb|13 years ago|reply
[+] [-] qwertzlcoatl|13 years ago|reply
[+] [-] mrb|13 years ago|reply
[+] [-] MyNewAccount99|13 years ago|reply
[deleted]
[+] [-] grapjas|13 years ago|reply
[+] [-] jhspaybar|13 years ago|reply
[+] [-] MartinCron|13 years ago|reply
[+] [-] yuvadam|13 years ago|reply
Submitted 2 hours prior [1], why repost? Karma whoring? ;)
[1] - https://news.ycombinator.com/item?id=5367908
[+] [-] WillP|13 years ago|reply