WHAT YOU CAN DO:- View HTML page of any website (not internal facebook pages);
- GET requests;
WHAT YOU CAN’T DO:- Manage cookies;
- POST requests;
RESTRICTIONS:- You must be logged in; HISTORY:- 14/12/2011: First contact
- 15/12/2011: No evidence to be a security flaw
- 15/12/2011: Pratical usage examples
- 23/12/2011: No response, published (GMT +1).
- 23/12/2011 (1h after publishing): “We do not consider this a security flaw. Thanks for taking the time to look into this and please send us any additional concerns you encounter in the future.” Having a facebook account is not so bad if you can have a free and fast proxy!
The affected page is: developers.facebook.com/tools/debug/og/echo?q= “q” parameter must be a valid unescaped URL. Output page will show you the HTML code of the URL and guess what? Request will be made by facebook server, without report your original IP. Also “x-forwarded-for” is not used (thanks to white_sheep for this check) Read more: IHTeam Security Blog
QR:
- GET requests;
WHAT YOU CAN’T DO:- Manage cookies;
- POST requests;
RESTRICTIONS:- You must be logged in; HISTORY:- 14/12/2011: First contact
- 15/12/2011: No evidence to be a security flaw
- 15/12/2011: Pratical usage examples
- 23/12/2011: No response, published (GMT +1).
- 23/12/2011 (1h after publishing): “We do not consider this a security flaw. Thanks for taking the time to look into this and please send us any additional concerns you encounter in the future.” Having a facebook account is not so bad if you can have a free and fast proxy!
The affected page is: developers.facebook.com/tools/debug/og/echo?q= “q” parameter must be a valid unescaped URL. Output page will show you the HTML code of the URL and guess what? Request will be made by facebook server, without report your original IP. Also “x-forwarded-for” is not used (thanks to white_sheep for this check) Read more: IHTeam Security Blog
QR:
Posts
0 comments:
Post a Comment