[funsec] Facebook Image Privacy
Imri Goldberg
lorgandon at gmail.com
Sun Jan 17 13:16:58 CST 2010
On Sun, Jan 17, 2010 at 9:08 PM, Dan Kaminsky <dan at doxpara.com> wrote:
> And a computer that isn't at the bottom of the Mariana Trench ain't secure.
>
> Unguessable tokens have a long history of use in our field (CSRF tokens,
> etc) and having one lock access to an image is relatively legitimate. If
> there was a way to guess the token, we'd say there was an issue.
>
I think the difference is how long you expect that token to be kept. The
link given, afaict, is a permanent one, unlike CSRF tokens or various
change-password tokens.
Cheers,
Imri
--
Imri Goldberg
--------------------------------------
http://plnnr.com/ - automatic trip planning
http://www.algorithm.co.il/blogs/
--------------------------------------
-- insert signature here ----