[funsec] Facebook Image Privacy

Dan Kaminsky dan at doxpara.com
Sun Jan 17 13:38:20 CST 2010


On Sun, Jan 17, 2010 at 8:16 PM, Imri Goldberg <lorgandon at gmail.com> wrote:

> On Sun, Jan 17, 2010 at 9:08 PM, Dan Kaminsky <dan at doxpara.com> wrote:
>
>> And a computer that isn't at the bottom of the Mariana Trench ain't
>> secure.
>>
>> Unguessable tokens have a long history of use in our field (CSRF tokens,
>> etc) and having one lock access to an image is relatively legitimate.  If
>> there was a way to guess the token, we'd say there was an issue.
>>
>
> I think the difference is how long you expect that token to be kept. The
> link given, afaict, is a permanent one, unlike csrf tokens or various change
> password tokens.
>
>
It's a password to a single asset, which is retrieved in its entirety.  If
you allow "omg, somebody could share the link" to be considered a security
hole, then I can see the stories now...

"OMG!  Save Picture!"
"OMG!  Print Screen!"
"OMG!  SOMEBODY COULD TAKE A PHOTO OF THEIR SCREEN!"

:)