You have the well known email addresses of RFC 2142 - secure@,
security@, hostmaster@, webmaster@, etc.
Their WHOIS record shows domainad...@cbsig.net for registration,
administration and technical contacts.
On Tue, Apr 1, 2014 at 1:16 PM, wrote:
> Does anyone have contacts or email addresses f
Hello everyone. I know I just started the new Full Disclosure list, but
it's not working out :(. Everything may seem fine from the outside, but it
has been nonstop grief from here. I'm not just talking about the (normal
and expected) troll posts or all the petty complainers. We've already
gotten
Apparently, this issue was discovered earlier...
http://flagdefenders.blogspot.com/2013/10/facebook-image-privacy-keep-calm-and-be.html
-coderaptor
On Tue, Apr 1, 2014 at 1:23 PM, Ron wrote:
> By that same token, passwords, private keys, and any sort of signatures
> should also be considered an
By that same token, passwords, private keys, and any sort of signatures
should also be considered an issue. Sure, passwords are effectively
security by obscurity, but with enough entropy and the ability to detect
abuses, it's not an issue.
So essentially, it's *maybe* a vulnerability in the academ
Hi,
just a side note: a "non" public profile can be found on some public files.
For example, someone who has restricted their profile to friends only comments
on a fan page of a public product or something like that. In that case you
can't go to the profile itself, thus you won't see a "large" pro
Hey guys,
Please don't turn this into a "Google/YouTube arbitrary file upload"
thread, ok? :)
kthxbye
Andreas
2014-04-01 20:48 GMT+02:00 Willie Gillespie <wgillespie+fulldisclos...@es2eng.com>:
> You are both right.
>
> * You can get the full resolution copy of the profile picture by modifyi
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Security through obscurity is not security at all; if you are going to
provide ACLs, then you have an ethical obligation to ensure that they
do work regardless of the access path of the file.
Compromising a facebook account and 'leaking' the image URL
I haven't verified, but isn't this how browser plugins like the following
work?
https://chrome.google.com/webstore/detail/photo-zoom-for-facebook/elioihkkcdgakfbahdoddophfngopipi
Haven't tried it myself, but it seems reasonable to think so.
On Tue, Apr 1, 2014 at 11:59 AM, Bipin Gautam wrote:
You are both right.
* You can get the full resolution copy of the profile picture by
modifying the URL in various ways.
* You can easily get the URL of any user's profile picture if you know
their profile URL or user id.
* But all this is because Facebook considers the photo "public
inform
Again they need the URL.
If you have a way to determine the URL of a specific user's profile image from
public info that would be a vulnerability.
Simply the ability for a user or allowed visitor to copy the URL is not.
You can determine who can see the URL in your Facebook privacy settings.
P
Hi,
the POC is about "anyone being able to access anyone's facebook
profile picture in full resolution" + regardless of the ACL set to
their facebook profile picture (say; even when your profile picture
permission of your facebook is set as... viewable to "only me" or
"friends" ) ...anyone can see
This is not a vulnerability.
The image path is not predictable. Sharing the URL is by itself giving
permission for the other party to see it.
Even if it were possible to restrict access it could be circumvented by
downloading it and emailing the file instead of the URL
Philip Whitehouse
Hi List,
I felt like writing / pointing out this minor issue, as it is "Facebook" ...
This issue is due to the way Facebook pictures are stored in the CDN
without an authentication mechanism when accessing them (which would be
technically complicated to implement).
Also, it is a Facebook featur
Does anyone have contacts or email addresses for security contacts CBS
Sports?
___
Sent through the Full Disclosure mailing list
http://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
On 2014-04-01 10:40, Security Explorations wrote:
We take this opportunity to encourage all customers of Oracle Java Cloud
Service that signed up for the service between Jun 2012 and Jan 2013 in
either US1 or EMEA1...
It looks April Fools' Day is playing with us too...There is some minor,
thou
Hello All,
Security Explorations decided to release technical details and
accompanying Proof of Concept codes for security vulnerabilities
discovered in the environment of Oracle [1] Java Cloud Service
[2]. All relevant materials can be found at the following location:
http://www.security-explo