
Hacking Facebook’s Legacy API, Part 2: Stealing User Sessions - ssclafani
http://stephensclafani.com/2014/07/29/hacking-facebooks-legacy-api-part-2-stealing-user-sessions/
======
nmjohn
This should serve as a reminder to developers, GET requests should only be
returning information, not writing information.

With an IMG tag it's trivial to get any user to execute any GET request the
attacker wants, and that was critical in this exploit for binding a specified
token to a user's account.

~~~
bkrausz
In the desktop case this didn't actually matter... The attacker could have
just as easily made a POST form with hidden fields that it then submitted to
FB. Requiring POSTs for write-based endpoints is a good start, but there's a
ton more necessary to keep API endpoints safe.

------
e12e
What a great writeup! I'm always uneasy about web and rest security, because
of the number of serious issues found in production apps that have huge
engineering resources behind them. It's nice to see examples like this that
show that the good old enemies of security are still a large factor:
complexity, convenience and features/feature creep (often driven by convenience
leading to complexity).

Nice, because the article clearly shows how a more conservative approach would
have avoided these issues. So with a more limited scope it should be possible
to avoid these issues, even with limited resources :)

------
eyeareque
Nice work, and great write-up.

Mobile website security issues are often overlooked, but are a great place to
look when pentesting.

------
spacefight
A fair bounty considering the found bugs (20k). Have you considered donating
part of it to charities or similar, e.g. the EFF?

~~~
ben336
Do you ask everyone you meet on the internet if they've thought about donating
some of their income to charity? He's a security researcher, this is a part of
how they make a living.

