Facebook – Private Image – No Authentication Required to View
6 points by FBSecuritySux on Dec 18, 2016 | 9 comments
What's funny is Facebook -> has a publicly facing image server that has NO authentication required to see even private messages. When FB Security was contacted ... they say it was not a "guessable" URL, ergo security through obscurity was their "security method" of choice. This was two days ago.
If anyone wants to test this theory - set up 2 FB accounts, message an image from one FB account to the other. Click on the image with the second account (to bring up the lightbox custom thingy they have). Drag that image into notepad (to get the URL)... then try to log out of both accounts, clear your cache, and you'll see the image is COMPLETELY public -> meaning no authentication is required.
They refused to acknowledge this as a "security risk". I laughed, then was really pissed that a PRIVATE image shared between two parties can be viewed w/o authentication above it.
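The usual alternative to an unguessable-but-permanent URL is a capability URL whose token is bound to the object path, the intended viewer and an expiry, so a leaked or logged-out link stops working. The following is an added illustration, not Facebook's code: the `cdn.example.invalid` host, the `u`/`exp`/`sig` parameter names and the demo key are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment loads this from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def _signature(path: str, recipient: str, expires: int) -> str:
    # Bind the token to the object path, the recipient and the expiry time,
    # so changing any one of them invalidates the signature.
    msg = f"{path}\n{recipient}\n{expires}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()


def sign_image_url(base: str, path: str, recipient: str, ttl: int,
                   now: Optional[int] = None) -> str:
    """Issue a short-lived URL for `recipient` to fetch `path` from the image host."""
    now = int(time.time()) if now is None else now
    expires = now + ttl
    qs = urlencode({"u": recipient, "exp": expires,
                    "sig": _signature(path, recipient, expires)})
    return f"{base}{path}?{qs}"


def verify_image_url(url: str, session_user: str, now: Optional[int] = None) -> bool:
    """Return True only if the token is intact, unexpired and issued for session_user.

    A bare URL with the query string stripped (what a logged-out fetch would use)
    fails closed because the token parameters are missing.
    """
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        recipient = q["u"][0]
        expires = int(q["exp"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False
    if now >= expires or recipient != session_user:
        return False
    expected = _signature(parts.path, recipient, expires)
    # Constant-time comparison avoids leaking the signature via timing.
    return hmac.compare_digest(sig, expected)
```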