An observation on Facebook security

What's that Google Chrome? You say stuff on this page isn't all secure? If that's true, I've got some requests going through in plaintext. Requests with my session cookie in them. Facebook couldn't be so sloppy, I've gotta consult with my buddy Wireshark. BRB

Well hello there little fella. Facebook is transmitting unsecured images on secure pages.

Well wow. That just happened. Uh, Facebook, it's getting kinda awkward, I think I'm gonna call it a night.

Just out of curiosity, I wonder what image that was...

F... Flixter? Of course! The Facebook apps! The weakest security point on Facebook! Checking the other images, sure enough, they are third party Facebook app icons.

Mwahahaha, I have found a huge hole in Facebook. I can see it now, someone will write a Facebook "virus" that collects cookies through malicious images, and automatically connects to sessions server-side and harvests accounts by the millions.
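The mechanism behind this is plain: an HTTPS page that references an image over http:// makes the browser fetch it in the clear, and any cookie for that host that was set without the Secure flag goes along in the plaintext request. The check below is an added example, not code from the original post or from Facebook; it scans a page's HTML for sub-resources loaded over plain HTTP and then reports which Set-Cookie values would ride along on those requests. The page URL, hostnames, HTML and cookie headers are constructed for the demonstration.

```python
"""Mixed-content scan plus cookie-exposure report for an HTTPS page (added example)."""
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urljoin, urlsplit

# Tags whose referenced resource the browser fetches automatically.
RESOURCE_ATTRS = {"img": "src", "script": "src", "link": "href", "iframe": "src"}


class MixedContentScanner(HTMLParser):
    """Collects (tag, absolute_url) pairs for resources fetched over plain http."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        want = RESOURCE_ATTRS.get(tag)
        if want is None:
            return
        for name, value in attrs:
            if name == want and value:
                # Resolve relative and scheme-relative URLs against the page URL,
                # so only an explicit http:// reference ends up flagged.
                absolute = urljoin(self.page_url, value)
                if urlsplit(absolute).scheme == "http":
                    self.insecure.append((tag, absolute))


def find_mixed_content(page_url, html):
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    return scanner.insecure


def _domain_matches(host, cookie_domain):
    """RFC-style domain match: host equals the cookie domain or is a subdomain of it."""
    d = cookie_domain.lstrip(".").lower()
    return host == d or host.endswith("." + d)


def leaked_cookies(set_cookie_headers, page_url, insecure_urls):
    """Return (cookie_name, url) pairs for non-Secure cookies the browser would
    attach to the plaintext requests found by find_mixed_content."""
    page_host = (urlsplit(page_url).hostname or "").lower()
    leaks = []
    for header in set_cookie_headers:
        jar = SimpleCookie()
        jar.load(header)
        for name, morsel in jar.items():
            if morsel["secure"]:        # Secure flag: never sent over http
                continue
            domain = morsel["domain"]   # empty means host-only cookie
            for _tag, url in insecure_urls:
                host = (urlsplit(url).hostname or "").lower()
                sent = _domain_matches(host, domain) if domain else host == page_host
                if sent:
                    leaks.append((name, url))
    return leaks


# Constructed sample input: hypothetical hosts, not real Facebook markup or cookies.
PAGE_URL = "https://www.example.com/home.php"
SAMPLE_HTML = """
<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="//static.example.com/app.js"></script>
</head><body>
<img src="https://static.example.com/logo.png">
<img src="http://www.example.com/app_icons/flixster.png">
<img src="http://icons.example.net/app.png">
</body></html>
"""
SAMPLE_SET_COOKIE = [
    "session=abc123; Domain=.example.com; Path=/",   # no Secure flag: exposed
    "locale=en; Domain=.example.com; Secure",        # Secure: stays on https
    "csrf=x1; Path=/",                               # host-only, no Secure: exposed
]


def report(page_url=PAGE_URL, html=SAMPLE_HTML, set_cookie=SAMPLE_SET_COOKIE):
    insecure = find_mixed_content(page_url, html)
    leaks = leaked_cookies(set_cookie, page_url, insecure)
    return insecure, leaks


if __name__ == "__main__":
    insecure, leaks = report()
    for tag, url in insecure:
        print(f"mixed content: <{tag}> loads {url}")
    for name, url in leaks:
        print(f"cookie '{name}' sent in plaintext to {url}")
```

In the sample, the stylesheet and the scheme-relative script resolve to https and pass; the two http:// icons are flagged, and only the same-domain one carries the non-Secure session and CSRF cookies. A page served over plain http (as the post goes on to describe) has nothing to protect in the first place; the scan is only meaningful for an https page URL.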

Hey wait. I'm back at the home screen of www.new.facebook.com, and I'm not even in HTTPS mode.

Oh.

The entire new Facebook is completely unsecured. They aren't even trying. Dorm kids are probably already hijacking each other's accounts as we speak, in fact, they're so over it by now.


The lesson of the day: If you never try, you can never fail!
that or you always fail...


26 Sep 08