On Sun, 09 Feb 2014 21:52:38 +0200 Achilleas Pipinellis <axilleaspi@xxxxxxxxx> wrote:

> Hello there!
>
> I bumped into a recent post that describes the way someone could get
> access to your account using Facebook OAuth. According to the
> vulnerability author:
>
> > Every website with "Connect Facebook account and log in with it" is
> > vulnerable to account hijacking.
>
> Source:
> http://homakov.blogspot.gr/2014/01/two-severe-wontfix-vulnerabilities-in.html
>
> Facebook will not fix this anytime soon. Should we disable Facebook
> login until this gets resolved?

So, we discussed this some, and it seems like a pretty complex vulnerability. Additionally, ask isn't a particularly sensitive application for us. So, we are just going to wait and see right now, I think, and if it's used against us, reevaluate.

Thanks for bringing it up... I sure hope there's a fix at some point.

kevin
Attachment:
signature.asc
Description: PGP signature
_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure