On 13/02/2014 08:42 PM, Kevin Fenzi wrote:
> On Sun, 09 Feb 2014 21:52:38 +0200
> Achilleas Pipinellis <axilleaspi@xxxxxxxxx> wrote:
>
>> Hello there!
>>
>> I bumped into a recent post that describes the way someone could get
>> access to your account using Facebook OAuth. According to the
>> vulnerability author:
>>
>>> Every website with "Connect Facebook account and log in with it" is
>>> vulnerable to account hijacking.
>>
>> Source:
>> http://homakov.blogspot.gr/2014/01/two-severe-wontfix-vulnerabilities-in.html
>>
>> Facebook will not fix this anytime soon. Should we disable Facebook
>> login until this gets resolved?
>
> So, we discussed this some, and it seems like a pretty complex
> vulnerability. Additionally, ask isn't a particularly sensitive
> application for us.
>
> So, we are just going to wait and see right now I think, and if it's
> used against us, reevaluate.
>
> Thanks for bringing it up... I sure hope there's a fix at some point.
>
> kevin

Yeap, I thought so :) I just reported it so that you know it's out there.

--
FAS : axilleas
GPG : 0xABF99BE5
Blog: http://axilleas.me

_______________________________________________
infrastructure mailing list
infrastructure@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/infrastructure