
CVE for service vulnerabilities

I'll claim this as an argument in favor of CVE IDs for
service/single-instance software vulnerabilities:


> "This was the result of three distinct bugs," said Guy Rosen,
> Facebook’s vice president of product management. "The first bug was
> that when using the 'view as' function, the video uploader shouldn't
> have showed up at all." But for certain types of posts on users'
> timelines, such as prompts to post happy birthday greetings, the
> video uploader function was shown as active. The second bug was that
> when activated, the video uploader was generating a single sign-on
> token—a behavior that Rosen said was incorrect. And the third bug was
> that in the creation of that token, it was using the identity of the
> person the user was viewing the page as—not the user's.

There's a need for lots of people to talk about this, and it will 
probably end up as "those FB SSO token bugs from 2018."  
Cataloging/naming/enumerating/identification is an end all by itself.

 - Art

Page Last Updated or Reviewed: October 11, 2018