[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

CVE for service vulnerabilities



I'll claim this as an argument in favor of CVE IDs for 
service/single-instance sofware vulnerabilities:

https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/

> "This was the result of three distinct bugs," said Guy Rosen,
> Facebook’s vice president of product management. "The first bug was
> that when using the 'view as' function, the video uploader shouldn't
> have showed up at all." But for certain types of posts on users'
> timelines, such as prompts to post happy birthday greetings, the
> video uploader function was shown as active. The second bug was that
> when activated, the video uploader was generating a single sign-on
> token—a behavior that Rosen said was incorrect. And the third bug was
> that in the creation of that token, it was using the identity of the
> person the user was viewing the page as—not the user's.

There's a need for lots of people to talk about this, and it will 
probably end up as "those FB SSO token bugs from 2018."  
Cataloging/naming/enumerating/identification is an end all by itself.

 - Art


Page Last Updated or Reviewed: October 11, 2018