security - Is this a valid way to hack into Facebook applications? (and possibly Facebook)? -

-

  1. Your friend joins Facebook and "remembers me".
  2. Facebook makes a cookie
  3. Your friend goes to the bathroom.
  4. You steal your friend's cookies from your browser and its data.
  5. You go home and make cookies with that data.

Facebook is not affiliated with cookies + IP , then you can access Facebook page. EDIT: True, Facebook does not check for IP.

Now, let's look at Facebook Connect. This is the key

  1. The user "connects" by pushing the button.
  2. Sets a cookie on the Facebook browser, which your app backend reads to determine if the user is certified or not. After this, you associate this FB-cookie-AD with the user in your system.

If your system does not check for IP , then theoretically using cookies allows you to enter the application that uses Facebook Connect. You can then get access to the application,

Is it valid to say that you should check the IP when connecting Facebook to add security level? But if you do this, then some people have commented about IP spoofing.

@ All who say "physical access":

Yes, I agree that the concept of physical access makes this question trivial, though it is a hole about APPLICATION. Should be aware in Of course, the Facebook profile / useless application will not keep much ... but what if the application was a banking system? All I'm saying is that if Citibank or Bank of America has used "Facebook Connect" (which would be stupid but we assume), then this method would prove to be an easy way to access their account.

Therefore, Facebook Connect should not be used with "important" right?

Another option is that, after your friend goes to the bathroom, you can steal your wallet To give bribe to your girlfriend, you have cash in giving your Facebook password, thus, all of the applications that use Facebook Connect are projected.


Comments

Post a Comment

Popular posts from this blog

asp.net - Javascript/DOM Why is does my form not support submit()? -

-
This is my first time working with asp.net and javascript, so I do not know very good web resources, or Much about javascript debugging I have to find out that on line oFormObject.submit (); Microsoft JScript Runtime Error: Object does not support this property or method I am using the link to work as a button because I am terrible in aesthetics and I think That link will look more professional than a table of 50 buttons. I have read that this solution can cause problems with browsers due to pre-rendering of my links and many additional traffic and problems, but CSS gives me a button like a link, which has issues of alignment and difference seemed to. & lt ;! DOCTYPE HTML PUBLIC "- // W3C // DTD HTML 4.01 // N" "http://www.w3.org/TR/html4/strict.dtd"> & Lt; Html xmlns = "http://www.w3.org/1999/xhtml" & gt; & Lt; Head & gt; & Lt; Link rel = "stylesheet" type = "text / css" href = "defect differen
Read more

sockets - Delphi: TTcpServer, connection reset when reading -

-
I am trying to implement one for Delphi, but there are some problems with communication. Fitnesse will start my process, and give me a portmember as a command line argument. Then I should make a socket on the port number given to me, and fitness will connect to that port I am using a TCPCP server for the job: < Pre> TcpServer1.LocalPort: = ParamStr (ParamCount); TcpServer1 Active: = true; On OnEXEPT () -Event, I send the protocol version to use as specified in the protocol. Process TForm1.TcpServer1Accept (From: TOBject; ClientSocket: TCustomIpClient); Var s: ansistring; Start clientSocket. Syndrome ('slim - v 0.0', # 10); SetLength (S, 6); ClientSketts Receavebook (S, 6); End; When I call ReceiveBuf (), the process ends, and fitness throws an exception: java.net.SocketException: connection Reset I have seen what sent and received. It shows that my code sends the protocol version, fitness sends back a message, and when I try to get this message
Read more

javascript - Classic ASP "ExecuteGlobal" statement acting differently on two servers -

-
I have a strange problem that I really do not know. In addition to developing a new ASP.NET site, I have to support the old "classic ASP" site. It is written in VBScript with a batch of JavaScript functions. Many of the JavaScript functions include 'files' Everything is fine on our production system (which security is controlled by another group - this is a military installation) Debugging them once did not work I). However, I have a fix for a vague bug that needs to be fully tested and some functions do not run under the "local" copy of the website that runs on my PC. For the record, I am running IIS 5.1 on XP. The problem is that some Javascript functions are running "OK" on the production server, but when they use it as a server, they are not defined on my PC what is happening that last Programmer, for some reason, has decided to put some functions in a series of files, which according to the observations, imitate the "need_once
Read more