All your Facebook Access Tokens are belong to us (attack-secure.com) 24 points by mikeevans 12y ago ↗ HN
[–] patmcguire 12y ago ↗ Can anyone get to the article? [–] hfreire 12y ago ↗ Nope. [–] mikeevans 12y ago ↗ Overview which links to the original post can be found here: http://threatpost.com/facebook-android-flaws-enable-any-app-... [–] thefreeman 12y ago ↗ worked for me. tldr: Facebook apps were leaking the access token via the android log cat which is accessible from any app installed on your device. [–] CaveTech 12y ago ↗ AFAIK this has been a problem for well over 2 years now. [–] JosephRedfern 12y ago ↗ AFAIK since Android 4.1 the READ_LOGS permission (needed for an app to be able to access logcat output) can no longer be granted to a 3rd party application... of course, there are going to be lots of devices out there running Android < 4.1. [–] jt2190 12y ago ↗ Is this it?http://webcache.googleusercontent.com/search?q=cache:F0k-GBb...
[–] mikeevans 12y ago ↗ Overview which links to the original post can be found here: http://threatpost.com/facebook-android-flaws-enable-any-app-...
[–] thefreeman 12y ago ↗ worked for me. tldr: Facebook apps were leaking the access token via the android log cat which is accessible from any app installed on your device. [–] CaveTech 12y ago ↗ AFAIK this has been a problem for well over 2 years now. [–] JosephRedfern 12y ago ↗ AFAIK since Android 4.1 the READ_LOGS permission (needed for an app to be able to access logcat output) can no longer be granted to a 3rd party application... of course, there are going to be lots of devices out there running Android < 4.1.
[–] JosephRedfern 12y ago ↗ AFAIK since Android 4.1 the READ_LOGS permission (needed for an app to be able to access logcat output) can no longer be granted to a 3rd party application... of course, there are going to be lots of devices out there running Android < 4.1.
[–] zaidf 12y ago ↗ We condemn anyone that stores passwords as plaintext. Time to treat access tokens as nothing less than a password. [–] davidkuridza 12y ago ↗ How would you store access tokens on a device, using two-way encryption or do you have something else in mind? [–] zaidf 12y ago ↗ Two way encryption, yep. [–] colinhowe 12y ago ↗ but then for any reasonable application to be able to use them they'll need to store the unencryption key anyway.. [–] tedunangst 12y ago ↗ Obviously you wouldn't store the encryption key in plaintext... [–] paulgb 12y ago ↗ It's encrypted keys all the way down. [–] Zancarius 12y ago ↗ That's easy! We could use two-way encryption to encrypt the encryption key. [–] snarfy 12y ago ↗ What's wrong with 'correct horse battery staple'?
[–] davidkuridza 12y ago ↗ How would you store access tokens on a device, using two-way encryption or do you have something else in mind? [–] zaidf 12y ago ↗ Two way encryption, yep. [–] colinhowe 12y ago ↗ but then for any reasonable application to be able to use them they'll need to store the unencryption key anyway.. [–] tedunangst 12y ago ↗ Obviously you wouldn't store the encryption key in plaintext... [–] paulgb 12y ago ↗ It's encrypted keys all the way down. [–] Zancarius 12y ago ↗ That's easy! We could use two-way encryption to encrypt the encryption key. [–] snarfy 12y ago ↗ What's wrong with 'correct horse battery staple'?
[–] zaidf 12y ago ↗ Two way encryption, yep. [–] colinhowe 12y ago ↗ but then for any reasonable application to be able to use them they'll need to store the unencryption key anyway.. [–] tedunangst 12y ago ↗ Obviously you wouldn't store the encryption key in plaintext... [–] paulgb 12y ago ↗ It's encrypted keys all the way down. [–] Zancarius 12y ago ↗ That's easy! We could use two-way encryption to encrypt the encryption key. [–] snarfy 12y ago ↗ What's wrong with 'correct horse battery staple'?
[–] colinhowe 12y ago ↗ but then for any reasonable application to be able to use them they'll need to store the unencryption key anyway.. [–] tedunangst 12y ago ↗ Obviously you wouldn't store the encryption key in plaintext... [–] paulgb 12y ago ↗ It's encrypted keys all the way down. [–] Zancarius 12y ago ↗ That's easy! We could use two-way encryption to encrypt the encryption key. [–] snarfy 12y ago ↗ What's wrong with 'correct horse battery staple'?
[–] tedunangst 12y ago ↗ Obviously you wouldn't store the encryption key in plaintext... [–] paulgb 12y ago ↗ It's encrypted keys all the way down. [–] Zancarius 12y ago ↗ That's easy! We could use two-way encryption to encrypt the encryption key.
[–] thehme 12y ago ↗ Can't read blog post:Error 520 Ray ID: c513da5e9750697 Web server is returning an unknown errorhttps://support.cloudflare.com/hc/en-us/articles/200171936-E...humm... [–] [dead] mohaab 12y ago ↗ fixed now.
17 comments
[ 2907 ms ] story [ 737 ms ] threadhttp://webcache.googleusercontent.com/search?q=cache:F0k-GBb...
Error 520 Ray ID: c513da5e9750697 Web server is returning an unknown error
https://support.cloudflare.com/hc/en-us/articles/200171936-E...
humm...