May 7th, 2007, 10:11 PM
#7
 Originally Posted by nihil
A large part of the problem seems to be where the service does not recognise the user logging out, so the session remains open until some magic housekeeping process takes place
In my opinion it is a fundamental session management issue, and is not restricted to FaceBook by any means.
Facebook now properly destroys sessions, so that has been taken care of. I went to work and noticed that flickr also suffers from session stealing. Their hashing algorithm computes the same session key each time. The result is that if you gain access to a single packet containing a logged-in user's session key, you can always log in as that user. My paper was about how Web 2.0 companies do not place emphasis on security and privacy, and choose to focus on incorporating new features. A malicious user can completely wipe out an innocent user's flickr account, or destroy a user's facebook profile or picture database. I really think companies need to do something about this. Sessions need to be made much more secure by storing unique information on the client side as well as the server side.
Support your right to arm bears.

^^This was the first video game which I played on an old win3.1 box
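The replay the post describes (a session key that is recomputed identically on every login, so a key captured once keeps working after logout) shown beside a session store that issues a fresh random id per login, records it server side and revokes it on logout. This is an added example, not code from the post or from either site; the class names, the demo secret, the user names and the timestamps are constructed.

```python
import hashlib, hmac, secrets, time

SERVER_SECRET = b"constructed-demo-secret"  # constructed; real code loads this from config

class DeterministicSessions:
    """Weak pattern from the post: key derived from the account alone, so every login yields the same key."""
    def _sig(self, username):
        return hmac.new(SERVER_SECRET, username.encode(), hashlib.sha256).hexdigest()

    def login(self, username, now=None):  # 'now' unused; kept for a uniform interface
        return f"{username}:{self._sig(username)}"

    def is_valid(self, token, now=None):
        username, _, sig = token.partition(":")
        return hmac.compare_digest(sig, self._sig(username))

    def logout(self, token):
        pass  # no server-side state, so nothing can be revoked

class RandomSessions:
    """Hardened pattern: fresh unguessable id per login, server-side record, revocation on logout, bounded lifetime."""
    def __init__(self, ttl_seconds=3600):
        self.ttl = ttl_seconds
        self._active = {}  # session id -> (username, expiry timestamp)

    def login(self, username, now=None):
        now = time.time() if now is None else now
        sid = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._active[sid] = (username, now + self.ttl)
        return sid

    def is_valid(self, sid, now=None):
        now = time.time() if now is None else now
        record = self._active.get(sid)
        if record is None or now >= record[1]:
            self._active.pop(sid, None)  # drop expired ids on sight
            return False
        return True

    def logout(self, sid):
        self._active.pop(sid, None)  # destroys the session immediately

def captured_key_replays(store, username="alice"):
    """Scenario from the post: a key seen once is presented again after the user
    logged out and logged back in. True means the stale key is still accepted."""
    captured = store.login(username)
    store.logout(captured)
    store.login(username)  # the user's new, legitimate session
    return store.is_valid(captured)
```

Run `captured_key_replays` against each store: the deterministic store accepts the stale key, the random store rejects it.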