Questions waiting for web geeks to answer

    General discussion

  • Our own investigation experience convinces us that finding SSO bugs requires not only logical thinking. Oftentimes, a particular investigation takes you to a set of interesting "webby" questions that you are not able to answer due to your limited knowledge of web technologies. You can post your question here and hope some web geeks can answer it for you. Good luck!
    Thursday, March 15, 2012 11:33 PM
    Owner

All replies

  • Question: If the Flash already allows cross-domain access, can JavaScript on Bob.com read the FlashVars of a Flash file on alice.com? If feasible, can you provide sample code to do that?

    If this is possible, then we should be able to break alice.com's integration of Facebook Login. Note that we use alice.com to anonymize the real website.


    Rui Wang

    Friday, March 23, 2012 11:10 PM
    Owner
  • Question: we have found that we are able to steal the access_token released by Facebook to a website alice.com. Our question is: what kind of damage can be done by the leakage of the access_token alone?

    Rui Wang


    Friday, March 23, 2012 11:13 PM
    Owner
  • Question: Are you aware of any websites which import Facebook’s xd_proxy.php script for their cross-domain communication? Any websites doing that are vulnerable.

    Rui Wang

    Friday, March 23, 2012 11:14 PM
    Owner
  • Question: are you aware of any websites integrating Facebook Login that have an open redirect bug? Open redirect is often regarded as a minor bug. But if it is in a website supporting Facebook Login, it will allow a malicious user to sign into victim users' accounts.

    Rui Wang

    Friday, March 23, 2012 11:17 PM
    Owner
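The defensive side of the open redirect question above, as an added example that is not part of the forum thread: a relying party that accepts a post-login "next" URL should validate it against an explicit host allowlist rather than a string prefix. The allowlist, the default landing page and the hostnames used in the comments are constructed for the hypothetical site alice.com, not taken from the thread. The naive prefix check is shown beside the strict parser-based check so the difference in what each accepts is visible.

```python
from urllib.parse import urlparse, urljoin

# Constructed allowlist for the hypothetical relying party alice.com (assumption).
ALLOWED_HOSTS = {"alice.com", "www.alice.com"}
DEFAULT_TARGET = "https://alice.com/"


def naive_is_safe(next_url: str) -> bool:
    """Weak check: looks only at the string prefix, so a host that merely
    starts with the expected text, or carries userinfo, still passes."""
    return next_url.startswith("/") or next_url.startswith("https://alice.com")


def strict_is_safe(next_url: str) -> bool:
    """Strict check: parse the URL and require either a same-origin relative
    path or an https URL whose hostname is on the allowlist."""
    parsed = urlparse(next_url)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative path only: reject scheme-relative "//host" and the
        # backslash variant browsers normalise to a slash.
        return (
            next_url.startswith("/")
            and not next_url.startswith("//")
            and not next_url.startswith("/\\")
        )
    if parsed.scheme != "https":
        return False
    # .hostname lowercases and strips port and userinfo, so the comparison
    # is on the host the browser would actually connect to.
    return parsed.hostname in ALLOWED_HOSTS


def resolve_redirect(next_url: str) -> str:
    """Return the absolute URL to redirect to after login; fall back to the
    default landing page whenever the requested target fails validation."""
    if strict_is_safe(next_url):
        return urljoin(DEFAULT_TARGET, next_url)
    return DEFAULT_TARGET


if __name__ == "__main__":
    for candidate in ["/account/settings", "https://alice.com.example/", "//example.org/"]:
        print(candidate, "->", resolve_redirect(candidate))
```

Logging the rejected candidates (not shown here) is also worthwhile: a burst of failed validations on the login return path is a useful detection signal for a site that has just closed an open redirect.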
  • Really interesting question for geeks: when Bob makes Alice’s browser sign onto a website as Bob, can Bob obtain his own session cookie in the browser? If this can be done, as far as we are aware, at least three websites will be vulnerable.

    Rui Wang

    Friday, March 23, 2012 11:19 PM
    Owner
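The question above describes a login CSRF: a browser is made to complete a sign-in flow that a different party started. The standard mitigation on the relying-party side is the OAuth 2.0 `state` parameter, bound to the browser session that began the flow and checked on the callback. The following is an added example, not code from the thread or from Facebook; the client id, redirect URI, authorization endpoint, the in-memory `BrowserSession` class and the callback URLs are all constructed for illustration.

```python
import hmac
import secrets
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Constructed values for the hypothetical relying party (assumptions, not from the thread).
CLIENT_ID = "EXAMPLE_APP_ID"
REDIRECT_URI = "https://alice.com/fb/callback"
AUTHORIZE_ENDPOINT = "https://www.facebook.com/dialog/oauth"  # illustrative endpoint


class BrowserSession(dict):
    """Stand-in for a cookie-backed server-side session belonging to one browser."""


def begin_login(session: BrowserSession) -> str:
    """Mint a fresh, unguessable state, remember it in this browser's session,
    and build the authorization URL the browser is sent to."""
    state = secrets.token_urlsafe(32)
    session["oauth_state"] = state
    params = {
        "client_id": CLIENT_ID,
        "redirect_uri": REDIRECT_URI,
        "state": state,
    }
    return AUTHORIZE_ENDPOINT + "?" + urlencode(params)


def finish_login(session: BrowserSession, callback_url: str) -> Optional[str]:
    """Handle the callback. Return the authorization code only if the state
    presented matches the one minted in *this* session; otherwise reject.
    The stored state is consumed either way, so it cannot be replayed."""
    query = parse_qs(urlparse(callback_url).query)
    presented = query.get("state", [""])[0]
    expected = session.pop("oauth_state", None)
    if expected is None or not hmac.compare_digest(presented, expected):
        # Flow was not started by this browser session (or state was reused).
        return None
    return query.get("code", [None])[0]


if __name__ == "__main__":
    bob, alice = BrowserSession(), BrowserSession()
    url = begin_login(bob)
    callback = REDIRECT_URI + "?code=CONSTRUCTED_CODE&state=" + bob["oauth_state"]
    print("Alice's browser presenting Bob's callback:", finish_login(alice, callback))
    print("Bob's own browser:", finish_login(bob, callback))
```

The check is deliberately on the session, not on the code or the token: a callback carrying a perfectly valid code for another account is exactly the case the question describes, and only the session binding distinguishes it from a legitimate return.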