Full Disclosure: Another minor facebook security flaw

[James Fife <theriverfife () yahoo com>]

I noticed a recent flaw in Facebooks security resolution process recently. After being asked to confirm my identity 
simply because I was using a different computer, I apparently took too long to identify my friends in their photos. 
However, I was able to try two more times before being locked out. In which case Facebook provided the exact same 
photos with the same selection of people to name in order to confirm my identity. What this means is that I could 
conceivably attempt to logon to a victims Facebook account from an unauthorized device to get such a prompt, and then 
take my time to research the answers.Twenty minutes was the approximate time before my session expired, which gives 
roughly one hour to come up with the answers. This may not seem terribly difficult given the proclivity with which 
people tag their friends or publish photos on blogs. It would be even easier if the victim and attacker had a mutual 
friend in common on Facebook, as they
 would likely be able to see a lot more photos. In fact, perhaps even searching each name in Facebook could show the 
face, which would allow for the questions to be answered correctly.This isn’t a minor flaw in any sense of the word, 
however it does seem quite possibly that the process as it is now implemented could be abused in conjunction with other 
vulnerabilities to gain access to someone’s account. I hope that at the least this will foster some interesting 
discussion on why what I have described is a non issue, or result in a fix.
Taken from : http://allthatiswrong.wordpress.com/2011/09/19/another-minor-facebook-security-issue/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/