Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: A damn aweful facebook DOS
From: Bacon Zombie <baconzombie () gmail com>
Date: Fri, 9 Nov 2012 16:41:57 +0000

There seem to be a hard limit via the main website interface but I
have not check modifying the post or using another means { raw, API,
Facebook App, etc}.

"Status updates must be less than 63,206 characters. You have entered
73,979 characters here. Notes can be much longer. Would you like to
edit and post your update as a Note instead?"

Regards,

--
ฤ๊๊๊๊๊็็็็็๊๊๊๊๊็็็็
ฮ้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้
ฦ้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้

BaconZombie

LOAD "*",8,1

On 9 November 2012 15:31, Chris C. Russo <chris () calciumsec com> wrote:
On 09/11/2012 11:29 a.m., Bill Weiss wrote:
Chris C. Russo(chris () calciumsec com)@Thu, Nov 08, 2012 at 04:28:33AM -0300:
Good news everyone!

The last time I reported a security flaw to facebook, it took around 6
weeks until they replied,
telling me that there was no flaw at all. Perhaps that's why I decided
to make public any flaw on facebook from now on.
[cut some technical details for readability]
(Properly replace the <EXTREMLY LONG MESSAGE HERE> before testing)

This might not be the best vulnerability description ever,
but I hope it helps solving the condition as soon as possible. Have fun.
What length of EXTREMELY LONG MESSAGE were you using in testing?  1K
bytes, 1M, 1G?


I couldn't tell, I started up with 1,000 chars and increased 1,000 by
1,000 until 100,000 with parallel connections. But certainly, even if
you only full the text input using the regular UI from facebook, you'll
crash any regular box, or tablet.
Perhaps you should try with 1 Gb tho and see what happens, there's test
users you can create from the facebook.com/whitehat.

--
Success, *forward, quick.* Chris C. Russo

Más de 100,000 Km recorridos, conservo direcciones, presiono con
ambición, avanzo con delicadeza, flexibilizo para alcanzar, creo
escenarios, cambio realidades.

w: www.calciumsec.com
e: chris () calciumsec com

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/



-- 
ฤ๊๊๊๊๊็็็็็๊๊๊๊๊็็็็
ฮ้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้้
ฦ้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้้้็็็็็้้้้้้้้็็็็็้้้

BaconZombie

LOAD "*",8,1
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]