CVE for service vulnerabilities


Art Manion
I'll claim this as an argument in favor of CVE IDs for service/single-instance software vulnerabilities:

https://arstechnica.com/information-technology/2018/09/50-million-facebook-accounts-breached-by-an-access-token-harvesting-attack/

> "This was the result of three distinct bugs," said Guy Rosen,
> Facebook’s vice president of product management. "The first bug was
> that when using the 'view as' function, the video uploader shouldn't
> have showed up at all." But for certain types of posts on users'
> timelines, such as prompts to post happy birthday greetings, the
> video uploader function was shown as active. The second bug was that
> when activated, the video uploader was generating a single sign-on
> token—a behavior that Rosen said was incorrect. And the third bug was
> that in the creation of that token, it was using the identity of the
> person the user was viewing the page as—not the user's.

There's a need for lots of people to talk about this, and it will probably end up as "those FB SSO token bugs from 2018."  Cataloging/naming/enumerating/identification is an end all by itself.

 - Art