Hey! I'm David, cofounder of zkSecurity and the author of the Real-World Cryptography book. I was previously a crypto architect at O(1) Labs (working on the Mina cryptocurrency), before that I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

[facebook bug bounty] Reading local files from facebook posted December 2014

Josip Franjković found a vulnerability in one of the file uploader of facebook.

He described what he did here

basically he uploaded a zipped file of a symbolic link to /etc/passwd

ln -s /etc/passwd link
zip --symlinks test.zip link

And since uploaders are always a mess to secure. Facebook just replied displaying the content of what he thought was the unzipped resume.

Well done! You've reached the end of my post. Now you can leave a comment or read something else.

Here are some random popular articles:

Here are some random recent articles:

Comments

leave a comment...

My book Real-World Cryptography is finished and shipping! You can purchase it here.

If you don't know where to start, you might want to check these popular articles:

Here are the latest links posted:

You can also suggest a link.