david wong

Hey! I'm David, cofounder of zkSecurity and the author of the Real-World Cryptography book. I was previously a crypto architect at O(1) Labs (working on the Mina cryptocurrency), before that I was the security lead for Diem (formerly Libra) at Novi (Facebook), and a security consultant for the Cryptography Services of NCC Group. This is my blog about cryptography and security and other related topics that I find interesting.

[facebook bug bounty] Reading local files from facebook posted December 2014

Josip Franjković found a vulnerability in one of the file uploader of facebook.

He described what he did here

basically he uploaded a zipped file of a symbolic link to /etc/passwd

ln -s /etc/passwd link
zip --symlinks test.zip link

And since uploaders are always a mess to secure. Facebook just replied displaying the content of what he thought was the unzipped resume.

Well done! You've reached the end of my post. Now you can leave a comment or read something else.


leave a comment...