undefined | Better HN

0 pointswamatt13y ago0 comments

Thanks for that. Not super worried about people knowing my location or games I played :p

However, this is of interest:

>and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts

How is that possible? Are we going to see mass defacements/malware links or other bad stuff on Twitter and Facebook as a result?

Also what is meant by 'take over'? Surely it doesn't mean from a UDID alone, a hacker could log into that associated account with full permissions?

I'm assuming any scripted attack would only have the permissions that any other FB/Twitter app has, and could be blocked in App settings if it started doing 'bad stuff'?

0 comments

cortesi13y ago

I found vulnerabilities in two social gaming networks that let you take control of people's Facebook and Twitter accounts using _just_ the UDID. I never published the details of these vulnerabilities, but you can find an official acknowledgement from at least one of these companies (Chillingo of Angry Birds fame) in this WSJ piece:

http://blogs.wsj.com/digits/2011/09/19/privacy-risk-found-on...

samfoo13y ago

By "Take control of..." you mean "act with the permissions of the app", I assume? I can't see how Angry Birds the app would ever have full control over my Facebook account unless there's a catastrophic vuln. in the Facebook API.

TylerE13y ago

Angry Birds was made by Rovio, not Chillingo.

Chillingo is a publisher of 3rd rate knockoffs.

cortesi13y ago

Chillingo is the publisher of the original Angry Birds, and it's their social network (which is integrated with Angry Birds and therefore on millions of devices) that had the vulnerability.

j / k navigate · click thread line to collapse

0 pointswamatt13y ago0 comments

Thanks for that. Not super worried about people knowing my location or games I played :p

However, this is of interest:

>and in some cases (which affected millions of users) completely take over Twitter and Facebook accounts

How is that possible? Are we going to see mass defacements/malware links or other bad stuff on Twitter and Facebook as a result?

Also what is meant by 'take over'? Surely it doesn't mean from a UDID alone, a hacker could log into that associated account with full permissions?

I'm assuming any scripted attack would only have the permissions that any other FB/Twitter app has, and could be blocked in App settings if it started doing 'bad stuff'?

0 comments

cortesi13y ago

http://blogs.wsj.com/digits/2011/09/19/privacy-risk-found-on...

samfoo13y ago

TylerE13y ago

Angry Birds was made by Rovio, not Chillingo.

Chillingo is a publisher of 3rd rate knockoffs.

cortesi13y ago

Chillingo is the publisher of the original Angry Birds, and it's their social network (which is integrated with Angry Birds and therefore on millions of devices) that had the vulnerability.

j / k navigate · click thread line to collapse