[cap-talk] A Massive Confused Deputy on the Web

Toby Murray toby.murray at comlab.ox.ac.uk
Tue Jun 3 08:37:33 CDT 2008


Further to the recent discussion about the idea that the Confused Deputy
problem has resurfaced in a big way via the web, we see a perfect
example in a recently reported vulnerability that appears to allow
ordinary people to gain access to arbitrary Facebook profiles via a
Yahoo gadget.

http://blogs.securiteam.com/index.php/archives/1100

From the blog post:
> a myspace API given to Yahoo! exposes the private profiles of Paris
> Hilton and Lindsay Lohan.

It would appear that Yahoo is perhaps one of the more illustrative
confused deputies I've seen yet. Assuming I'm not misinterpreting the
nature of this, this confused deputy leaks a massive amount of authority
to its clients -- making this a huge lapse of POLA. 

As if we didn't need more evidence that 

a. these vulnerabilities arise all the time -- guarding against them
without unifying designation and authority seems very tricky indeed.
b. they can be quite damaging, in certain cases.
c. Caja+Waterken's ref_send can't come soon enough.

Cheers

Toby
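To make the designation/authority point concrete, here is an added illustration (my own sketch, not code from the post or from either site): a gadget host that holds one ambient partner key and lets the client name any profile, beside a capability version where the unforgeable reference both designates the profile and grants the read. All names, keys and profiles are constructed.

```python
import secrets

# Constructed sample data: private profiles held by a third-party service.
PROFILES = {"alice": "alice: private", "mallory": "mallory: private"}
PARTNER_KEY = "partner-secret"  # hypothetical key the service issued to the gadget host

def service_read(partner_key, user):
    """Ambient-authority service: one partner key unlocks every profile."""
    if partner_key != PARTNER_KEY:
        raise PermissionError("bad partner key")
    return PROFILES[user]

def deputy_fetch(target_user):
    """Confused deputy: authority is the host's own key, designation is the client's.
    Nothing ties target_user to what the caller may see, so the host's full
    partner authority is exercised on behalf of any client."""
    return service_read(PARTNER_KEY, target_user)

class CapabilityService:
    """Designation and authority unified: the token names the profile and permits reading it."""
    def __init__(self):
        self._caps = {}  # unguessable token -> user
    def grant(self, user):
        tok = secrets.token_urlsafe(16)
        self._caps[tok] = user
        return tok

    def read(self, cap):
        if cap not in self._caps:
            raise PermissionError("unknown capability")
        return PROFILES[self._caps[cap]]

def capability_fetch(svc, cap):
    """Gadget host with no ambient key: it forwards only what the client already holds."""
    return svc.read(cap)

def deputy_leaks():
    """Returns True when a client with no authority of its own reads alice's profile."""
    return deputy_fetch("alice") == PROFILES["alice"]

def capability_confines():
    """Mallory reads only her own profile; a guessed token is refused."""
    svc = CapabilityService()
    svc.grant("alice")  # alice's token never reaches mallory
    own = capability_fetch(svc, svc.grant("mallory")) == PROFILES["mallory"]
    try:
        capability_fetch(svc, "guessed-token")
        return False
    except PermissionError:
        return own
```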

