Hello, welcome to the Tuesday, September 20th, 2016 edition of the Sandson and Storm Center's

Stormcast. My name is Johannes Ulrich, and the day I'm recording from Baltimore, Maryland.

Aaron Sirish Kumar, a researcher, identified an interesting vulnerability in Facebook as part of Facebook's

Buck Bounty. This vulnerability would have allowed any use vulnerability in Facebook as part of Facebook's bug bounty.

This vulnerability would have allowed any user to take over any Facebook page.

A Facebook page is something typically businesses set up for their locations.

And the way they work is that these businesses can now assign some privileges

to a partner.

The way you would exploit this problem is that you set up your own page, you send a request

that would give access to your page to a partner but then you actually manipulate the requests

and you swap out your page ID for the victim's page ID which will then allow assign

privileges to the victim's page ID instead of to your own. So pretty standard direct object reference.

The request was not sufficiently authenticated.

Something we talk about in our web application security class for quite a bit.

And this is yet another example of such a vulnerability.

As usual, Facebook was very quick in patching this vulnerability and did pay out a nice

bug bounty.

Now, sticking with web applications, well, at least sort of, and reporting vulnerabilities

here for a moment, we do have another researchers that reported an interesting weakness in how exchange

auto discovery works.

Essentially, exchange auto discovery if you do add a new exchange account to a client.

This exchange client will then try to auto discover the settings

...