An XSS on Facebook via PNGs & Wonky Content Types - https://fin1te.net/articles/xss-on-facebook-via-png-content-types/ …
@blubbfiction @kkotowicz @mniemietz @fin1te youtube had a similar thing 2y ago, fallback CDN under http://youtube.com
@blubbfiction @kkotowicz @mniemietz @fin1te CDN let you specify arbitrary Content-Type for A/V files, and cookies leaked to the subdomain
@blubbfiction @kkotowicz @mniemietz @fin1te but probably a PITA to exploit because you'd need XSS via A/V encoder output