When I notified MSRC that the SessionID checks were too late, they answered that they did not consider it a security issue (as usual). Also, if SessionID equals AnonymousID, all checks are bypassed too (but you need to be able to alter the token).
Yep, after filtering everything including SYSTEM (except Everyone, kept as deny-only), removing all privileges, and lowering the IL to untrusted, you can still query tokens of any session, get an elevated one, and impersonate it. Nice try.