[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-disclosure] Facebook allows disclosure of friends list.

To: full-disclosure@xxxxxxxxxxxxxxxxx
Subject: Re: [Full-disclosure] Facebook allows disclosure of friends list.
From: Alex <fd@xxxxxxxx>
Date: Tue, 06 Aug 2013 16:51:39 +0200


Nice finding, but how do you know the victims email address? 

Am 2013-08-06 05:41, schrieb Bhavesh Naik: 

>   
> BLOG POST LINK : 
> _HTTP://TECHIELOGIC.WORDPRESS.COM/2013/08/04/FACEBOOKS-FRIENDS-LIST-DISCLOSURE-VULNERABILITY/
>  [3]_ 
>   Affected application: facebook.com
> Impact: Access to friends list, by bypassing the privacy settings
> Author: Bhavesh Naik
> 
> It was JULY 17, 2013 when I discovered this little loophole and I submitted 
> the vulnerability to facebook but then I wasn't on the 'Hall of Fame' and 
> neither did I receive any sort of recognition, since I was told they are 
> aware of such scenarios. 
> Well without wasting much time, I will start with the PoC. 
> _Note : Prior to this you should know your friends email address._ 
> The following screenshot is the victims (your friend) privacy setting , it 
> shows that nobody is allowed to see the friends list: 
> [4] 
> Now the attack, visit http://facebook.com [5] and select "Forgot your 
> password?" 
> There you will be prompted to enter the email address. Enter the victims 
> email ID: 
> [6] 
> You will see the following page: 
> [7] 
> You will be prompted to enter a new email address. Enter any email ID not 
> associated to facebook. 
> [8] 
> Press 'Continue'. You will be asked as to how you want to recover your 
> account. 
> [9] 
> Click on 'Recover your account with help from friends' 
> [10] 
> VOILA ! You see the friends list :D 
> [11] 
> I was wondering, "What is the use of such privacy setting when it can be 
> bypassed by abuse of other functionality?". 
> Status: Unfixed. 
> Reported: Yes 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1]
> Hosted and sponsored by Secunia - http://secunia.com/ [2]



Links:
------
[1] http://lists.grok.org.uk/full-disclosure-charter.html
[2] http://secunia.com/
[3]
http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
[4] http://techielogic.files.wordpress.com/2013/08/fb1.png
[5] http://facebook.com/
[6] http://techielogic.files.wordpress.com/2013/08/fb2.png
[7] http://techielogic.files.wordpress.com/2013/08/fb3.png
[8] http://techielogic.files.wordpress.com/2013/08/fb4.png
[9] http://techielogic.files.wordpress.com/2013/08/fb51.png
[10] http://techielogic.files.wordpress.com/2013/08/fb6.png
[11] http://techielogic.files.wordpress.com/2013/08/fb7.png

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Follow-Ups:
- Re: [Full-disclosure] Facebook allows disclosure of friends list.
  - From: Valdis . Kletnieks
- Re: [Full-disclosure] Facebook allows disclosure of friends list.
  - From: David Mah

References:
- [Full-disclosure] Facebook allows disclosure of friends list.
  - From: Bhavesh Naik

Prev by Date: [Full-disclosure] [ MDVSA-2013:209 ] subversion
Next by Date: Re: [Full-disclosure] Facebook allows disclosure of friends list.
Previous by thread: [Full-disclosure] Facebook allows disclosure of friends list.
Next by thread: Re: [Full-disclosure] Facebook allows disclosure of friends list.
Index(es):
- Date
- Thread