[Full-disclosure] Facebook Vulnerability Discloses Friends Lists Defined as Private
- To: "bugtraq@xxxxxxxxxxxxxxxxx" <bugtraq@xxxxxxxxxxxxxxxxx>, "full-disclosure@xxxxxxxxxxxxxxxxx" <full-disclosure@xxxxxxxxxxxxxxxxx>
- Subject: [Full-disclosure] Facebook Vulnerability Discloses Friends Lists Defined as Private
- From: qsrc Quotium <qsrc@xxxxxxxxxxx>
- Date: Thu, 21 Nov 2013 13:51:42 +0000
Facebook Vulnerability Discloses Friends Lists Defined as Private
=================================================
Researchers from the Quotium Seeker Research Center identified a security flaw
in Facebook's privacy controls. The vulnerability allows an attacker to see the
friends list of any user on Facebook. The attack abuses Facebook's 'People You
May Know' mechanism, the feature through which Facebook suggests new friends to
users.
With attacks on the rise, Facebook is often targeted by hackers for the
information it possesses. Users rely on Facebook to maintain their privacy to
the best of Facebook's ability.
Technical Details
=============
To execute the attack, an attacker needs to create a new user on Facebook and
send a friend request to the victim. Whether the victim declines the request is
irrelevant. At this point Facebook begins to suggest to the attacker people he
may know, with the option of clicking a 'see all' button for convenience. The
people suggested at this point are the friends of the user to whom the attacker
sent the friend request, even when the victim's friends list is set to private
and the suggested users have also set their friends lists to private.
For full technical information see
www.quotium.com/research/advisories/Facebook_Vulnerability_Discloses_Private_Friends_list.php
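A small Python model of the suggestion logic described above, added here as an illustration (it is not code from Quotium or Facebook, and the real implementation is unknown): the weak version expands through any account the viewer has contacted, including an unanswered friend request, while the hardened version expands only through confirmed friendships and only through accounts whose friend list is visible to the viewer. The sample graph, user names and the two suggestion rules are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)    # confirmed friendships (symmetric)
    hide_friends: bool = False                   # friend list visibility set to "Only me"
    requested: set = field(default_factory=set)  # accounts this user sent a request to


def suggest_weak(users, viewer):
    """Constructed model of the reported behaviour: candidates are the friends of every
    account the viewer has contacted, friend or merely pending request, regardless of
    whether that account hides its friend list."""
    me = users[viewer]
    cands = set()
    for contact in me.friends | me.requested:
        cands |= users[contact].friends
    return cands - me.friends - {viewer}


def suggest_hardened(users, viewer):
    """Expand only through confirmed friendships, and only through accounts that let the
    viewer see their friend list, so a pending or declined request reveals nothing."""
    me = users[viewer]
    cands = set()
    for contact in me.friends:
        if users[contact].hide_friends:
            continue
        cands |= users[contact].friends
    return cands - me.friends - {viewer}


def build_graph():
    """Constructed sample graph: the victim hides their list; the attacker is a fresh
    account with no friends that has sent one request to the victim."""
    users = {n: User(n) for n in ["victim", "attacker", "alice", "bob", "carol", "dave"]}

    def befriend(a, b):
        users[a].friends.add(b)
        users[b].friends.add(a)

    befriend("victim", "alice")
    befriend("victim", "bob")
    befriend("victim", "carol")
    befriend("alice", "dave")
    users["victim"].hide_friends = True
    users["attacker"].requested.add("victim")  # request sent; never accepted
    return users
```

With this graph the weak rule hands the attacker the victim's entire hidden list, while the hardened rule returns nothing for the attacker and still suggests the victim to dave through his confirmed friend alice, whose list is visible.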
Vendor Response
==============
Facebook responded that: "If you don't have friends on Facebook and send a friend
request to someone who's chosen to hide their complete friend list from their
timeline, you may see some friend suggestions that are also friends of theirs.
But you have no way of knowing if the suggestions you see represent someone's
complete friend list." However, research into this issue has shown that most of
the friends list, often hundreds of friends, is available to the attacker. In
any case, even a partial friends list is a violation of user-chosen privacy
controls.
Since this vulnerability renders the privacy control that hides friends lists
from other users ineffective, we hope Facebook will change its mind and this
flaw will be addressed.
Credit
=====
Irene Abezgauz, VP Product Management at Quotium and Seeker Research Center
leader, is credited with the discovery of this vulnerability.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/