Date: Wed, 11 Aug 2010 11:43:31 -0300
From: Javier Bassi <javierbassi@...il.com>
To: atul@...fence.com
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook name extraction based on email/wrong password + POC

Uploading an address book will check the privacy settings of each contact
and it will not display contacts that have chosen not to appear in Facebook
search results.
It's the same as searching for the email directly in the search box:
http://www.facebook.com/search/?q=bob@something.com

As said by Atul, when the email is valid and the password is not, it does not
check the privacy settings and displays profile pic+name, so this is a bug.

On Wed, Aug 11, 2010 at 11:20 AM, Atul Agarwal <atul@...fence.com> wrote:

> Never encountered that, nevertheless excellent find!
>
> Would check it and would incorporate that in the script!
>
> Thanks,
> Atul Agarwal
> Secfence Technologies
> www.secfence.com
>
>
>
> On Wed, Aug 11, 2010 at 7:41 PM, Kevin Connolly <bugtwak@...il.com> wrote:
>
>> It gets better. If you enter an e-mail address that is close but not
>> exactly right then Facebook will "correct it for you"
>>
>> <<<
>> Fixed Misspelling
>>
>> It looks like you entered a slight misspelling of your email or username.
>> Please re-enter your password. >>>
>>
>>
>> and it displays the "corrected" e-mail address in the login box :-)
>>
>>
>>
>> On Wed, Aug 11, 2010 at 10:01 AM, Atul Agarwal <atul@...fence.com> wrote:
>>
>>>  Hello all,
>>>
>>> Sometime back, I noticed a strange problem with Facebook. I had
>>> accidentally entered a wrong password in Facebook, and it showed my first and
>>> last name with profile picture, along with the password incorrect message. I
>>> thought that the fact that it was showing the name had something to do with
>>> cookies stored, so I tried other email ids, and it was the same. I wondered
>>> about the possibilities, and wrote a POC tool to test it.
>>>
>>> This script extracts the First and Last Name (provided by the users when
>>> they sign up for Facebook). Facebook is kind enough to return the name even
>>> if the supplied email/password combination is wrong. Furthermore, it also
>>> gives out the profile picture (this script does not harvest it, but it's easy
>>> to add that too). Facebook users have no control over this, as this works
>>> even when you have set all privacy settings properly. Harvesting this data
>>> is very easy, as it can be easily bypassed by using a bunch of proxies.
>>>
>>> As Facebook is so popular, some implications -
>>>
>>> 1) Someone has a list of email address that he has no clue about. He can
>>> feed them to Facebook one by one (or in a list, using a script like this)
>>> and chances are that he'll get more than 50% hits. Useful for phishing
>>> attacks (People will get more convinced when they see their *real* names).
>>>
>>> 2) One can generate random email addresses, and *verify* their existence.
>>> Hint: You can generate emails using (common names + a corporate domain),
>>> and check them against Facebook. Might come in handy in a Pentest.
>>>
>>> Rest is only left up to one's imagination.
>>>
>>> Find the POC script attached.
>>>
>>> PS: I did not report this, as I am unsure on what to call it, a "bug",
>>> "vuln" or a "feature".
>>>
>>> Thanks,
>>> Atul Agarwal
>>> Secfence Technologies
>>> www.secfence.com
>>>
>>> _______________________________________________
>>> Full-Disclosure - We believe in it.
>>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>> Hosted and sponsored by Secunia - http://secunia.com/
>>>
>>
>>
>
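The distinction Javier and Atul are drawing, as an added example that is not from this thread or from Facebook: an email lookup that honours the user's search-privacy setting, a login handler whose failure response is byte-identical for an unknown email and a wrong password and never carries a name, picture or "corrected" email, and the leaky pattern beside it for contrast. Account data, the PBKDF2 parameters and all function names are constructed assumptions.

```python
import hashlib, hmac, os
from dataclasses import dataclass

@dataclass
class Account:
    email: str
    name: str
    salt: bytes
    pw_hash: bytes
    searchable: bool  # the user's "appear in search results" privacy setting

def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_account(email, name, password, searchable=True):
    salt = os.urandom(16)
    return Account(email, name, salt, _hash(password, salt), searchable)

# Constructed sample directory; no real accounts.
ACCOUNTS = {a.email: a for a in (
    make_account("bob@example.com", "Bob Example", "correct horse", searchable=False),
    make_account("alice@example.com", "Alice Example", "battery staple"),
)}
# Placeholder so an unknown email costs the same hashing work as a known one.
_DUMMY = make_account("nobody@invalid", "", os.urandom(16).hex())

GENERIC_FAILURE = {"ok": False, "error": "The email or password you entered is incorrect."}

def lookup_by_email(email: str):
    """Search box: returns a name only if the user opted in to search results."""
    acct = ACCOUNTS.get(email.strip().lower())
    return acct.name if acct and acct.searchable else None

def login(email: str, password: str) -> dict:
    """Hardened login: same failure body for unknown email and wrong password,
    and never a name, picture or 'corrected' email alongside a failure."""
    acct = ACCOUNTS.get(email.strip().lower(), _DUMMY)
    ok = hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash)
    if acct is _DUMMY or not ok:
        return dict(GENERIC_FAILURE)
    return {"ok": True, "name": acct.name}

def leaky_login(email: str, password: str) -> dict:
    """The pattern the thread describes: a wrong password still returns the name."""
    acct = ACCOUNTS.get(email.strip().lower())
    if acct is None:
        return {"ok": False, "error": "Unknown email"}
    if not hmac.compare_digest(_hash(password, acct.salt), acct.pw_hash):
        return {"ok": False, "error": "Incorrect password", "name": acct.name}
    return {"ok": True, "name": acct.name}
```

A simple regression check is to assert that `login()` returns the same dict for a known and an unknown email with a bad password, which is exactly the property the thread shows Facebook lacking.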
