lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 12 Aug 2010 13:17:34 -0700
From: ghost <ghosts@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook name extraction based on email/wrong
 password + POC

The great thing about these threads is you can killfile anybody in
them and know you'll never miss anything useful.

Please keep it going.



On Thu, Aug 12, 2010 at 7:00 AM, Zerial. <fernando@...ial.org> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> This bug appears in a spanish security news site:
>
>
> http://blog.segu-info.com.ar/2010/08/error-en-facebook-permite-extraer.html
>
> probably it was reported by someone
>
> cheers
>
>
>
>
>
>
> On 08/11/10 23:13, werew01f wrote:
>> Don't seems to work on my system. No user name or picture was displayed.
>>
>>
>> On Wed, Aug 11, 2010 at 5:01 PM, Atul Agarwal <atul@...fence.com
>> <mailto:atul@...fence.com>> wrote:
>>
>>     Hello all,
>>
>>     Sometime back, I noticed a strange problem with Facebook, I had
>>     accidentally entered wrong password in Facebook, and it showed my
>>     first and last name with profile picture, along with the password
>>     incorrect message. I thought that the fact that it was showing the
>>     name had something to do with cookies stored, so I tried other email
>>     id's, and it was the same. I wondered over the possibilities, and
>>     wrote a POC tool to test it.
>>
>>     This script extracts the First and Last Name (provided by the users
>>     when they sign up for Facebook). Facebook is kind enough to return
>>     the name even if the supplied email/password combination is wrong.
>>     Further more,it also gives out the profile picture (this script does
>>     not harvest it, but its easy to add that too). Facebook users have
>>     no control over this, as this works even when you have set all
>>     privacy settings properly. Harvesting this data is very easy, as it
>>     can be easily bypassed by using a bunch of proxies.
>>
>>     As Facebook is so popular, some implications -
>>
>>     1) Someone has a list of email address that he has no clue about. He
>>     can feed them to Facebook one by one (or in a list, using a script
>>     like this) and chances are that he'll get more than 50% hits. Useful
>>     for phishing attacks (People will get more convinced when they see
>>     their *real* names).
>>
>>     2) One can generate random email addresses, and *verify* their
>>     existence . Hint: You can generate emails using (common names + a
>>     corporate domain), and check them against Facebook. Might come handy
>>     in a Pentest.
>>
>>     Rest is only left up to one's imagination.
>>
>>     Find the POC script attached.
>>
>>     PS: I did not report this, as I am unsure on what to call it, a
>>     "bug", "vuln" or a "feature".
>>
>>     Thanks,
>>     Atul Agarwal
>>     Secfence Technologies
>>     www.secfence.com <http://www.secfence.com>
>>
>>     _______________________________________________
>>     Full-Disclosure - We believe in it.
>>     Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>>     Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
> - --
> Zerial
> Seguridad Informatica
> Blog: http://blog.zerial.org
> Skype: erzerial
> Jabber: zerial@...beres.org
> GTalk: fernando@...ial.org
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.10 (GNU/Linux)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
>
> iEYEARECAAYFAkxj/oYACgkQIP17Kywx9JQRwgCfZCloGsZGESiYer3KXJ256Ahv
> v+gAnjAgODKzFw5/inB+Q4JwULaX1p5P
> =Rbq1
> -----END PGP SIGNATURE-----
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ