| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Fri, 1 Oct 2010 14:38:36 -0400
From: Nathan Whitmore <nathanww@...il.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Facebook Places private information leak
SUMMARY
A vulnerability was discovered in Facebook Places that could be exploited to
divulge a user's location even if the user has restricted their location
information to “only friends” or “only me”, as long as the “make me visible
in people here now” option is enabled
HISTORY
Vulnerability discovered:August 25, 2010
Vulnerability resolved:September 30, 2010(See details below)
IMPACT
Facebook has addressed the particular proof-of-concept for this
vulnerability by enhancing anti-scraping protection and and changing the
format in which data for the “people here now” view is transmitted to a
requester. However, the presence of this feature at all opens an “analog
hole” which means that a similar attack with a more sophisticated scraping
system is still theoretically possible.
DESCRIPTION
The problem occurs because Places did not properly anticipate the
consequences of rapid automatic checkins and geolocation spoofing. An
automatic “scraper” program could emulate an iPhone web browser, transmit a
faked geolocation response, and obtain the list of people at the specified
location. By querying each location in a latitude/longitude grid, an
attacker could create a database of the locations of all checkins within the
grid, and map movement of users by collecting multiple “frames” of data over
time
This could allow an attacker to:
-
Stalk a user by creating a database of all checkins within a given area,
then querying the database to obtain semi-real-time and historical data on
the user's checkins
-
Identify potential victims for robbery or vandalism by identifying users
who are a significant distance from their home(similar to pleaserobme.com
)
-
Collect aggregate data for sociological or basic demographic research
-
Compile a database of check-ins in a geographically wide set of “regions
of interest”(gambling sites, bars, etc) and determine whether a given person
had ever checked in at any of the monitored locations
Using this vulnerability, an attacker could not:
-
Obtain a user's location if they are not visible in “people here now”
-
Obtain a user's location without them manually checking in
-
Identify precisely how much time has elapsed since a user checked in at a
location(although an estimate can be calculated if multiple “frames” are
taken)
It is also important to note that while creating a “comprehensive database”
of all checkins in all the locations in a large area requires a substantial
amount of time, many of these attacks do not require such a database. In
scanning for potential robbery victims, for instance, an attacker need not
scan an entire city, but merely acquire a list of a substantial number of
people who are away from their homes.
In addition, any of these attacks would be trivial to parallelize across
machines owned by accomplices, or infected by a botnet, by the simple
expedient of assigning each machine a specific lat/long range to scan.
CREDIT
Discovered by Nathan Whitmore
--
Any technology distinguishable from magic is insufficiently advanced
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists