| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 6 Aug 2013 10:39:57 -0500
From: adam <adam@...sy.net>
To: Alex <fd@...oo.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook allows disclosure of friends list.
I never saw the message from David Mah, but he's correct about the IP
thing. If X account has ever logged in from your IP, you can use things
like the phone number to recover the account. But for obvious reasons, the
phone number typically doesn't seem to work otherwise, so this supports the
IP-history theory.
On Tue, Aug 6, 2013 at 10:36 AM, Alex <fd@...oo.de> wrote:
> **
>
> Same here, it seems to differ
>
> a) if phone is registered to facebook (maybe they send a code to it)
>
> b) if gmail is available
>
> My testaccount said "it cannot recover my data". Another account went to
> the new email window, but had no option to chose the "friends" way.
>
> But the <username>@facebook.com worked.
>
>
>
> Am 2013-08-06 17:27, schrieb David Mah:
>
> Noting that I tried it myself just now had different results, and I'm not
> sure if this is exploitable as easily as it originally seemed to be.
>
>
> At his third image, the one that gives the three options 'google account',
> 'email', or 'smartphone', I clicked Continue. Instead of the page that he
> showed, I got a page that sent me straight to gmail to reset my password.
> Based on his image though, I dropped
> https://www.facebook.com/recover/extended into the URL and got the
> interface that he described which let me see my entire friend's list.
>
>
> Then I tried to access a friend of mine's account, and got a different
> interface. There were three links to email providers citing "follow one of
> the links below to learn how to reset your email password with major email
> providers", and a "I Cannot Access My Email" button. Clicking that, I got a
> page at https://www.facebook.com/recover/extended/ineligible, which says:
>
>
>> "We're sorry you're having trouble recovering your email address.
>> Unfortunately, this means we can't verify who you are or give you access to
>> the Facebook account you're trying to log into. We may hide the information
>> on your Facebook account if we detect that you cannot regain access to it"
>
>
> This was in a private browser session, so no cookies for facebook existed
> (also in firefox, which I don't normally use anyway).
>
> My speculation on this is that facebook keeps track of IPs that you
> commonly log in from. If you are trying to recover your account from one of
> said IPs, then it will give you an easier account recovery process.
>
> David
>
> On Tue, Aug 6, 2013 at 7:51 AM, Alex <fd@...oo.de> wrote:
>
>> Nice finding, but how do you know the victims email address?
>>
>>
>>
>> Am 2013-08-06 05:41, schrieb Bhavesh Naik:
>>
>> * *
>> *Blog post link :
>> http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
>> *
>> * *
>> *Affected application: facebook.com
>> Impact: Access to friends list, by bypassing the privacy settings
>> Author: Bhavesh Naik
>>
>> *
>> It was JULY 17, 2013 when I discovered this little loophole and I
>> submitted the vulnerability to facebook but then I wasn't on the 'Hall of
>> Fame' and neither did I receive any sort of recognition, since I was told
>> they are aware of such scenarios.
>> Well without wasting much time, I will start with the PoC.
>> *Note : Prior to this you should know your friends email address.*
>> The following screenshot is the victims (your friend) privacy setting ,
>> it shows that nobody is allowed to see the friends list:
>> [image: fb1] <http://techielogic.files.wordpress.com/2013/08/fb1.png>
>> Now the attack, visit http://facebook.com and select "Forgot your
>> password?"
>> There you will be prompted to enter the email address. Enter the victims
>> email ID:
>> [image: fb2] <http://techielogic.files.wordpress.com/2013/08/fb2.png>
>> You will see the following page:
>> [image: fb3] <http://techielogic.files.wordpress.com/2013/08/fb3.png>
>> You will be prompted to enter a new email address. Enter any email ID not
>> associated to facebook.
>> [image: fb4] <http://techielogic.files.wordpress.com/2013/08/fb4.png>
>> Press 'Continue'. You will be asked as to how you want to recover your
>> account.
>> [image: fb5] <http://techielogic.files.wordpress.com/2013/08/fb51.png>
>> Click on 'Recover your account with help from friends'
>> [image: fb6] <http://techielogic.files.wordpress.com/2013/08/fb6.png>
>> VOILA ! You see the friends list :D
>> [image: fb7] <http://techielogic.files.wordpress.com/2013/08/fb7.png>
>> I was wondering, "What is the use of such privacy setting when it can be
>> bypassed by abuse of other functionality?".
>> Status: Unfixed.
>> Reported: Yes
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>>
>>
>>
>> _______________________________________________
>> Full-Disclosure - We believe in it.
>> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
>> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
Content of type "text/html" skipped
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Powered by blists - more mailing lists