Date: Mon, 5 Aug 2013 20:41:38 -0700 (PDT)
From: Bhavesh Naik <bhavesh_shouts@...oo.com>
To: "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Facebook allows disclosure of friends list.



Blog post link : http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
Affected application: facebook.com
Impact: Access to friends list, by bypassing the privacy settings
Author: Bhavesh Naik


It was JULY 17, 2013 when I discovered this little loophole and I 
submitted the vulnerability to facebook but then I wasn't on the 'Hall 
of Fame' and neither did I receive any sort of 
recognition, since I was told they are aware of such scenarios.
Well without wasting much time, I will start with the PoC.
Note : Prior to this you should know your friends email address.
The following screenshot is the victims (your friend) privacy setting , it shows that nobody is allowed to see the friends list:

Now the attack, visit http://facebook.com and select "Forgot your password?"
There you will be prompted to enter the email address. Enter the victims email ID:

You will see the following page:

You will be prompted to enter a new email address. Enter any email ID not associated to facebook.

Press 'Continue'. You will be asked as to how you want to recover your account.

Click on 'Recover your account with help from friends'

VOILA ! You see the friends list :D

I was wondering, "What is the use of such privacy setting when it can be bypassed by abuse of other functionality?".
Status: Unfixed.
Reported: Yes

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists