lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <1A786F4E3EA4DB48B825D2C0FC639910698A2D97@GTHO-BE-A.TECHNOLOGIES-AD.PARIS.FR>
Date: Thu, 21 Nov 2013 13:51:42 +0000
From: qsrc Quotium <qsrc@...tium.com>
To: "bugtraq@...urityfocus.com" <bugtraq@...urityfocus.com>,
  "full-disclosure@...ts.grok.org.uk" <full-disclosure@...ts.grok.org.uk>
Subject: Facebook Vulnerability Discloses Friends Lists Defined as Private

Facebook Vulnerability Discloses Friends Lists Defined as Private
=================================================

Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing the 'People You May Know' mechanism on Facebook, which is the mechanism by which Facebook suggests new friends to users. 
With attacks being on the rise, Facebook is often targeted by hackers for the information it possesses. Users rely on Facebook to maintain their privacy to the best of Facebook's ability. 

Technical Details
=============
To execute the attack, an attacker needs to create a new user on Facebook, and send a friend request to the victim. The victim declining the request is irrelevant. At this point Facebook begins to suggest to the attacker people he may know, with the option of clicking a 'see all' button for convenience. The people suggested at this point are the friends of the user to whom the attacker sent a friend request, even when the friends list of the victim is set to private, and the other suggested users also have their friends list private. 
For full technical information see www.quotium.com/research/advisories/Facebook_Vulnerability_Discloses_Private_Friends_list.php 

Vendor Response
==============
FB responded that:"If you don't have friends on Facebook and send a friend request to someone who's chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone's complete friend list." However, research of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any case, even a partial friends list is a violation of user-chosen privacy controls. 
Since this vulnerability renders the privacy control to hide friends lists from other users irrelevant, we hope Facebook will change its mind and this flaw will be addressed. 

Credit
=====
Irene Abezgauz, VP Product Management at Quotium and Seeker Research Center leader is credited with the discovery of this vulnerability. 

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ