Message-ID: <AANLkTikNHPK9fSe2JLWC_11JNFGQ3si0D0OTX6jgxFY=@mail.gmail.com>
Date: Wed, 11 Aug 2010 14:36:03 +0530
From: Atul Agarwal <atul@...fence.com>
To: full-disclosure@...ts.grok.org.uk
Subject: Facebook name extraction based on email/wrong password + POC
Hello all,
Some time back, I noticed a strange problem with Facebook. I had accidentally
entered a wrong password in Facebook, and it showed my first and last name
with profile picture, along with the "password incorrect" message. I thought
that the fact that it was showing the name had something to do with stored
cookies, so I tried other email IDs, and it was the same. I wondered about
the possibilities, and wrote a POC tool to test it.
This script extracts the first and last name (provided by the users when
they sign up for Facebook). Facebook is kind enough to return the name even
if the supplied email/password combination is wrong. Furthermore, it also
gives out the profile picture (this script does not harvest it, but it's easy
to add that too). Facebook users have no control over this, as this works
even when you have set all privacy settings properly. Harvesting this data
is very easy, as it can easily be bypassed by using a bunch of proxies.
As Facebook is so popular, some implications:
1) Someone has a list of email addresses that he has no clue about. He can
feed them to Facebook one by one (or in a list, using a script like this)
and chances are that he'll get more than 50% hits. Useful for phishing
attacks (people will get more convinced when they see their *real* names).
2) One can generate random email addresses and *verify* their existence.
Hint: You can generate emails using (common names + a corporate domain) and
check them against Facebook. Might come in handy in a pentest.
The rest is left up to one's imagination.
Find the POC script attached.
PS: I did not report this, as I am unsure what to call it: a "bug", a
"vuln" or a "feature".
Thanks,
Atul Agarwal
Secfence Technologies
www.secfence.com
Download attachment "fbextract.php" of type "application/octet-stream" (9690 bytes)
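The following is an added example, not the post's attached fbextract.php and not Facebook's code. It models the login-error oracle the post describes and the harvesting it enables, entirely offline: the account table, both login handlers, the "common names + corporate domain" generator, the sample names and the example.com domain are all constructed for the demonstration. The point it makes is that the leak lives in the failure response, so the fix is a single uniform error that echoes nothing about the account, with the password check still run for unknown addresses so timing does not become a second oracle.

```python
"""Model of a login form that leaks the account name on a wrong password,
the harvester that exploits it, and the hardened handler that does not leak.
All data below is constructed for this example."""
import hashlib
import hmac
import itertools
import secrets

# Fixed salt and a low iteration count keep the example deterministic and
# quick; a real deployment uses a per-user random salt and far more rounds.
_SALT = b"demo-salt"
_ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


# Constructed account table standing in for the site's user store.
ACCOUNTS = {
    "john.smith@example.com": {"name": "John Smith", "pw": _hash("hunter2")},
    "mary.jones@example.com": {"name": "Mary Jones", "pw": _hash("correct horse")},
    "alice@mail.example": {"name": "Alice Liddell", "pw": _hash("wonderland")},
}

# Dummy hash used to keep the hardened handler's timing uniform for
# unknown addresses (hypothetical, for the example only).
_DUMMY_HASH = _hash("")


def vulnerable_login(email: str, password: str) -> dict:
    """Behaviour the post describes: a wrong password still returns the
    account's display name, so the error confirms the address exists.
    The two different error strings are a second, weaker oracle."""
    account = ACCOUNTS.get(email)
    if account is None:
        return {"ok": False, "error": "no account for this email"}
    if not hmac.compare_digest(_hash(password), account["pw"]):
        return {"ok": False, "error": "password incorrect", "name": account["name"]}
    return {"ok": True, "name": account["name"]}


def hardened_login(email: str, password: str) -> dict:
    """Same check, but every failure returns the same message with no
    account data, and the password hash is computed even for unknown
    addresses so response time does not reveal existence either."""
    account = ACCOUNTS.get(email)
    expected = account["pw"] if account is not None else _DUMMY_HASH
    match = hmac.compare_digest(_hash(password), expected)
    if account is not None and match:
        return {"ok": True, "name": account["name"]}
    return {"ok": False, "error": "The email or password you entered is incorrect."}


def harvest(login_fn, candidates) -> dict:
    """Feed each candidate address to the login oracle with a deliberately
    wrong password and collect email -> name for every address the failure
    response confirms. Against hardened_login the result is empty."""
    wrong_password = secrets.token_urlsafe(32)  # will not match any account
    found = {}
    for email in candidates:
        resp = login_fn(email, wrong_password)
        if not resp["ok"] and "name" in resp:
            found[email] = resp["name"]
    return found


def guess_corporate_addresses(first_names, last_names, domain):
    """Implication 2 from the post: build candidate addresses from common
    names and a target domain, to be verified against the oracle."""
    for first, last in itertools.product(first_names, last_names):
        yield f"{first}.{last}@{domain}"
        yield f"{first[0]}{last}@{domain}"


if __name__ == "__main__":
    guesses = list(guess_corporate_addresses(["john", "mary"], ["smith", "jones"], "example.com"))
    print("leaky handler confirms:", harvest(vulnerable_login, guesses))
    print("hardened handler confirms:", harvest(hardened_login, guesses))
```

Run against the leaky handler, the name-based guesses confirm both example.com accounts and their real names; the same list against the hardened handler confirms nothing, and the attacker cannot tell an unknown address from a wrong password by message or by timing.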
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/