lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 6 Aug 2013 08:27:58 -0700
From: David Mah <mahhaha@...il.com>
To: Alex <fd@...oo.de>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Re: Facebook allows disclosure of friends list.

Noting that I tried it myself just now had different results, and I'm not
sure if this is exploitable as easily as it originally seemed to be.


At his third image, the one that gives the three options 'google account',
'email', or 'smartphone', I clicked Continue. Instead of the page that he
showed, I got a page that sent me straight to gmail to reset my password.
Based on his image though, I dropped
https://www.facebook.com/recover/extended into the URL and got the
interface that he described which let me see my entire friend's list.


Then I tried to access a friend of mine's account, and got a different
interface. There were three links to email providers citing "follow one of
the links below to learn how to reset your email password with major email
providers", and a "I Cannot Access My Email" button. Clicking that, I got a
page at https://www.facebook.com/recover/extended/ineligible, which says:

 "We're sorry you're having trouble recovering your email address.
> Unfortunately, this means we can't verify who you are or give you access to
> the Facebook account you're trying to log into. We may hide the information
> on your Facebook account if we detect that you cannot regain access to it"


This was in a private browser session, so no cookies for facebook existed
(also in firefox, which I don't normally use anyway).

My speculation on this is that facebook keeps track of IPs that you
commonly log in from. If you are trying to recover your account from one of
said IPs, then it will give you an easier account recovery process.

David

On Tue, Aug 6, 2013 at 7:51 AM, Alex <fd@...oo.de> wrote:

> **
>
> Nice finding, but how do you know the victims email address?
>
>
>
> Am 2013-08-06 05:41, schrieb Bhavesh Naik:
>
>  * *
> *Blog post link :
> http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
> *
> * *
> *Affected application: facebook.com
> Impact: Access to friends list, by bypassing the privacy settings
> Author: Bhavesh Naik
>
> *
> It was JULY 17, 2013 when I discovered this little loophole and I
> submitted the vulnerability to facebook but then I wasn't on the 'Hall of
> Fame' and neither did I receive any sort of recognition, since I was told
> they are aware of such scenarios.
> Well without wasting much time, I will start with the PoC.
> *Note : Prior to this you should know your friends email address.*
> The following screenshot is the victims (your friend) privacy setting , it
> shows that nobody is allowed to see the friends list:
> [image: fb1] <http://techielogic.files.wordpress.com/2013/08/fb1.png>
> Now the attack, visit http://facebook.com and select "Forgot your
> password?"
> There you will be prompted to enter the email address. Enter the victims
> email ID:
> [image: fb2] <http://techielogic.files.wordpress.com/2013/08/fb2.png>
> You will see the following page:
> [image: fb3] <http://techielogic.files.wordpress.com/2013/08/fb3.png>
> You will be prompted to enter a new email address. Enter any email ID not
> associated to facebook.
> [image: fb4] <http://techielogic.files.wordpress.com/2013/08/fb4.png>
> Press 'Continue'. You will be asked as to how you want to recover your
> account.
> [image: fb5] <http://techielogic.files.wordpress.com/2013/08/fb51.png>
> Click on 'Recover your account with help from friends'
> [image: fb6] <http://techielogic.files.wordpress.com/2013/08/fb6.png>
> VOILA ! You see the friends list :D
> [image: fb7] <http://techielogic.files.wordpress.com/2013/08/fb7.png>
> I was wondering, "What is the use of such privacy setting when it can be
> bypassed by abuse of other functionality?".
> Status: Unfixed.
> Reported: Yes
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>

Content of type "text/html" skipped

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists