lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 06 Aug 2013 16:51:39 +0200
From: Alex <>
Subject: Re: Facebook allows disclosure of friends list.

Nice finding, but how do you know the victims email address? 

Am 2013-08-06 05:41, schrieb Bhavesh Naik: 

>   Affected application:
> Impact: Access to friends list, by bypassing the privacy settings
> Author: Bhavesh Naik
> It was JULY 17, 2013 when I discovered this little loophole and I submitted the vulnerability to facebook but then I wasn't on the 'Hall of Fame' and neither did I receive any sort of recognition, since I was told they are aware of such scenarios. 
> Well without wasting much time, I will start with the PoC. 
> _Note : Prior to this you should know your friends email address._ 
> The following screenshot is the victims (your friend) privacy setting , it shows that nobody is allowed to see the friends list: 
> [4] 
> Now the attack, visit [5] and select "Forgot your password?" 
> There you will be prompted to enter the email address. Enter the victims email ID: 
> [6] 
> You will see the following page: 
> [7] 
> You will be prompted to enter a new email address. Enter any email ID not associated to facebook. 
> [8] 
> Press 'Continue'. You will be asked as to how you want to recover your account. 
> [9] 
> Click on 'Recover your account with help from friends' 
> [10] 
> VOILA ! You see the friends list :D 
> [11] 
> I was wondering, "What is the use of such privacy setting when it can be bypassed by abuse of other functionality?". 
> Status: Unfixed. 
> Reported: Yes 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: [1]
> Hosted and sponsored by Secunia - [2]


Content of type "text/html" skipped

Full-Disclosure - We believe in it.
Hosted and sponsored by Secunia -

Powered by blists - more mailing lists