| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue, 10 Aug 2021 12:17:05 +0530 From: Sivanesh Ashok <sivaneshashok@...il.com> To: fulldisclosure@...lists.org Subject: [FD] Accept Facebook friend requests without unlocking your Android [Unpatched] Author - Sivanesh Ashok | @sivaneshashok | stazot.com Date : 2021-08-03 Vendor : https://facebook.com/ Version : * Tested on : Version 329.0.0.29.120, Android 10 Last Modified : 2021-08-10 --[ Bug Description Facebook for Android is vulnerable to a permission issue which allows anyone with physical access to the Android device, to accept friend requests without unlocking the phone. The bug works when the device's lock screen notification setting is set to "Show sensitive content when locked". The victim user who set "Show sensitive content when locked", would not know that the app also allows such sensitive action to be performed when locked. An attacker who has access to the victim's locked phone will be able to add the victim as a friend and collect personal information about the victim such as email, DoB, check-ins, pictures and other information that the victim shared to be visible only to their friends. --[ Steps to reproduce As the attacker: 1. Get your hands on the victim's locked phone. 2. Send friend request to the victim. 3. See the notification about your friend request on the victim's locked phone. 4. Expand the friend request and touch the Confirm button. 5. Note that you are now friends with the victim. 6. Check the information that the victim has shared only with their friends. --[ Proof of Concept Here is a video PoC of this bug - https://youtu.be/RbBspN-0r-U --[ Responsible Disclosure I reported the bug to Facebook, and they seem to not consider this a valid security, "as the user is in control of their notifications and can prevent this kind of scenarios by adjusting their phone's settings". An interesting decision, since the user only wants to "Show sensitive content when locked", and not "Modify sensitive content when locked". Also, other push notifications on Facebook/Messenger/Instagram do not behave the same. So, I think it is worth a patch. Wonder if Facebook will consider it a security risk if it was possible to accept follow requests to a private Instagram account from a locked phone. --[ Contact Name : Sivanesh Ashok Twitter : @sivaneshashok Website : https://stazot.com _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists