lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Date: Tue, 10 Aug 2021 12:17:05 +0530
From: Sivanesh Ashok <sivaneshashok@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] Accept Facebook friend requests without unlocking your Android
	[Unpatched]

Author - Sivanesh Ashok | @sivaneshashok | stazot.com

Date          : 2021-08-03
Vendor        : https://facebook.com/
Version       : *
Tested on     : Version 329.0.0.29.120, Android 10
Last Modified : 2021-08-10


--[ Bug Description

Facebook for Android is vulnerable to a permission issue which allows
anyone with physical access to the Android device, to accept friend
requests without unlocking the phone. The bug works when the device's lock
screen notification setting is set to "Show sensitive content when locked".
The victim user who set "Show sensitive content when locked", would not
know that the app also allows such sensitive action to be performed when
locked.

An attacker who has access to the victim's locked phone will be able to add
the victim as a friend and collect personal information about the victim
such as email, DoB, check-ins, pictures and other information that the
victim shared to be visible only to their friends.


--[ Steps to reproduce

As the attacker:
1. Get your hands on the victim's locked phone.
2. Send friend request to the victim.
3. See the notification about your friend request on the victim's locked
phone.
4. Expand the friend request and touch the Confirm button.
5. Note that you are now friends with the victim.
6. Check the information that the victim has shared only with their friends.


--[ Proof of Concept

Here is a video PoC of this bug - https://youtu.be/RbBspN-0r-U


--[ Responsible Disclosure

I reported the bug to Facebook, and they seem to not consider this a valid
security, "as the user is in control of their notifications and can prevent
this kind of scenarios by adjusting their phone's settings". An interesting
decision, since the user only wants to "Show sensitive content when
locked", and not "Modify sensitive content when locked". Also, other push
notifications on Facebook/Messenger/Instagram do not behave the same. So, I
think it is worth a patch. Wonder if Facebook will consider it a security
risk if it was possible to accept follow requests to a private Instagram
account from a locked phone.


--[ Contact

Name    : Sivanesh Ashok
Twitter : @sivaneshashok
Website : https://stazot.com

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists