Recently there was an issue with the way Facebook handles the privacy of basic user information. The problem was, that if an individual logged in with the correct email, but incorrect password, a page would be displayed that contained the name, and image of the profile corresponding to the submitted email address. This of course is a bad thing, especially for people who have really locked their Facebook profiles down, and expect the previously mentioned information to remain private.
Unfortunately, after a few minutes of poking around to see if the issue was properly resolved I was able to find an almost identical issue within the core of the Facebook "Friend Finder" feature that allows an attacker to correlate not only email addresses to private profiles, but IM Handles as well. In order to take advantage of this information leak, all an attacker needs to do is follow these simple steps.
1. Navigate to the Facebook "Friend Finder" feature.
2. Click the "Upload Contact File" option in order to access the file upload prompt (Other contact import features work as well. i.e. Import from webmail contacts, and even import IM Contacts).
3. Upload a contact file of ANY of the accepted formats that contains a list of email addresses that you would like to enumerate.
4. If the account is not viewable due to privacy settings then you will be presented with a page like the one shown in the following image. Select the target email(s), and click "Invite to Join.
5. If the email you are targeting DOES have a restricted Facebook profile then an email invite will not be sent, and a page like the following will be visible, which contains a link to the Facebook profile associated with the target email address to be enumerated.
As previously mentioned, the "Friend Finder" feature can also be abused via other vectors as well, to leak user information such as IM Handles (AIM, MSN, ICQ, etc.) as seen in the image below.
Even though these issues that I point out here are new, privacy leaks are nothing new at all to Facebook, and will likely be an issue for the foreseeable future.
UPDATE: Facebook has since corrected these issues. Also, thanks to Blogger for an epic fail, and locking my blog for no reason the day I created this article. I truly appreciate that guys; and it only took you two days to realize you noobed it up, I'm impressed.
Unfortunately, after a few minutes of poking around to see if the issue was properly resolved I was able to find an almost identical issue within the core of the Facebook "Friend Finder" feature that allows an attacker to correlate not only email addresses to private profiles, but IM Handles as well. In order to take advantage of this information leak, all an attacker needs to do is follow these simple steps.
1. Navigate to the Facebook "Friend Finder" feature.
2. Click the "Upload Contact File" option in order to access the file upload prompt (Other contact import features work as well. i.e. Import from webmail contacts, and even import IM Contacts).
3. Upload a contact file of ANY of the accepted formats that contains a list of email addresses that you would like to enumerate.
4. If the account is not viewable due to privacy settings then you will be presented with a page like the one shown in the following image. Select the target email(s), and click "Invite to Join.
5. If the email you are targeting DOES have a restricted Facebook profile then an email invite will not be sent, and a page like the following will be visible, which contains a link to the Facebook profile associated with the target email address to be enumerated.
As previously mentioned, the "Friend Finder" feature can also be abused via other vectors as well, to leak user information such as IM Handles (AIM, MSN, ICQ, etc.) as seen in the image below.
Even though these issues that I point out here are new, privacy leaks are nothing new at all to Facebook, and will likely be an issue for the foreseeable future.
UPDATE: Facebook has since corrected these issues. Also, thanks to Blogger for an epic fail, and locking my blog for no reason the day I created this article. I truly appreciate that guys; and it only took you two days to realize you noobed it up, I'm impressed.
No comments:
Post a Comment