Full Disclosure mailing list archives
Facebook Places private information leak
From: Nathan Whitmore <nathanww () gmail com>
Date: Fri, 1 Oct 2010 14:38:36 -0400
SUMMARY A vulnerability was discovered in Facebook Places that could be exploited to divulge a user's location even if the user has restricted their location information to “only friends” or “only me”, as long as the “make me visible in people here now” option is enabled HISTORY Vulnerability discovered:August 25, 2010 Vulnerability resolved:September 30, 2010(See details below) IMPACT Facebook has addressed the particular proof-of-concept for this vulnerability by enhancing anti-scraping protection and and changing the format in which data for the “people here now” view is transmitted to a requester. However, the presence of this feature at all opens an “analog hole” which means that a similar attack with a more sophisticated scraping system is still theoretically possible. DESCRIPTION The problem occurs because Places did not properly anticipate the consequences of rapid automatic checkins and geolocation spoofing. An automatic “scraper” program could emulate an iPhone web browser, transmit a faked geolocation response, and obtain the list of people at the specified location. By querying each location in a latitude/longitude grid, an attacker could create a database of the locations of all checkins within the grid, and map movement of users by collecting multiple “frames” of data over time This could allow an attacker to: - Stalk a user by creating a database of all checkins within a given area, then querying the database to obtain semi-real-time and historical data on the user's checkins - Identify potential victims for robbery or vandalism by identifying users who are a significant distance from their home(similar to pleaserobme.com ) - Collect aggregate data for sociological or basic demographic research - Compile a database of check-ins in a geographically wide set of “regions of interest”(gambling sites, bars, etc) and determine whether a given person had ever checked in at any of the monitored locations Using this vulnerability, an attacker could not: - Obtain a user's location if they are not visible in “people here now” - Obtain a user's location without them manually checking in - Identify precisely how much time has elapsed since a user checked in at a location(although an estimate can be calculated if multiple “frames” are taken) It is also important to note that while creating a “comprehensive database” of all checkins in all the locations in a large area requires a substantial amount of time, many of these attacks do not require such a database. In scanning for potential robbery victims, for instance, an attacker need not scan an entire city, but merely acquire a list of a substantial number of people who are away from their homes. In addition, any of these attacks would be trivial to parallelize across machines owned by accomplices, or infected by a botnet, by the simple expedient of assigning each machine a specific lat/long range to scan. CREDIT Discovered by Nathan Whitmore -- Any technology distinguishable from magic is insufficiently advanced
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Facebook Places private information leak Nathan Whitmore (Oct 01)