Full Disclosure mailing list archives
Access any album on any Facebook profile
From: securityninja () securityninja co uk
Date: Thu, 12 Mar 2009 16:36:45 +0000
Hi everyone,

I was creating a presentation last week covering the security risks and weaknesses of social networking websites and I found a few interesting things. The most interesting flaw I found was the poor control around access to users' photo albums on Facebook, not the world's biggest hack by a long way but still interesting. I contacted Facebook last Thursday and I never received a response so I felt it was time to post the full details on my blog.

I think most Facebook users would know that you can give a public URL to every photo and album you upload so that non-Facebook users can view them. I wondered if we could exploit this somehow to allow us to access any user's photos and albums without being their friends, without being in groups with them, having friends who are friends with them, etc.

I found out it is possible! All you have to do is perform a search, hover over the “add friend” link, fire up the Burp Suite and sit back and wait for the photos!

I have still received no response from Facebook so I have posted the full details here:

http://securityninja.co.uk/blog/?p=198 [1]

I acknowledge that this isn't a huge flaw and will not change the world of security but I thought people would find it interesting.

SN

Links:
------
[1] http://securityninja.co.uk/blog/?p=198