Full Disclosure mailing list archives

Re: Facebook name extraction based on email/wrong password + POC


From: ghost <ghosts () gmail com>
Date: Thu, 12 Aug 2010 13:17:34 -0700

The great thing about these threads is you can killfile anybody in
them and know you'll never miss anything useful.

Please keep it going.



On Thu, Aug 12, 2010 at 7:00 AM, Zerial. <fernando () zerial org> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

This bug appears in a Spanish security news site:


http://blog.segu-info.com.ar/2010/08/error-en-facebook-permite-extraer.html

Probably it was reported by someone.

cheers






On 08/11/10 23:13, werew01f wrote:
Doesn't seem to work on my system. No user name or picture was displayed.


On Wed, Aug 11, 2010 at 5:01 PM, Atul Agarwal <atul () secfence com> wrote:

    Hello all,

    Some time back, I noticed a strange problem with Facebook. I had
    accidentally entered a wrong password in Facebook, and it showed my
    first and last name with profile picture, along with the "password
    incorrect" message. I thought that the fact that it was showing the
    name had something to do with cookies stored, so I tried other email
    IDs, and it was the same. I wondered about the possibilities, and
    wrote a POC tool to test it.

    This script extracts the first and last name (provided by the users
    when they sign up for Facebook). Facebook is kind enough to return
    the name even if the supplied email/password combination is wrong.
    Furthermore, it also gives out the profile picture (this script does
    not harvest it, but it's easy to add that too). Facebook users have
    no control over this, as this works even when you have set all
    privacy settings properly. Harvesting this data is very easy, as it
    can be easily bypassed by using a bunch of proxies.

    As Facebook is so popular, some implications -

    1) Someone has a list of email addresses that he has no clue about. He
    can feed them to Facebook one by one (or in a list, using a script
    like this) and chances are that he'll get more than 50% hits. Useful
    for phishing attacks (people will get more convinced when they see
    their *real* names).

    2) One can generate random email addresses and *verify* their
    existence. Hint: you can generate emails using (common names + a
    corporate domain) and check them against Facebook. Might come in handy
    in a pentest.

    Rest is only left up to one's imagination.

    Find the POC script attached.

    PS: I did not report this, as I am unsure on what to call it, a
    "bug", "vuln" or a "feature".

    Thanks,
    Atul Agarwal
    Secfence Technologies
    www.secfence.com

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.grok.org.uk/full-disclosure-charter.html
    Hosted and sponsored by Secunia - http://secunia.com/






- --
Zerial
Seguridad Informatica
Blog: http://blog.zerial.org
Skype: erzerial
Jabber: zerial () jabberes org
GTalk: fernando () zerial org

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAkxj/oYACgkQIP17Kywx9JQRwgCfZCloGsZGESiYer3KXJ256Ahv
v+gAnjAgODKzFw5/inB+Q4JwULaX1p5P
=Rbq1
-----END PGP SIGNATURE-----



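The POC script Atul refers to was an attachment and is not reproduced on this page. What follows is an added example, not that script and not Facebook's code: an offline model of the oracle the thread describes, with a login handler that names the account holder on a wrong password placed beside one that returns a uniform failure, and the "common names + corporate domain" enumeration from point 2 run against both. The user store, the names, the password hashes and the domain example.com are all constructed for the example.

```python
"""Added example: account-enumeration oracle via a leaky login failure,
beside the hardened handler. Every account below is constructed."""
import hashlib
import hmac
import itertools

# --- constructed user store (not real accounts) ---------------------------
SALT = b"example-salt"

def pw_hash(password: str) -> bytes:
    """Salted PBKDF2 hash; iteration count kept low so the demo runs fast."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 5_000)

USERS = {
    # email -> (first name, last name, password hash)
    "alice.jones@example.com": ("Alice", "Jones", pw_hash("correct horse")),
    "bob@example.com":         ("Bob",   "Smith", pw_hash("hunter2")),
    "carol@example.com":       ("Carol", "Diaz",  pw_hash("s3cret")),
}
DUMMY_HASH = pw_hash("dummy")  # compared against when the email is unknown
GENERIC_FAILURE = "The email or password you entered is incorrect."

def login_leaky(email: str, password: str) -> dict:
    """Vulnerable pattern: the wrong-password response carries the account
    holder's name, and differs from the unknown-email response."""
    rec = USERS.get(email)
    if rec is None:
        return {"ok": False, "message": "No account found for that email."}
    first, last, stored = rec
    if hmac.compare_digest(pw_hash(password), stored):
        return {"ok": True, "message": f"Welcome back, {first}!"}
    return {"ok": False,
            "message": f"Incorrect password for {first} {last}.",
            "name": f"{first} {last}"}

def login_uniform(email: str, password: str) -> dict:
    """Hardened pattern: one failure message for both cases, and the hash
    comparison is performed even for unknown emails so that response time
    does not become the next oracle."""
    rec = USERS.get(email)
    stored = rec[2] if rec is not None else DUMMY_HASH
    matched = hmac.compare_digest(pw_hash(password), stored)
    if rec is not None and matched:
        return {"ok": True, "message": f"Welcome back, {rec[0]}!"}
    return {"ok": False, "message": GENERIC_FAILURE}

# --- the attacker's side, as sketched in point 2 of the post ---------------
COMMON_FIRST = ["alice", "bob", "carol", "dave", "erin"]
COMMON_LAST = ["jones", "smith", "diaz"]

def candidate_emails(domain: str) -> list:
    """'Common names + a corporate domain': first@domain and
    first.last@domain for every combination of the two lists."""
    singles = [f"{f}@{domain}" for f in COMMON_FIRST]
    pairs = [f"{f}.{l}@{domain}"
             for f, l in itertools.product(COMMON_FIRST, COMMON_LAST)]
    return singles + pairs

def harvest_names(login, candidates, bad_password="definitely-wrong") -> dict:
    """Submit a deliberately wrong password per candidate and keep every
    response that discloses a name: existence and identity in one request."""
    found = {}
    for email in candidates:
        resp = login(email, bad_password)
        if "name" in resp:
            found[email] = resp["name"]
    return found

def failure_messages(login, candidates, bad_password="definitely-wrong") -> set:
    """Distinct failure texts across the candidate list. More than one
    distinct message means the endpoint is an enumeration oracle even when
    it never prints a name outright."""
    return {login(e, bad_password)["message"] for e in candidates}

if __name__ == "__main__":
    cands = candidate_emails("example.com")
    print("leaky   :", harvest_names(login_leaky, cands))
    print("uniform :", harvest_names(login_uniform, cands))
    print("distinct failures, leaky  :", len(failure_messages(login_leaky, cands)))
    print("distinct failures, uniform:", len(failure_messages(login_uniform, cands)))
```

Against `login_leaky`, twenty candidate addresses yield the three real accounts with their full names and four distinct failure strings; against `login_uniform` the same run yields nothing and a single failure string. The check a practitioner wants on a real endpoint is the second one: diff the failure responses (body, status code, and response time) for a known-good and a known-bad address, since an endpoint that keeps the name out of the text but still answers "no such account" differently is just as enumerable.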

