Full Disclosure mailing list archives

Re: Facebook allows disclosure of friends list.

From: Alex <fd () daloo de>
Date: Tue, 06 Aug 2013 16:51:39 +0200



Nice finding, but how do you know the victims email address? 

Am 2013-08-06 05:41, schrieb Bhavesh Naik:

BLOG POST LINK : _HTTP://TECHIELOGIC.WORDPRESS.COM/2013/08/04/FACEBOOKS-FRIENDS-LIST-DISCLOSURE-VULNERABILITY/ [3]_
Affected application: facebook.com
Impact: Access to friends list, by bypassing the privacy settings
Author: Bhavesh Naik

It was JULY 17, 2013 when I discovered this little loophole and I submitted the vulnerability to facebook but then I
wasn't on the 'Hall of Fame' and neither did I receive any sort of recognition, since I was told they are aware of
such scenarios.
Well without wasting much time, I will start with the PoC.
_Note : Prior to this you should know your friends email address._
The following screenshot is the victims (your friend) privacy setting , it shows that nobody is allowed to see the
friends list:
[4]
Now the attack, visit http://facebook.com [5] and select "Forgot your password?"
There you will be prompted to enter the email address. Enter the victims email ID:
[6]
You will see the following page:
[7]
You will be prompted to enter a new email address. Enter any email ID not associated to facebook.
[8]
Press 'Continue'. You will be asked as to how you want to recover your account.
[9]
Click on 'Recover your account with help from friends'
[10]
VOILA ! You see the friends list :D
[11]
I was wondering, "What is the use of such privacy setting when it can be bypassed by abuse of other functionality?".
Status: Unfixed.
Reported: Yes

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1]
Hosted and sponsored by Secunia - http://secunia.com/ [2]




Links:
------
[1] http://lists.grok.org.uk/full-disclosure-charter.html
[2] http://secunia.com/
[3]
http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
[4] http://techielogic.files.wordpress.com/2013/08/fb1.png
[5] http://facebook.com/
[6] http://techielogic.files.wordpress.com/2013/08/fb2.png
[7] http://techielogic.files.wordpress.com/2013/08/fb3.png
[8] http://techielogic.files.wordpress.com/2013/08/fb4.png
[9] http://techielogic.files.wordpress.com/2013/08/fb51.png
[10] http://techielogic.files.wordpress.com/2013/08/fb6.png
[11] http://techielogic.files.wordpress.com/2013/08/fb7.png

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Current thread:

Facebook allows disclosure of friends list. Bhavesh Naik (Aug 06)
- Re: Facebook allows disclosure of friends list. Alex (Aug 06)
  - Re: Facebook allows disclosure of friends list. Valdis . Kletnieks (Aug 06)
    - Re: Facebook allows disclosure of friends list. adam (Aug 06)
  - Re: Facebook allows disclosure of friends list. David Mah (Aug 06)
    - Re: Facebook allows disclosure of friends list. Alex (Aug 06)
    - Re: Facebook allows disclosure of friends list. adam (Aug 06)
- <Possible follow-ups>
- Re: Facebook allows disclosure of friends list. Bhavesh Naik (Aug 07)
  - Re: Facebook allows disclosure of friends list. Alex (Aug 07)