Full Disclosure mailing list archives

Facebook Places private information leak
From: Nathan Whitmore <nathanww () gmail com>
Date: Fri, 1 Oct 2010 14:38:36 -0400


A vulnerability was discovered in Facebook Places that could be exploited to
divulge a user's location even if the user has restricted their location
information to “only friends” or “only me”, as long as the “make me visible
in people here now” option is enabled.


Vulnerability discovered: August 25, 2010

Vulnerability resolved: September 30, 2010 (See details below)


Facebook has addressed the particular proof-of-concept for this
vulnerability by enhancing anti-scraping protection and changing the
format in which data for the “people here now” view is transmitted to a
requester. However, the presence of this feature at all opens an “analog
hole” which means that a similar attack with a more sophisticated scraping
system is still theoretically possible.


 The problem occurs because Places did not properly anticipate the
consequences of rapid automatic checkins and geolocation spoofing. An
automatic “scraper” program could emulate an iPhone web browser, transmit a
faked geolocation response, and obtain the list of people at the specified
location. By querying each location in a latitude/longitude grid, an
attacker could create a database of the locations of all checkins within the
grid, and map movement of users by collecting multiple “frames” of data over

 This could allow an attacker to:


   Stalk a user by creating a database of all checkins within a given area,
   then querying the database to obtain semi-real-time and historical data on
   the user's checkins

   Identify potential victims for robbery or vandalism by identifying users
   who are a significant distance from their home (similar to pleaserobme.com

   Collect aggregate data for sociological or basic demographic research

   Compile a database of check-ins in a geographically wide set of “regions
   of interest” (gambling sites, bars, etc.) and determine whether a given person
   had ever checked in at any of the monitored locations

Using this vulnerability, an attacker could not:


   Obtain a user's location if they are not visible in “people here now”

   Obtain a user's location without them manually checking in

   Identify precisely how much time has elapsed since a user checked in at a
   location (although an estimate can be calculated if multiple “frames” are

 It is also important to note that while creating a “comprehensive database”
of all checkins in all the locations in a large area requires a substantial
amount of time, many of these attacks do not require such a database. In
scanning for potential robbery victims, for instance, an attacker need not
scan an entire city, but merely acquire a list of a substantial number of
people who are away from their homes.

 In addition, any of these attacks would be trivial to parallelize across
machines owned by accomplices, or infected by a botnet, by the simple
expedient of assigning each machine a specific lat/long range to scan.


Discovered by Nathan Whitmore

Any technology distinguishable from magic is insufficiently advanced
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
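
Added example, not part of the original post and not Facebook's actual fix: a server-side heuristic that flags clients whose reported positions sweep many grid cells or imply impossible travel, the two request patterns the advisory attributes to rapid automatic checkins with spoofed geolocation. The thresholds, the event tuple layout and the client names are assumptions; the sample events are constructed.

```python
import math
from collections import defaultdict

EARTH_RADIUS_KM = 6371.0
MAX_SPEED_KMH = 1000.0    # assumed ceiling, faster than a commercial airliner
MAX_DISTINCT_CELLS = 20   # assumed cap on distinct ~1 km cells per client per window

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlon = math.radians(lon2 - lon1)
    a = math.sin((p2 - p1) / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))

def flag_clients(events):
    """events: (client_id, unix_ts, lat, lon) tuples from one time window.
    Returns {client_id: set of reasons} for clients that look automated."""
    by_client = defaultdict(list)
    for cid, ts, lat, lon in events:
        by_client[cid].append((ts, lat, lon))
    flagged = defaultdict(set)
    for cid, pts in by_client.items():
        pts.sort()
        # 0.01 degree of latitude is roughly 1 km, so this counts ~1 km cells.
        cells = {(round(lat, 2), round(lon, 2)) for _, lat, lon in pts}
        if len(cells) > MAX_DISTINCT_CELLS:
            flagged[cid].add("grid_sweep")
        for (t0, la0, lo0), (t1, la1, lo1) in zip(pts, pts[1:]):
            hours = max(t1 - t0, 1) / 3600.0  # clamp so equal timestamps cannot divide by zero
            if haversine_km(la0, lo0, la1, lo1) / hours > MAX_SPEED_KMH:
                flagged[cid].add("impossible_travel")
                break
    return dict(flagged)

def sample_events():
    """Constructed data: a pedestrian, a 5x5 grid scanner, a cross-country jump."""
    t = 1285950000
    ev = [("walker", t, 40.7128, -74.0060), ("walker", t + 600, 40.7138, -74.0050)]
    for i in range(25):  # one request every 2 s, stepping 0.01 degrees per cell
        ev.append(("scanner", t + 2 * i, 40.70 + 0.01 * (i // 5), -74.02 + 0.01 * (i % 5)))
    ev += [("jumper", t, 40.7128, -74.0060), ("jumper", t + 60, 34.0522, -118.2437)]
    return ev

if __name__ == "__main__":
    for client, reasons in sorted(flag_clients(sample_events()).items()):
        print(client, sorted(reasons))
```

Neither check stops a scan that is spread across many clients, each assigned a small lat/long range as the advisory describes, so per-client limits like these only raise the cost of the single-machine case.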
