
Full Disclosure mailing list archives
Re: Facebook name extraction based on email/wrong password + POC
From: Samuel Martín Moro <faust64 () gmail com>
Date: Thu, 12 Aug 2010 20:53:49 +0200
or they signed up to the list...

Samuel Martín Moro
{EPITECH.} tek5
CamTrace S.A.S
"Nobody wants to say how this works. Maybe nobody knows ..." Xorg.conf(5)

On Thu, Aug 12, 2010 at 4:00 PM, Zerial. <fernando () zerial org> wrote:

> This bug appears in a Spanish security news site:
> http://blog.segu-info.com.ar/2010/08/error-en-facebook-permite-extraer.html
> probably it was reported by someone
>
> cheers
>
> On 08/11/10 23:13, werew01f wrote:
>> Doesn't seem to work on my system. No user name or picture was displayed.
>>
>> On Wed, Aug 11, 2010 at 5:01 PM, Atul Agarwal <atul () secfence com> wrote:
>>> Hello all,
>>>
>>> Some time back, I noticed a strange problem with Facebook. I had accidentally entered a wrong password in Facebook, and it showed my first and last name with profile picture, along with the "password incorrect" message. I thought that the fact that it was showing the name had something to do with cookies stored, so I tried other email IDs, and it was the same. I wondered over the possibilities, and wrote a POC tool to test it.
>>>
>>> This script extracts the first and last name (provided by the users when they sign up for Facebook). Facebook is kind enough to return the name even if the supplied email/password combination is wrong. Furthermore, it also gives out the profile picture (this script does not harvest it, but it's easy to add that too). Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies.
>>>
>>> As Facebook is so popular, some implications:
>>>
>>> 1) Someone has a list of email addresses that he has no clue about. He can feed them to Facebook one by one (or in a list, using a script like this) and chances are that he'll get more than 50% hits. Useful for phishing attacks (people will get more convinced when they see their *real* names).
>>>
>>> 2) One can generate random email addresses and *verify* their existence. Hint: You can generate emails using (common names + a corporate domain), and check them against Facebook. Might come handy in a pentest.
>>>
>>> Rest is only left up to one's imagination.
>>>
>>> Find the POC script attached.
>>>
>>> PS: I did not report this, as I am unsure on what to call it, a "bug", "vuln" or a "feature".
>>>
>>> Thanks,
>>> Atul Agarwal
>>> Secfence Technologies
>>> www.secfence.com
>
> --
> Zerial
> Seguridad Informatica
> Blog: http://blog.zerial.org
> Skype: erzerial
> Jabber: zerial () jabberes org
> GTalk: fernando () zerial org
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
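The issue the thread describes is a login failure response that differs depending on whether the address is registered, which turns the login form into an account-existence oracle. The following is an added example, not code from the thread or from the attached POC: a login handler that reproduces that leak beside one that returns the same failure for unknown emails and wrong passwords, plus the regression check a defender would run against their own service. The account store, names and passwords are constructed for illustration.

```python
import hashlib
import hmac
import secrets

def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 stands in for a real password hasher; low iteration count keeps the demo fast.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def make_account(name: str, password: str) -> dict:
    salt = secrets.token_bytes(16)
    return {"name": name, "salt": salt, "pw_hash": _hash(password, salt)}

# Constructed sample store with one registered user (not real data).
ACCOUNTS = {"alice@example.com": make_account("Alice Example", "correct horse")}
DUMMY_SALT = b"\x00" * 16  # lets unknown emails run the same hashing work as known ones
DUMMY_HASH = _hash("placeholder", DUMMY_SALT)

def leaky_login(email: str, password: str) -> dict:
    """Mirrors the behaviour reported in the thread: the wrong-password response
    carries the account holder's name, so a failed login confirms the address is
    registered and says who owns it."""
    acct = ACCOUNTS.get(email)
    if acct is None:
        return {"ok": False, "error": "No account for that email"}
    if not hmac.compare_digest(_hash(password, acct["salt"]), acct["pw_hash"]):
        return {"ok": False, "error": "Password incorrect", "name": acct["name"]}
    return {"ok": True, "name": acct["name"]}

def hardened_login(email: str, password: str) -> dict:
    """Unknown email and wrong password yield identical responses, and the hash
    is computed on both paths so response time does not distinguish them either."""
    acct = ACCOUNTS.get(email)
    salt, expected = (acct["salt"], acct["pw_hash"]) if acct else (DUMMY_SALT, DUMMY_HASH)
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if acct is None or not matched:
        return {"ok": False, "error": "Incorrect email or password"}
    return {"ok": True, "name": acct["name"]}

def leaks_account_existence(login) -> bool:
    """Regression check for the oracle: a failure for a registered address must be
    indistinguishable from a failure for an unregistered one."""
    return login("alice@example.com", "wrong") != login("nobody@example.com", "wrong")
```

The same comparison should be applied to every account-bearing endpoint (password reset, signup, "find friends"), since a uniform login page is undone by a reset form that still says "no such user".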
Current thread:
- Facebook name extraction based on email/wrong password + POC, (continued)
- Facebook name extraction based on email/wrong password + POC Atul Agarwal (Aug 11)
- Re: Facebook name extraction based on email/wrong password + POC Christian Sciberras (Aug 11)
- Re: Facebook name extraction based on email/wrong password + POC Atul Agarwal (Aug 11)
- Re: Facebook name extraction based on email/wrong password + POC Javier Bassi (Aug 11)
- Re: Facebook name extraction based on email/wrong password + POC Martin Aberastegue (Aug 11)
- Re: Facebook name extraction based on email/wrong password + POC Peter Dawson (Aug 11)
- Re: Facebook name extraction based on email/wrong password + POC Atul Agarwal (Aug 11)
- Facebook name extraction based on email/wrong password + POC Atul Agarwal (Aug 11)
- Re: Facebook name extraction based on email/wrong password + POC Zerial. (Aug 12)
- Re: Facebook name extraction based on email/wrong password + POC ghost (Aug 12)
- Re: Facebook name extraction based on email/wrong password + POC Burhan Çimen (Aug 12)
- Re: Facebook name extraction based on email/wrong password + POC Samuel Martín Moro (Aug 13)