Re: Facebook allows disclosure of friends list.

[Alex <fd () daloo de>]

Same here, it seems to differ 

a) if phone is registered to facebook (maybe they send a code to it) 

b) if gmail is available 

My testaccount said "it cannot recover my data". Another account went to
the new email window, but had no option to chose the "friends" way. 

But the <username>@facebook.com worked. 

Am 2013-08-06 17:27, schrieb David Mah: 

> Noting that I tried it myself just now had different results, and I'm not sure if this is exploitable as easily as it 
> originally seemed to be. 
>
> At his third image, the one that gives the three options 'google account', 'email', or 'smartphone', I clicked 
> Continue. Instead of the page that he showed, I got a page that sent me straight to gmail to reset my password. Based 
> on his image though, I dropped https://www.facebook.com/recover/extended [3] into the URL and got the interface that 
> he described which let me see my entire friend's list. 
>
> Then I tried to access a friend of mine's account, and got a different interface. There were three links to email 
> providers citing "follow one of the links below to learn how to reset your email password with major email 
> providers", and a "I Cannot Access My Email" button. Clicking that, I got a page at 
> https://www.facebook.com/recover/extended/ineligible [4], which says: 
>
> > "We're sorry you're having trouble recovering your email address. Unfortunately, this means we can't verify who you 
> > are or give you access to the Facebook account you're trying to log into. We may hide the information on your 
> > Facebook account if we detect that you cannot regain access to it"
>
> This was in a private browser session, so no cookies for facebook existed (also in firefox, which I don't normally 
> use anyway). 
>
> My speculation on this is that facebook keeps track of IPs that you commonly log in from. If you are trying to 
> recover your account from one of said IPs, then it will give you an easier account recovery process. 
>
> David 
>
> On Tue, Aug 6, 2013 at 7:51 AM, Alex <fd () daloo de> wrote:
>
> Nice finding, but how do you know the victims email address? 
>
> Am 2013-08-06 05:41, schrieb Bhavesh Naik: 
>
>   
> BLOG POST LINK : _HTTP://TECHIELOGIC.WORDPRESS.COM/2013/08/04/FACEBOOKS-FRIENDS-LIST-DISCLOSURE-VULNERABILITY/ [5]_ 
>   Affected application: facebook.com [6]
> Impact: Access to friends list, by bypassing the privacy settings
> Author: Bhavesh Naik
>
> It was JULY 17, 2013 when I discovered this little loophole and I submitted the vulnerability to facebook but then I 
> wasn't on the 'Hall of Fame' and neither did I receive any sort of recognition, since I was told they are aware of 
> such scenarios. 
> Well without wasting much time, I will start with the PoC. 
> _Note : Prior to this you should know your friends email address._ 
> The following screenshot is the victims (your friend) privacy setting , it shows that nobody is allowed to see the 
> friends list: 
> [7] 
> Now the attack, visit http://facebook.com [8] and select "Forgot your password?" 
> There you will be prompted to enter the email address. Enter the victims email ID: 
> [9] 
> You will see the following page: 
> [10] 
> You will be prompted to enter a new email address. Enter any email ID not associated to facebook. 
> [11] 
> Press 'Continue'. You will be asked as to how you want to recover your account. 
> [12] 
> Click on 'Recover your account with help from friends' 
> [13] 
> VOILA ! You see the friends list :D 
> [14] 
> I was wondering, "What is the use of such privacy setting when it can be bypassed by abuse of other functionality?". 
> Status: Unfixed. 
> Reported: Yes 
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1]
> Hosted and sponsored by Secunia - http://secunia.com/ [2]
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1]
> Hosted and sponsored by Secunia - http://secunia.com/ [2]



Links:
------
[1] http://lists.grok.org.uk/full-disclosure-charter.html
[2] http://secunia.com/
[3] https://www.facebook.com/recover/extended
[4] https://www.facebook.com/recover/extended/ineligible
[5]
http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/
[6] http://facebook.com
[7] http://techielogic.files.wordpress.com/2013/08/fb1.png
[8] http://facebook.com/
[9] http://techielogic.files.wordpress.com/2013/08/fb2.png
[10] http://techielogic.files.wordpress.com/2013/08/fb3.png
[11] http://techielogic.files.wordpress.com/2013/08/fb4.png
[12] http://techielogic.files.wordpress.com/2013/08/fb51.png
[13] http://techielogic.files.wordpress.com/2013/08/fb6.png
[14] http://techielogic.files.wordpress.com/2013/08/fb7.png

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/