API tools faq
paste
Advertisement
AndrewHaxalot

Facebook Vulnerability Friends List Privacy

AndrewHaxalot
Nov 23rd, 2013
102
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 2.38 KB | None | 0 0
raw download clone embed print report
  1. ###########################
  2.  
  3. # Facebook Vulnerability Discloses Friends Lists Defined as Private
  4.  
  5. ###########################
  6.  
  7. Facebook Vulnerability Discloses Friends Lists Defined as Private
  8. =================================================
  9.  
  10. Researchers from the Quotium Seeker Research Center identified a security flaw in Facebook privacy controls. The
  11. vulnerability allows attackers to see the friends list of any user on Facebook. This attack is carried out by abusing
  12. the 'People You May Know' mechanism on Facebook, which is the mechanism by which Facebook suggests new friends to
  13. users.
  14. With attacks being on the rise, Facebook is often targeted by hackers for the information it possesses. Users rely on
  15. Facebook to maintain their privacy to the best of Facebook's ability.
  16.  
  17. Technical Details
  18. =============
  19. To execute the attack, an attacker needs to create a new user on Facebook, and send a friend request to the victim. The
  20.  
  21. victim declining the request is irrelevant. At this point Facebook begins to suggest to the attacker people he may
  22. know, with the option of clicking a 'see all' button for convenience. The people suggested at this point are the
  23. friends of the user to whom the attacker sent a friend request, even when the friends list of the victim is set to
  24. private, and the other suggested users also have their friends list private.
  25. For full technical information see
  26. www.quotium.com/research/advisories/Facebook_Vulnerability_Discloses_Private_Friends_list.php
  27.  
  28. Vendor Response
  29. ==============
  30. FB responded that:"If you don't have friends on Facebook and send a friend request to someone who's chosen to hide
  31.  
  32. their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs.
  33. But you have no way of knowing if the suggestions you see represent someone's complete friend list." However,
  34. research
  35. of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any
  36. case, even a partial friends list is a violation of user-chosen privacy controls.
  37. Since this vulnerability renders the privacy control to hide friends lists from other users irrelevant, we hope
  38. Facebook will change its mind and this flaw will be addressed.
  39.  
  40. Credit
  41. =====
  42. Irene Abezgauz, VP Product Management at Quotium and Seeker Research Center leader is credited with the discovery of
  43. this vulnerability.
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!