Vulnerabilities / Threats
8/11/2010
01:38 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook Privacy Flaw Identified

Despite its struggle to simplify its privacy controls, Facebook still has some work to do.

Facebook's privacy controls offer less privacy than one might expect.

In an e-mail message posted to the Full Disclosure mailing list, Atul Agarwal, a security researcher and CEO of Secfence Technologies, describes how Facebook can be prompted to reveal user names and profile pictures even when user privacy settings have been set to conceal this information.

Agarwal says he discovered the issue when he accidentally entered an incorrect password while trying to log into Facebook.

The site proved to be too helpful, returning a user name and profile picture along with the supplied e-mail address, even though the password was incorrect.

As a result, a malicious user can learn the Facebook user names associated with valid e-mail addresses.

"Facebook users have no control over this, as this works even when you have set all privacy settings properly," wrote Agarwal. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."

Agarwal created a proof of concept script to demonstrate how this flaw -- presenting user information before applying privacy settings -- can be used for data harvesting.

Elaborating on Agarwal's find, another mailing list contributor, Javier Bassi, observed that Facebook's helpfulness goes even further: It will suggest a valid user name, profile picture, and e-mail addresses when supplied an e-mail address that's incorrect but similar to a valid one.

While such automated corrections may be helpful, they can also be misused.

Beyond the privacy failure, the ability to associate real names with e-mail addresses can make phishing attacks more effective. And the ability to generate valid e-mail addresses from random guesses can be used to build spam lists or conduct reconnaissance about users with e-mail accounts from a particular company or domain.

A Facebook spokesperson said the company is investigating the issue.

Update: After this story was filed, a Facebook spokesperson responded with the following statement:

"We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended. We are already working on a fix and expect to remedy the situation shortly. Please note that our Statement of Rights and Responsibilities (http://www.facebook.com/terms.php) dictates who and how public information can be accessed, and we prohibit people from scraping our site."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6501
Published: 2015-03-30
The default soap.wsdl_cache_dir setting in (1) php.ini-production and (2) php.ini-development in PHP through 5.6.7 specifies the /tmp directory, which makes it easier for local users to conduct WSDL injection attacks by creating a file under /tmp with a predictable filename that is used by the get_s...

CVE-2014-9652
Published: 2015-03-30
The mconvert function in softmagic.c in file before 5.21, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not properly handle a certain string-length field during a copy of a truncated version of a Pascal string, which might allow remote atta...

CVE-2014-9653
Published: 2015-03-30
readelf.c in file before 5.22, as used in the Fileinfo component in PHP before 5.4.37, 5.5.x before 5.5.21, and 5.6.x before 5.6.5, does not consider that pread calls sometimes read only a subset of the available data, which allows remote attackers to cause a denial of service (uninitialized memory ...

CVE-2014-9705
Published: 2015-03-30
Heap-based buffer overflow in the enchant_broker_request_dict function in ext/enchant/enchant.c in PHP before 5.4.38, 5.5.x before 5.5.22, and 5.6.x before 5.6.6 allows remote attackers to execute arbitrary code via vectors that trigger creation of multiple dictionaries.

CVE-2014-9709
Published: 2015-03-30
The GetCode_ function in gd_gif_in.c in GD 2.1.1 and earlier, as used in PHP before 5.5.21 and 5.6.x before 5.6.5, allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted GIF image that is improperly handled by the gdImageCreateFromGif function.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.