Vulnerabilities / Threats
8/11/2010
01:38 PM
Connect Directly
LinkedIn
Twitter
Google+
RSS
E-Mail
50%
50%

Facebook Privacy Flaw Identified

Despite its struggle to simplify its privacy controls, Facebook still has some work to do.

Facebook's privacy controls offer less privacy than one might expect.

In an e-mail message posted to the Full Disclosure mailing list, Atul Agarwal, a security researcher and CEO of Secfence Technologies, describes how Facebook can be prompted to reveal user names and profile pictures even when user privacy settings have been set to conceal this information.

Agarwal says he discovered the issue when he accidentally entered an incorrect password while trying to log into Facebook.

The site proved to be too helpful, returning a user name and profile picture along with the supplied e-mail address, even though the password was incorrect.

As a result, a malicious user can learn the Facebook user names associated with valid e-mail addresses.

"Facebook users have no control over this, as this works even when you have set all privacy settings properly," wrote Agarwal. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."

Agarwal created a proof of concept script to demonstrate how this flaw -- presenting user information before applying privacy settings -- can be used for data harvesting.

Elaborating on Agarwal's find, another mailing list contributor, Javier Bassi, observed that Facebook's helpfulness goes even further: It will suggest a valid user name, profile picture, and e-mail addresses when supplied an e-mail address that's incorrect but similar to a valid one.

While such automated corrections may be helpful, they can also be misused.

Beyond the privacy failure, the ability to associate real names with e-mail addresses can make phishing attacks more effective. And the ability to generate valid e-mail addresses from random guesses can be used to build spam lists or conduct reconnaissance about users with e-mail accounts from a particular company or domain.

A Facebook spokesperson said the company is investigating the issue.

Update: After this story was filed, a Facebook spokesperson responded with the following statement:

"We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended. We are already working on a fix and expect to remedy the situation shortly. Please note that our Statement of Rights and Responsibilities (http://www.facebook.com/terms.php) dictates who and how public information can be accessed, and we prohibit people from scraping our site."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-6090
Published: 2015-04-27
Multiple cross-site request forgery (CSRF) vulnerabilities in the (1) DataMappingEditorCommands, (2) DatastoreEditorCommands, and (3) IEGEditorCommands servlets in IBM Curam Social Program Management (SPM) 5.2 SP6 before EP6, 6.0 SP2 before EP26, 6.0.3 before 6.0.3.0 iFix8, 6.0.4 before 6.0.4.5 iFix...

CVE-2014-6092
Published: 2015-04-27
IBM Curam Social Program Management (SPM) 5.2 before SP6 EP6, 6.0 SP2 before EP26, 6.0.4 before 6.0.4.6, and 6.0.5 before 6.0.5.6 requires failed-login handling for web-service accounts to have the same lockout policy as for standard user accounts, which makes it easier for remote attackers to cause...

CVE-2015-0113
Published: 2015-04-27
The Jazz help system in IBM Rational Collaborative Lifecycle Management 4.0 through 5.0.2, Rational Quality Manager 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Team Concert 4.0 through 4.0.7 and 5.0 through 5.0.2, Rational Requirements Composer 4.0 through 4.0.7, Rational DOORS Next Generation...

CVE-2015-0176
Published: 2015-04-27
Cross-site scripting (XSS) vulnerability in MQ XR WebSockets Listener in WMQ Telemetry in IBM WebSphere MQ 8.0 before 8.0.0.2 allows remote attackers to inject arbitrary web script or HTML via a crafted URI that is included in an error response.

CVE-2015-1886
Published: 2015-04-27
The Remote Document Conversion Service (DCS) in IBM WebSphere Portal 6.1.0 through 6.1.0.6 CF27, 6.1.5 through 6.1.5.3 CF27, 7.0.0 through 7.0.0.2 CF29, 8.0.0 before 8.0.0.1 CF16, and 8.5.0 through CF05 allows remote attackers to cause a denial of service (memory consumption) via crafted requests.

Dark Reading Radio
Archived Dark Reading Radio
Join security and risk expert John Pironti and Dark Reading Editor-in-Chief Tim Wilson for a live online discussion of the sea-changing shift in security strategy and the many ways it is affecting IT and business.