Vulnerabilities / Threats
8/11/2010
01:38 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook Privacy Flaw Identified

Despite its struggle to simplify its privacy controls, Facebook still has some work to do.

Facebook's privacy controls offer less privacy than one might expect.

In an e-mail message posted to the Full Disclosure mailing list, Atul Agarwal, a security researcher and CEO of Secfence Technologies, describes how Facebook can be prompted to reveal user names and profile pictures even when user privacy settings have been set to conceal this information.

Agarwal says he discovered the issue when he accidentally entered an incorrect password while trying to log into Facebook.

The site proved to be too helpful, returning a user name and profile picture along with the supplied e-mail address, even though the password was incorrect.

As a result, a malicious user can learn the Facebook user names associated with valid e-mail addresses.

"Facebook users have no control over this, as this works even when you have set all privacy settings properly," wrote Agarwal. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."

Agarwal created a proof of concept script to demonstrate how this flaw -- presenting user information before applying privacy settings -- can be used for data harvesting.

Elaborating on Agarwal's find, another mailing list contributor, Javier Bassi, observed that Facebook's helpfulness goes even further: It will suggest a valid user name, profile picture, and e-mail addresses when supplied an e-mail address that's incorrect but similar to a valid one.

While such automated corrections may be helpful, they can also be misused.

Beyond the privacy failure, the ability to associate real names with e-mail addresses can make phishing attacks more effective. And the ability to generate valid e-mail addresses from random guesses can be used to build spam lists or conduct reconnaissance about users with e-mail accounts from a particular company or domain.

A Facebook spokesperson said the company is investigating the issue.

Update: After this story was filed, a Facebook spokesperson responded with the following statement:

"We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended. We are already working on a fix and expect to remedy the situation shortly. Please note that our Statement of Rights and Responsibilities (http://www.facebook.com/terms.php) dictates who and how public information can be accessed, and we prohibit people from scraping our site."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading Tech Digest, Dec. 19, 2014
Software-defined networking can be a net plus for security. The key: Work with the network team to implement gradually, test as you go, and take the opportunity to overhaul your security strategy.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-8370
Published: 2015-01-29
VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, VMware Fusion 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allow host OS users to gain host OS privileges or cause a denial of service (arbitrary write to a file) by modifying a configuration file.

CVE-2015-0236
Published: 2015-01-29
libvirt before 1.2.12 allow remote authenticated users to obtain the VNC password by using the VIR_DOMAIN_XML_SECURE flag with a crafted (1) snapshot to the virDomainSnapshotGetXMLDesc interface or (2) image to the virDomainSaveImageGetXMLDesc interface.

CVE-2015-1043
Published: 2015-01-29
The Host Guest File System (HGFS) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware Fusion 6.x before 6.0.5 and 7.x before 7.0.1 allows guest OS users to cause a guest OS denial of service via unspecified vectors.

CVE-2015-1044
Published: 2015-01-29
vmware-authd (aka the Authorization process) in VMware Workstation 10.x before 10.0.5, VMware Player 6.x before 6.0.5, and VMware ESXi 5.0 through 5.5 allows attackers to cause a host OS denial of service via unspecified vectors.

CVE-2015-1422
Published: 2015-01-29
Multiple cross-site scripting (XSS) vulnerabilities in Gecko CMS 2.2 and 2.3 allow remote attackers to inject arbitrary web script or HTML via the (1) horder[], (2) jak_catid, (3) jak_content, (4) jak_css, (5) jak_delete_log[], (6) jak_email, (7) jak_extfile, (8) jak_file, (9) jak_hookshow[], (10) j...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
If you’re a security professional, you’ve probably been asked many questions about the December attack on Sony. On Jan. 21 at 1pm eastern, you can join a special, one-hour Dark Reading Radio discussion devoted to the Sony hack and the issues that may arise from it.