Vulnerabilities / Threats
8/11/2010
01:38 PM
Connect Directly
Google+
LinkedIn
Twitter
RSS
E-Mail
50%
50%

Facebook Privacy Flaw Identified

Despite its struggle to simplify its privacy controls, Facebook still has some work to do.

Facebook's privacy controls offer less privacy than one might expect.

In an e-mail message posted to the Full Disclosure mailing list, Atul Agarwal, a security researcher and CEO of Secfence Technologies, describes how Facebook can be prompted to reveal user names and profile pictures even when user privacy settings have been set to conceal this information.

Agarwal says he discovered the issue when he accidentally entered an incorrect password while trying to log into Facebook.

The site proved to be too helpful, returning a user name and profile picture along with the supplied e-mail address, even though the password was incorrect.

As a result, a malicious user can learn the Facebook user names associated with valid e-mail addresses.

"Facebook users have no control over this, as this works even when you have set all privacy settings properly," wrote Agarwal. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."

Agarwal created a proof of concept script to demonstrate how this flaw -- presenting user information before applying privacy settings -- can be used for data harvesting.

Elaborating on Agarwal's find, another mailing list contributor, Javier Bassi, observed that Facebook's helpfulness goes even further: It will suggest a valid user name, profile picture, and e-mail addresses when supplied an e-mail address that's incorrect but similar to a valid one.

While such automated corrections may be helpful, they can also be misused.

Beyond the privacy failure, the ability to associate real names with e-mail addresses can make phishing attacks more effective. And the ability to generate valid e-mail addresses from random guesses can be used to build spam lists or conduct reconnaissance about users with e-mail accounts from a particular company or domain.

A Facebook spokesperson said the company is investigating the issue.

Update: After this story was filed, a Facebook spokesperson responded with the following statement:

"We have technical systems in place to prevent people’s names and photos from showing to unrelated users upon login, but a recently introduced bug temporarily prevented these from working as intended. We are already working on a fix and expect to remedy the situation shortly. Please note that our Statement of Rights and Responsibilities (http://www.facebook.com/terms.php) dictates who and how public information can be accessed, and we prohibit people from scraping our site."

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

CVE-2015-0657
Published: 2015-03-05
Cisco IOS XR allows remote attackers to cause a denial of service (RSVP process reload) via a malformed RSVP packet, aka Bug ID CSCur69192.

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.