-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


+------------------------------------------------------------------------------+
| Packet Storm Advisory 2013-0621                                              |
| http://packetstormsecurity.com/                                              |
+------------------------------------------------------------------------------+
| Title: Facebook Information Disclosure                                       |
+--------------------+---------------------------------------------------------+
| Release Date       | 2013/06/21                                              |
| Advisory Contact   | Packet Storm (advisories@packetstormsecurity.com)       |
| Researcher Credit  | Michael Fury                                            |
+--------------------+---------------------------------------------------------+
| System Affected    | Facebook (www.facebook.com)                             |
| Vendor Patched     | 2013/06/16 (based on our testing)                       |
+--------------------+---------------------------------------------------------+

+----------+
| OVERVIEW |
+----------+

Facebook suffered from an information disclosure vulnerability.

- -----------------------------------------------------------------------------

+---------+
| DETAILS |
+---------+

If a user uploaded their contacts to Facebook and then proceeded to 
download their expanded dataset from the DYI (Download Your Information) 
section, they would receive a file called addressbook.html in their 
downloaded archive.  The addressbook.html is supposed to house the 
contact information they uploaded. However, due to a flaw in how 
Facebook implemented this, it also housed contact information from 
other uploads other users have performed for the same person, provided 
they had one piece of matching data. This effectively built large dossiers
on users and disclosed their information to anyone who knew at least
one piece of matching data.


- -----------------------------------------------------------------------------

+------------------+
| PROOF OF CONCEPT |
+------------------+

1. Dan has an account with Facebook and has registered with dan@freemail.xy

2. Alice uploads her contact information to Facebook.  In it there is an 
   entry for Dan with phone numbers 408-555-1212, 408-555-3433, and email 
   addresses dan@freemail.xy and dan@datingsite.xy

3. Bob uploads his contact information to Facebook. In it there is an entry 
   for Dan with phone number 408-555-9999 and email addresses dan@freemail.xy 
   and dan@danswork.xy

4. Eve pulls Dan's dan@freemail.xy email address off of his blog, adds it 
   to a vcf file, and uploads it to Facebook.  She then downloads her 
   expanded dataset.  The addressbook.html file would now contain an entry 
   for Dan with phone numbers 408-555-1212, 408-555-3433, 408-555-9999 
   and email addresses dan@freemail.xy, dan@datingsite.xy, and dan@danswork.xy.
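The following Python model reproduces the merge behaviour described in the DETAILS section and in steps 1 through 4 above, side by side with the correct per-uploader scoping, plus the check a developer would keep as a regression test for an export feature. It is an added illustration and not Facebook's code: Facebook's real data model and DYI implementation are not public, so the record layout, the function names (flawed_export, scoped_export, leaked_values) and the sample uploads are all assumed and constructed from the proof of concept.

```python
"""Model of the cross-upload merge flaw described in this advisory.

Added illustration, not Facebook's code: the record layout and function
names are assumed, and the uploads are constructed from the PoC steps.
"""

# Constructed sample uploads mirroring steps 2-4 of the proof of concept.
# Each upload is (uploader, list of contact records); a record holds a
# name plus the phone numbers and email addresses the uploader had for it.
UPLOADS = [
    ("alice", [{"name": "Dan",
                "phones": {"408-555-1212", "408-555-3433"},
                "emails": {"dan@freemail.xy", "dan@datingsite.xy"}}]),
    ("bob",   [{"name": "Dan",
                "phones": {"408-555-9999"},
                "emails": {"dan@freemail.xy", "dan@danswork.xy"}}]),
    # Eve only knows the one address taken from Dan's blog.
    ("eve",   [{"name": "Dan",
                "phones": set(),
                "emails": {"dan@freemail.xy"}}]),
]


def _records_of(uploads, uploader):
    """All records a given user uploaded (a user may upload more than once)."""
    return [r for who, recs in uploads if who == uploader for r in recs]


def _identifiers(record):
    """Every value that could link two records to the same person."""
    return record["phones"] | record["emails"]


def flawed_export(uploads, requester):
    """The behaviour the advisory describes: each of the requester's records
    is enriched with every other user's record that shares at least one
    phone number or email address with it."""
    merged = []
    for own in _records_of(uploads, requester):
        phones, emails = set(own["phones"]), set(own["emails"])
        for _uploader, records in uploads:
            for other in records:
                if _identifiers(own) & _identifiers(other):
                    phones |= other["phones"]
                    emails |= other["emails"]
        merged.append({"name": own["name"], "phones": phones, "emails": emails})
    return merged


def scoped_export(uploads, requester):
    """Correct behaviour: a user's addressbook export contains only the
    records that user uploaded, never data contributed by other users."""
    return [{"name": r["name"],
             "phones": set(r["phones"]),
             "emails": set(r["emails"])}
            for r in _records_of(uploads, requester)]


def leaked_values(export, uploads, requester):
    """Values in an export that the requester never supplied. An empty set
    is the invariant an export feature should be tested against."""
    supplied = set()
    for r in _records_of(uploads, requester):
        supplied |= _identifiers(r)
    exported = set()
    for r in export:
        exported |= _identifiers(r)
    return exported - supplied


if __name__ == "__main__":
    for name, fn in (("flawed", flawed_export), ("scoped", scoped_export)):
        export = fn(UPLOADS, "eve")
        print(f"{name}: {export}")
        print(f"  leaked: {sorted(leaked_values(export, UPLOADS, 'eve'))}")
```

Running the script shows Eve's flawed export carrying all three phone numbers and all three email addresses from step 4, while the scoped export returns only the single address she uploaded. The leaked_values check is the useful part for a defender: it states the property (nothing in an export that the requester did not supply) independently of how the matching logic happens to be implemented, so it also catches a transitive merge, not just the one-hop case modelled here.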


- -----------------------------------------------------------------------------

+-------------+
| REMEDIATION |
+-------------+

Facebook quickly reacted and addressed the disclosure issue.  Erroneously 
included data was purged and the broken functionality was fixed.  During the 
entire process, Packet Storm had an open dialog with them and to their credit, 
they were honest with us and paid the finder an appropriate bug bounty.  

The one issue not addressed is that Facebook will not give you control 
over data tied to your account if uploaded by another individual.  They 
claim that your friends own your personally identifiable information when 
they upload it, not you.  However, given that Facebook is mapping this (and 
even if they have stopped, they clearly have this ability), Packet Storm 
feels they are not providing adequate controls for users to protect themselves 
from this sort of disclosure happening again.  Please visit the editorial 
and Facebook links below for additional information.

- -----------------------------------------------------------------------------

+---------------+
| RELATED LINKS |
+---------------+

Packet Storm Editorial:
    http://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html

Facebook Security:
    http://www.facebook.com/security/notes


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)

iD8DBQFRxMj9rM7A8W0gTbERAtMeAJ4758eT/34qQh2EFma6y2yZMJt7lQCgsJVG
6lRoqwOnb3AsIlVN9HNkCaM=
=lUY2
-----END PGP SIGNATURE-----