-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
+------------------------------------------------------------------------------+
| Packet Storm Advisory 2013-0621 |
| http://packetstormsecurity.com/ |
+------------------------------------------------------------------------------+
| Title: Facebook Information Disclosure |
+--------------------+---------------------------------------------------------+
| Release Date | 2013/06/21 |
| Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) |
| Researcher Credit | Michael Fury |
+--------------------+---------------------------------------------------------+
| System Affected | Facebook (www.facebook.com) |
| Vendor Patched | 2013/06/16 (based on our testing) |
+--------------------+---------------------------------------------------------+
+----------+
| OVERVIEW |
+----------+
Facebook suffered from an information disclosure vulnerability.
- -----------------------------------------------------------------------------
+---------+
| DETAILS |
+---------+
If a user uploaded their contacts to Facebook and then proceeded to
download their expanded dataset from the DYI (Download Your Information)
section, they would receive a file called addressbook.html in their
downloaded archive. The addressbook.html is supposed to house the
contact information they uploaded. However, due to a flaw in how
Facebook implemented this, it also housed contact information from
other uploads other users have performed for the same person, provided
they had one piece of matching data. This effectively build large dossiers
on users and disclosed their information to anyone that knew at least
one piece of matching data.
- -----------------------------------------------------------------------------
+------------------+
| PROOF OF CONCEPT |
+------------------+
1. Dan has an account with Facebook and has registered with dan@freemail.xy
2. Alice uploads her contact information to Facebook. In it there is an
entry for Dan with phone numbers 408-555-1212, 408-555-3433, and email
addresses dan@freemail.xy and dan@datingsite.xy
3. Bob uploads his contact information to Facebook. In it there is an entry
for Dan with phone number 408-555-9999 and email addresses dan@freemail.xy
and dan@danswork.xy
4. Eve pulls Dan's dan@freemail.xy email address off of his blog, adds it
to a vcf file, and uploads it to Facebook. She then downloads her
expanded dataset. The addressbook.html file would now contain an entry
for Dan with phone numbers 408-555-1212, 408-555-3433, 408-555-9999
and email addresses dan@freemail.xy, dan@datingsite.xy, and dan@danswork.xy.
- -----------------------------------------------------------------------------
+-------------+
| REMEDIATION |
+-------------+
Facebook quickly reacted and addressed the disclosure issue. Erroneously
included data was purged and the broken functionality was fixed. During the
entire process, Packet Storm had an open dialog with them and to their credit,
they were honest with us and paid the finder an appropriate bug bounty.
The one issue not addressed is that Facebook will not give you control
over data tied to your account if uploaded by another individual. They
claim that your friends own your personally identifiable information when
they upload it, not you. However, given that Facebook is mapping this (and
even if they have stopped, they clearly have this ability), Packet Storm
feels they are not providing adequate controls for users to protect themselves
from this sort of disclosure happening again. Please visit the editorial
and Facebook links below for additional information.
- -----------------------------------------------------------------------------
+---------------+
| RELATED LINKS |
+---------------+
Packet Storm Editorial:
http://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html
Facebook Security:
http://www.facebook.com/security/notes
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
iD8DBQFRxMj9rM7A8W0gTbERAtMeAJ4758eT/34qQh2EFma6y2yZMJt7lQCgsJVG
6lRoqwOnb3AsIlVN9HNkCaM=
=lUY2
-----END PGP SIGNATURE-----