Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Europe Confirms Record €4.1B Penalty Against Google for Android Practices|U.S. CISA adds a Microsoft SharePoint Server flaw to its Known Exploited Vulnerabilities catalog|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|
Advertisement

Ad Placeholder

Full Width × 90

Hacking

Facebook flaw allows the disclosure of Friends List

This POC demonstrates that exploiting a Facebook flaw it is possible the disclosure of Friends List EVEN WHEN HE HAS BLOCKED ACCESS TO VIEW IT This is a Proof of Concept made by BHAVESH NAIK DO YOU WISH TO SEE WHO IS IN YOUR FRIENDS LIST, EVEN WHEN YOUR FRIEND HAS BLOCKED ACCESS TO VIEW HIS […]

Facebook flaw allows the disclosure of Friends List

This POC demonstrates that exploiting a Facebook flaw it is possible the disclosure of Friends List EVEN WHEN HE HAS BLOCKED ACCESS TO VIEW IT

This is a Proof of Concept made by BHAVESH NAIK

DO YOU WISH TO SEE WHO IS IN YOUR FRIENDS LIST, EVEN WHEN YOUR FRIEND HAS BLOCKED ACCESS TO VIEW HIS FRIENDS LIST?

IF YOUR ANSWER IS ‘YES’, THEN READ THE FOLLOWING PROCEDURE TO VIEW YOUR FRIENDS INACCESSIBLE FRIENDS LIST ON FACEBOOK.

It was JULY 17, 2013 when I discovered this little loophole and I submitted the vulnerability to Facebook but then I wasn’t in the ‘Hall of Fame’ and neither did I receive any sort of acknowledgement or recognition.

Well without wasting much time, I will start with the PoC.

Note : Prior to this you should know your friends email address.

The following screenshot is the victims (your friend) privacy setting , it shows that nobody is allowed to see the friends list:

fb1

Now the attack, visit http://facebook.com and select “Forgot your password?”

There you will be prompted to enter the email address. Enter the victims email ID:

fb2

You will see the following page:

fb3

You will be prompted to enter a new email address. Enter any email ID not associated to facebook.

fb4

Press ‘Continue’. You will be asked as to how you want to recover your account.

fb5

Click on ‘Recover your account with help from friends’

fb6

VOILA ! You see the friends list :D

fb7

I was wondering, “What is the use of such privacy setting when it can be bypassed by abuse of other functionality?”.

Status: Unfixed.

Reported: Yes

BHAVESH NAIK