佚名MYHACK58:62201994269Get the Facebook Marketplace sellers precise location information-vulnerability warning-the black bar safety net
!
This article share it with Facebook Marketplace sales system associated with the user information leakage vulnerability through which the vulnerability can obtain the release of goods the seller’s accurate to the latitude and longitude and zip code and other specific location information. Vulnerability reported to the twists and turns, going through denial again after the IS Facebook receive, final Facebook a reward for$5,000 dollars. The following is the author of the vulnerability discovery to share.
Facebook Marketplace introduction
Facebook Marketplace is Facebook 2016 10 months in the mobile terminal launched a P2P-personal to personal the goods of auction and transaction functions, allowing the user on which the purchase and sale of items.
Click on Facebook at the bottom of the Marketplace button to access, in the interface the user can like the Web Mall as directly to the commodity name, type and price etc. to search for a commodity, the Facebook will be automatically displayed for the user closest to the user side of Facebook the seller and show the seller’s quotation and product information. In find a favorite goods, the user can directly use the Messenger to communicate with the sellers contact. And if you are the seller, you can also directly on the Marketplace, add product, pricing, place and other relevant messages. With a General auction site is different, its built-in location tool can be adjusted, you are viewing the area, or changed to other cities. Currently, Facebook Marketplace services only in certain countries open.
Discover the vulnerability of the reason
Facebook Marketplace on-line, some sellers will in top-selling some of the stolen goods, so I sometimes assist in the investigation of Facebook Marketplace some of the stolen goods, in the analysis which may be associated with the recovery of the technical feasibility of the process, I discovered which the presence of a vulnerability, exploit the vulnerability can be found sellers of some sensitive data, access to which contains the latitude and longitude of the precise location.
So I want to sell the following figure the car is 7000 Euro mountain bike auction sales page analysis of starting, after testing, I found that Facebook Marketplace with location-related data information corresponding to the specific, which is included in the sale of goods the return of advertising, its associated response message is in the JSON format of the content, and this seller of goods location and can through the Facebook Marketplace is set.
! [](/Article/UploadPic/2019-5/20195251515115. png)
For this reason, I feel some doubt, why Facebook Marketplace is presented on the users page of the goods location and very simple? It seems worthwhile to delve into some.
In-depth analysis
So, I log into the Facebook Marketplace application, get this cars 7000 Euro mountain bike, with which the map position of the selection tool to set a random address and see what the reaction of:
!
Oh, see, in the lower right corner, there is a row of small grey word, Facebook Marketplace claimed in order to protect the sellers Privacy, Location information is only approximate location,“the Location is approximate to protect the seller’s privacy”, the Yo is also good.
Okay, exit the Facebook Marketplace to see this in the request packet location data is what, note that in this case I is a non-authorized regular users. In the sales page, I open a Chrome browser network monitoring function, when I clicked on this mountain bike related information, can be in the network packets to see a lot more about the merchandise location information, after viewing I found is the Facebook API – facebook.com/api/graphql in response to leaking some location information, as follows:
! [](/Article/UploadPic/2019-5/20195251515981. png)
Which turned out to contain a product to publish precise location information, latitude and longitude data, City, Country, zip code, as follows:
“location”: {
“latitude”: 54.9942235,
“longitude”: -1.6041244,
“reverse_geocode”: {
“city”: “Newcastle upon Tyne”,
“state”: “England”,
“postal_code”: “”
},
“reverse_geocode_detailed”: {
“city”: “Newcastle upon Tyne”,
“state”: “England”,
“postal_code”: “NE2 2DS”
}
}
Latitude and longitude of that! Oh, enough! Open Google Maps, input the latitude and longitude information to find, of course, it found me in a commodities background to set the specific location!
! [](/Article/UploadPic/2019-5/20195251516887. png)
Since the sellers will rarely go to the deliberate falsification of goods sold actual location, and this is accurate to the meter location and the city and zip code information disclosure, combined with the transaction process relates to the seller’s real name, a malicious attacker or other ulterior motives who can use it to accurately determine the seller’s specific address.
Is this a security vulnerability or problem?
Since the seller must be in the product release process identified a clear-cut personal location information, and the Facebook Marketplace also claimed that it will protect users ’ privacy, will do location and blur of the display to the viewer. Like I set the MTB to the sales location, drag the map to select the circle, Facebook Marketplace indicates that it will only show the approximate location and, of course, very few sellers will deliberately forged such location information.
In addition, when I want to use the Facebook Marketplace to submit some specific precise location, Facebook provides the location or address of the selected items did not some more accurate or more recent position can be selected, even if the enter the complete ZIP code or address.
! [](/Article/UploadPic/2019-5/20195251516504. png)
So, this is a contradiction, then, that even if it is a security issue.