Packet Storm Advisory 2013-0621 - Facebook Information Disclosure

21 Jun 2013 | Reported by Todd J. | Type: packetstorm | Source: packetstormsecurity.com

Packet Storm Advisory 2013-0621 - Facebook Information Disclosure. Facebook suffered from an information disclosure vulnerability in the DYI (Download Your Information) export: the addressbook.html file returned to a user who had uploaded contacts also contained contact details that other users had uploaded for the same person, whenever the entries shared a single piece of matching data. Anyone who knew one email address or phone number for a target could therefore obtain the rest of what others had uploaded about that person.

Code
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1  
  
  
+------------------------------------------------------------------------------+  
| Packet Storm Advisory 2013-0621 |  
| http://packetstormsecurity.com/ |  
+------------------------------------------------------------------------------+  
| Title: Facebook Information Disclosure |  
+--------------------+---------------------------------------------------------+  
| Release Date | 2013/06/21 |  
| Advisory Contact | Packet Storm ([email protected]) |  
| Researcher Credit | Michael Fury |  
+--------------------+---------------------------------------------------------+  
| System Affected | Facebook (www.facebook.com) |  
| Vendor Patched | 2013/06/16 (based on our testing) |  
+--------------------+---------------------------------------------------------+  
  
+----------+  
| OVERVIEW |  
+----------+  
  
Facebook suffered from an information disclosure vulnerability.  
  
- -----------------------------------------------------------------------------  
  
+---------+  
| DETAILS |  
+---------+  
  
If a user uploaded their contacts to Facebook and then proceeded to   
download their expanded dataset from the DYI (Download Your Information)   
section, they would receive a file called addressbook.html in their   
downloaded archive. The addressbook.html is supposed to house the   
contact information they uploaded. However, due to a flaw in how
Facebook implemented this, it also contained contact information that
other users had uploaded for the same person, provided the entries shared
at least one piece of matching data. This effectively built large dossiers
on users and disclosed them to anyone who knew at least one piece of
matching data.
  
  
- -----------------------------------------------------------------------------  
  
+------------------+  
| PROOF OF CONCEPT |  
+------------------+  
  
1. Dan has an account with Facebook and has registered with [email protected]  
  
2. Alice uploads her contact information to Facebook. In it there is an   
entry for Dan with phone numbers 408-555-1212, 408-555-3433, and email   
addresses [email protected] and [email protected]  
  
3. Bob uploads his contact information to Facebook. In it there is an entry   
for Dan with phone number 408-555-9999 and email addresses [email protected]   
and [email protected]  
  
4. Eve pulls Dan's [email protected] email address off of his blog, adds it   
to a vcf file, and uploads it to Facebook. She then downloads her   
expanded dataset. The addressbook.html file would now contain an entry   
for Dan with phone numbers 408-555-1212, 408-555-3433, 408-555-9999   
and email addresses [email protected], [email protected], and [email protected].  
  
  
- -----------------------------------------------------------------------------  
  
+-------------+  
| REMEDIATION |   
+-------------+  
  
Facebook quickly reacted and addressed the disclosure issue. Erroneously   
included data was purged and the broken functionality was fixed. During the   
entire process, Packet Storm had an open dialog with them and to their credit,   
they were honest with us and paid the finder an appropriate bug bounty.   
  
The one issue not addressed is that Facebook will not give you control   
over data tied to your account if uploaded by another individual. They   
claim that your friends own your personally identifiable information when   
they upload it, not you. However, given that Facebook is mapping this (and   
even if they have stopped, they clearly have this ability), Packet Storm   
feels they are not providing adequate controls for users to protect themselves   
from this sort of disclosure happening again. Please visit the editorial   
and Facebook links below for additional information.  
  
- -----------------------------------------------------------------------------  
  
+---------------+  
| RELATED LINKS |  
+---------------+  
  
Packet Storm Editorial:  
http://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html  
  
Facebook Security:  
http://www.facebook.com/security/notes   
  
  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.6 (GNU/Linux)  
  
iD8DBQFRxMj9rM7A8W0gTbERAtMeAJ4758eT/34qQh2EFma6y2yZMJt7lQCgsJVG  
6lRoqwOnb3AsIlVN9HNkCaM=  
=lUY2  
-----END PGP SIGNATURE-----  
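The merge behaviour the DETAILS and PROOF OF CONCEPT sections describe, modelled as an added example that is not part of the advisory and is not Facebook's code. The advisory only tells us that entries from different uploads were joined whenever they shared one piece of data and that the joined record was exported to anyone who uploaded a matching entry; the functions below encode that inferred behaviour. The `Contact` and `Uploads` names, the three uploaders and every address are constructed for the illustration (the real addresses are redacted on the page). `leaked_identifiers` is the check a tester would run against a downloaded archive: any identifier in the export that the requester never submitted can only have come from another user's upload.

```python
"""Model of the DYI address-book merge described in DETAILS / PROOF OF CONCEPT.

Constructed example, not Facebook code. The advisory only tells us that
entries from different users' uploads were merged whenever they shared one
piece of data and that the merged record was exported to anyone who
uploaded a matching entry; the functions below encode that behaviour.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Contact:
    name: str
    emails: frozenset[str]
    phones: frozenset[str]

    def identifiers(self) -> frozenset[str]:
        # Emails compare case-insensitively; phones are reduced to digits so
        # "408-555-1212" and "(408) 555 1212" count as the same piece of data.
        return frozenset({e.lower() for e in self.emails}
                         | {"".join(ch for ch in p if ch.isdigit()) for p in self.phones})


# uploader -> contacts that uploader submitted (hypothetical type alias)
Uploads = dict[str, list[Contact]]
Key = tuple[str, int]          # (uploader, index into their upload)


def _clusters(uploads: Uploads) -> list[set[Key]]:
    """Union-find over every uploaded entry: two entries join the same cluster
    when they share at least one identifier, and clusters chain transitively."""
    parent: dict[Key, Key] = {}

    def find(x: Key) -> Key:
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    owner_by_id: dict[str, Key] = {}
    for uploader, contacts in uploads.items():
        for i, c in enumerate(contacts):
            key = (uploader, i)
            parent[key] = key
            for ident in c.identifiers():
                if ident in owner_by_id:
                    parent[find(owner_by_id[ident])] = find(key)
                else:
                    owner_by_id[ident] = key
    groups: dict[Key, set[Key]] = defaultdict(set)
    for key in parent:
        groups[find(key)].add(key)
    return list(groups.values())


def export_vulnerable(uploads: Uploads, uploader: str) -> list[Contact]:
    """Pre-fix behaviour inferred from the advisory: each of the uploader's
    entries comes back as the union of every entry in its cluster."""
    cluster_of: dict[Key, set[Key]] = {}
    for cluster in _clusters(uploads):
        for key in cluster:
            cluster_of[key] = cluster
    exported = []
    for i, own in enumerate(uploads[uploader]):
        members = [uploads[u][j] for (u, j) in cluster_of[(uploader, i)]]
        exported.append(Contact(
            name=own.name,
            emails=frozenset().union(*(m.emails for m in members)),
            phones=frozenset().union(*(m.phones for m in members)),
        ))
    return exported


def export_fixed(uploads: Uploads, uploader: str) -> list[Contact]:
    """Post-fix behaviour: the archive contains only what this user uploaded."""
    return list(uploads[uploader])


def leaked_identifiers(uploads: Uploads, uploader: str,
                       exported: list[Contact]) -> set[str]:
    """Check to run on a downloaded archive: any identifier in the export that
    the requester never submitted can only have come from someone else's upload."""
    submitted = set().union(*(c.identifiers() for c in uploads[uploader]))
    returned = set().union(*(c.identifiers() for c in exported))
    return returned - submitted


# Constructed data mirroring the proof of concept; addresses are hypothetical.
# Eve's entry matches only Bob's, and Bob's matches Alice's, so the leak is
# transitive: one published address pulls in everything anyone uploaded about Dan.
UPLOADS: Uploads = {
    "alice": [Contact("Dan", frozenset({"dan@mail.example", "dan@work.example"}),
                      frozenset({"408-555-1212", "408-555-3433"}))],
    "bob":   [Contact("Dan", frozenset({"dan@work.example", "dan@blog.example"}),
                      frozenset({"408-555-9999"}))],
    "eve":   [Contact("Dan", frozenset({"dan@blog.example"}), frozenset())],
}

if __name__ == "__main__":
    for label, export in (("vulnerable", export_vulnerable), ("fixed", export_fixed)):
        got = export(UPLOADS, "eve")
        print(f"{label:10s} {sorted(got[0].emails)} {sorted(got[0].phones)}")
        print(f"{'':10s} leaked: {sorted(leaked_identifiers(UPLOADS, 'eve', got))}")
```

Running it shows Eve's single known address returning all three of Dan's addresses and all three phone numbers under the pre-fix model, and nothing she did not submit under the fixed one. The same diff-against-what-you-uploaded check is how a user can confirm on a real archive that an export contains only their own data; a non-empty difference is the signal that aggregation is still happening.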


Vulners AI Score: 7.4 (High risk)