Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Facebook For Android Friend Acceptance

🗓️ 10 Aug 2021 00:00:00Reported by Sivanesh AshokType 
packetstorm
 packetstorm🔗 packetstormsecurity.com👁 291 Views

Facebook Android friend acceptance vulnerability, allows adding friend on locked phon

Code
`Author - Sivanesh Ashok | @sivaneshashok | stazot.com  
  
Date : 2021-08-03  
Vendor : https://facebook.com/  
Version : *  
Tested on : Version 329.0.0.29.120, Android 10  
Last Modified : 2021-08-10  
  
  
--[ Bug Description  
  
Facebook for Android is vulnerable to a permission issue which allows  
anyone with physical access to the Android device, to accept friend  
requests without unlocking the phone. The bug works when the device's lock  
screen notification setting is set to "Show sensitive content when locked".  
The victim user who set "Show sensitive content when locked", would not  
know that the app also allows such sensitive action to be performed when  
locked.  
  
An attacker who has access to the victim's locked phone will be able to add  
the victim as a friend and collect personal information about the victim  
such as email, DoB, check-ins, pictures and other information that the  
victim shared to be visible only to their friends.  
  
  
--[ Steps to reproduce  
  
As the attacker:  
1. Get your hands on the victim's locked phone.  
2. Send friend request to the victim.  
3. See the notification about your friend request on the victim's locked  
phone.  
4. Expand the friend request and touch the Confirm button.  
5. Note that you are now friends with the victim.  
6. Check the information that the victim has shared only with their friends.  
  
  
--[ Proof of Concept  
  
Here is a video PoC of this bug - https://youtu.be/RbBspN-0r-U  
  
  
--[ Responsible Disclosure  
  
I reported the bug to Facebook, and they seem to not consider this a valid  
security, "as the user is in control of their notifications and can prevent  
this kind of scenarios by adjusting their phone's settings". An interesting  
decision, since the user only wants to "Show sensitive content when  
locked", and not "Modify sensitive content when locked". Also, other push  
notifications on Facebook/Messenger/Instagram do not behave the same. So, I  
think it is worth a patch. Wonder if Facebook will consider it a security  
risk if it was possible to accept follow requests to a private Instagram  
account from a locked phone.  
  
  
--[ Contact  
  
Name : Sivanesh Ashok  
Twitter : @sivaneshashok  
Website : https://stazot.com  
  
  
`

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
10 Aug 2021 00:00Current
7.4High risk
Vulners AI Score7.4
facebookandroidvulnerabilityfriend acceptancelocked phonesecurity issue
291