-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 +------------------------------------------------------------------------------+ | Packet Storm Advisory 2013-0621 | | http://packetstormsecurity.com/ | +------------------------------------------------------------------------------+ | Title: Facebook Information Disclosure | +--------------------+---------------------------------------------------------+ | Release Date | 2013/06/21 | | Advisory Contact | Packet Storm (advisories@packetstormsecurity.com) | | Researcher Credit | Michael Fury | +--------------------+---------------------------------------------------------+ | System Affected | Facebook (www.facebook.com) | | Vendor Patched | 2013/06/16 (based on our testing) | +--------------------+---------------------------------------------------------+ +----------+ | OVERVIEW | +----------+ Facebook suffered from an information disclosure vulnerability. - ----------------------------------------------------------------------------- +---------+ | DETAILS | +---------+ If a user uploaded their contacts to Facebook and then proceeded to download their expanded dataset from the DYI (Download Your Information) section, they would receive a file called addressbook.html in their downloaded archive. The addressbook.html is supposed to house the contact information they uploaded. However, due to a flaw in how Facebook implemented this, it also housed contact information from other uploads other users have performed for the same person, provided they had one piece of matching data. This effectively build large dossiers on users and disclosed their information to anyone that knew at least one piece of matching data. - ----------------------------------------------------------------------------- +------------------+ | PROOF OF CONCEPT | +------------------+ 1. Dan has an account with Facebook and has registered with dan@freemail.xy 2. Alice uploads her contact information to Facebook. In it there is an entry for Dan with phone numbers 408-555-1212, 408-555-3433, and email addresses dan@freemail.xy and dan@datingsite.xy 3. Bob uploads his contact information to Facebook. In it there is an entry for Dan with phone number 408-555-9999 and email addresses dan@freemail.xy and dan@danswork.xy 4. Eve pulls Dan's dan@freemail.xy email address off of his blog, adds it to a vcf file, and uploads it to Facebook. She then downloads her expanded dataset. The addressbook.html file would now contain an entry for Dan with phone numbers 408-555-1212, 408-555-3433, 408-555-9999 and email addresses dan@freemail.xy, dan@datingsite.xy, and dan@danswork.xy. - ----------------------------------------------------------------------------- +-------------+ | REMEDIATION | +-------------+ Facebook quickly reacted and addressed the disclosure issue. Erroneously included data was purged and the broken functionality was fixed. During the entire process, Packet Storm had an open dialog with them and to their credit, they were honest with us and paid the finder an appropriate bug bounty. The one issue not addressed is that Facebook will not give you control over data tied to your account if uploaded by another individual. They claim that your friends own your personally identifiable information when they upload it, not you. However, given that Facebook is mapping this (and even if they have stopped, they clearly have this ability), Packet Storm feels they are not providing adequate controls for users to protect themselves from this sort of disclosure happening again. Please visit the editorial and Facebook links below for additional information. - ----------------------------------------------------------------------------- +---------------+ | RELATED LINKS | +---------------+ Packet Storm Editorial: http://packetstormsecurity.com/news/view/22713/Facebook-Where-Your-Friends-Are-Your-Worst-Enemies.html Facebook Security: http://www.facebook.com/security/notes -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.6 (GNU/Linux) iD8DBQFRxMj9rM7A8W0gTbERAtMeAJ4758eT/34qQh2EFma6y2yZMJt7lQCgsJVG 6lRoqwOnb3AsIlVN9HNkCaM= =lUY2 -----END PGP SIGNATURE-----