Congrats, it is a nice finding and POC... On a Turkish article it says Facebook patched this bug.
http://www.turk.internet.com/portal/yazigoster.php?yaziid=29003 Burhan CIMEN IS Auditor On Thu, Aug 12, 2010 at 11:17 PM, ghost <[email protected]> wrote: > The great thing about these threads is you can killfile anybody in > them and know you'll never miss anything useful. > > Please keep it going. > > > > On Thu, Aug 12, 2010 at 7:00 AM, Zerial. <[email protected]> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA1 > > > > This bug appears in a spanish security news site: > > > > > > > http://blog.segu-info.com.ar/2010/08/error-en-facebook-permite-extraer.html > > > > probably it was reported by someone > > > > cheers > > > > > > > > > > > > > > On 08/11/10 23:13, werew01f wrote: > >> Don't seems to work on my system. No user name or picture was displayed. > >> > >> > >> On Wed, Aug 11, 2010 at 5:01 PM, Atul Agarwal <[email protected] > >> <mailto:[email protected]>> wrote: > >> > >> Hello all, > >> > >> Sometime back, I noticed a strange problem with Facebook, I had > >> accidentally entered wrong password in Facebook, and it showed my > >> first and last name with profile picture, along with the password > >> incorrect message. I thought that the fact that it was showing the > >> name had something to do with cookies stored, so I tried other email > >> id's, and it was the same. I wondered over the possibilities, and > >> wrote a POC tool to test it. > >> > >> This script extracts the First and Last Name (provided by the users > >> when they sign up for Facebook). Facebook is kind enough to return > >> the name even if the supplied email/password combination is wrong. > >> Further more,it also gives out the profile picture (this script does > >> not harvest it, but its easy to add that too). Facebook users have > >> no control over this, as this works even when you have set all > >> privacy settings properly. Harvesting this data is very easy, as it > >> can be easily bypassed by using a bunch of proxies. > >> > >> As Facebook is so popular, some implications - > >> > >> 1) Someone has a list of email address that he has no clue about. He > >> can feed them to Facebook one by one (or in a list, using a script > >> like this) and chances are that he'll get more than 50% hits. Useful > >> for phishing attacks (People will get more convinced when they see > >> their *real* names). > >> > >> 2) One can generate random email addresses, and *verify* their > >> existence . Hint: You can generate emails using (common names + a > >> corporate domain), and check them against Facebook. Might come handy > >> in a Pentest. > >> > >> Rest is only left up to one's imagination. > >> > >> Find the POC script attached. > >> > >> PS: I did not report this, as I am unsure on what to call it, a > >> "bug", "vuln" or a "feature". > >> > >> Thanks, > >> Atul Agarwal > >> Secfence Technologies > >> www.secfence.com <http://www.secfence.com> > >> > >> _______________________________________________ > >> Full-Disclosure - We believe in it. > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >> Hosted and sponsored by Secunia - http://secunia.com/ > >> > >> > >> > >> > >> _______________________________________________ > >> Full-Disclosure - We believe in it. > >> Charter: http://lists.grok.org.uk/full-disclosure-charter.html > >> Hosted and sponsored by Secunia - http://secunia.com/ > > > > > > - -- > > Zerial > > Seguridad Informatica > > Blog: http://blog.zerial.org > > Skype: erzerial > > Jabber: [email protected] > > GTalk: [email protected] > > > > -----BEGIN PGP SIGNATURE----- > > Version: GnuPG v1.4.10 (GNU/Linux) > > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > > > iEYEARECAAYFAkxj/oYACgkQIP17Kywx9JQRwgCfZCloGsZGESiYer3KXJ256Ahv > > v+gAnjAgODKzFw5/inB+Q4JwULaX1p5P > > =Rbq1 > > -----END PGP SIGNATURE----- > > > > _______________________________________________ > > Full-Disclosure - We believe in it. > > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > > Hosted and sponsored by Secunia - http://secunia.com/ > > > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html > Hosted and sponsored by Secunia - http://secunia.com/ >
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
