Facebook vulnerability discloses friends lists defined as private

The people you may know service has become the recent target of malicious attacks carried out on unsuspecting users. This vulnerability simply discloses a users private friend list to the attacker in the form of suggestions on people you may know. Facebook seems to think this is not a security issue that needs to be addressed i'll let you be the judge of that.

                        Vulnerability Details

To execute the attack, an attacker needs to create a new user on Facebook, and send a friend request to the victim. The victim declining the request is irrelevant. At this point Facebook begins to suggest to the attacker people he may know, with the option of clicking a ‘see all’ button for convenience. The people suggested at this point are the friends of the attacked user to whom the attacker sent a friend request, even when the friends list of the victim is set to private, and the other suggested users also have their friends list private.

                Steps to exploit this vulnerability

1. Create a new Facebook profile preferably with a false identity
2. Choose a target with a private friend list that you want to enumerate
3. Send a friend request to the target
4. Click people you may know or type people you may know into the Facebook search bar
5. The profiles suggested for you to be friends with will be the targets friends.

Cancel the request after you have your information if the user accepts the friend request defriend them. The reason for this is if the target accepts your friend request you will be unable to perform this vulnerability on other targets using your new profile. YOU MUST HAVE A BLANK FRIENDS LIST FOR THIS TO WORK!!

As of today this vulnerability is still considered by Facebook as something that doesn't need to be fixed. So it seems this open hole will be available to abuse until they feel like it's a problem. Once again if you are going to use Facebook keep in mind your friends list you have set as private is not so private after all!

Facebook graph search

Facebook has released "graph search" an advanced algorithm data harvest database. I find this service fascinating as you can explore much more than your local approved friend list. Intro here https://www.facebook.com/help/481453195225441

Try out the new graph search on yourself or anyone for that matter. Type the following in your Facebook search bar without the quotations replacing the required input with your variables "photos facebookname likes" you will also notice this service tailor to your needs as you give it more data to analyze.

Examples of searches used to view public and friend of friend searchable data. Remember the profile does not need to be on your friends list and privacy settings play a major role.

• Videos facebookname likes
• Videos facebookname commented on
• Photos facebookname likes 
• Photos facebookname commented on
• Photos of friends of facebookname
• Recent photos facebookname likes
• Recent photos facebookname commented on
• Places facebookname visited 
• Places facebookname likes
• Places facebookname works at
• People who work with facebookname
• People who work at facebookname
• People who follow facebookname
• Interests liked by facebookname

It is becoming more and more common for a potential employer to use these methods as part of the pre screening application process. Even with your facebook profile set to private likes and commenting on publicly posted images,videos still shows up in a graph search.

                     

Even scarier than an employer your ex could be keeping tabs on you.

                          You could call this the Facebook stalking service. 


The potential uses of this service make it more than valuable for gathering information about anyone on Facebook. Choose your privacy settings well but remember when you interact publicly on Facebook you are doing just that.