Nice finding, but how do you know the victims email address?
Am 2013-08-06 05:41, schrieb Bhavesh Naik: > > BLOG POST LINK : > _HTTP://TECHIELOGIC.WORDPRESS.COM/2013/08/04/FACEBOOKS-FRIENDS-LIST-DISCLOSURE-VULNERABILITY/ > [3]_ > Affected application: facebook.com > Impact: Access to friends list, by bypassing the privacy settings > Author: Bhavesh Naik > > It was JULY 17, 2013 when I discovered this little loophole and I submitted > the vulnerability to facebook but then I wasn't on the 'Hall of Fame' and > neither did I receive any sort of recognition, since I was told they are > aware of such scenarios. > Well without wasting much time, I will start with the PoC. > _Note : Prior to this you should know your friends email address._ > The following screenshot is the victims (your friend) privacy setting , it > shows that nobody is allowed to see the friends list: > [4] > Now the attack, visit http://facebook.com [5] and select "Forgot your > password?" > There you will be prompted to enter the email address. Enter the victims > email ID: > [6] > You will see the following page: > [7] > You will be prompted to enter a new email address. Enter any email ID not > associated to facebook. > [8] > Press 'Continue'. You will be asked as to how you want to recover your > account. > [9] > Click on 'Recover your account with help from friends' > [10] > VOILA ! You see the friends list :D > [11] > I was wondering, "What is the use of such privacy setting when it can be > bypassed by abuse of other functionality?". > Status: Unfixed. > Reported: Yes > > _______________________________________________ > Full-Disclosure - We believe in it. > Charter: http://lists.grok.org.uk/full-disclosure-charter.html [1] > Hosted and sponsored by Secunia - http://secunia.com/ [2] Links: ------ [1] http://lists.grok.org.uk/full-disclosure-charter.html [2] http://secunia.com/ [3] http://techielogic.wordpress.com/2013/08/04/facebooks-friends-list-disclosure-vulnerability/ [4] http://techielogic.files.wordpress.com/2013/08/fb1.png [5] http://facebook.com/ [6] http://techielogic.files.wordpress.com/2013/08/fb2.png [7] http://techielogic.files.wordpress.com/2013/08/fb3.png [8] http://techielogic.files.wordpress.com/2013/08/fb4.png [9] http://techielogic.files.wordpress.com/2013/08/fb51.png [10] http://techielogic.files.wordpress.com/2013/08/fb6.png [11] http://techielogic.files.wordpress.com/2013/08/fb7.png
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
