Access any album for any user on Facebook
Posted by: securityninja
Date: March 13, 2009 10:59AM

Hi everyone,
I was creating a presentation last week covering the security risks and weaknesses of social networking websites and I found a few interesting things. The most interesting flaw I found was the poor control around access to users' photo albums on Facebook, not the world's biggest hack by a long way but still interesting.

I contacted Facebook last Thursday and I never received a response so I felt it was time to post the full details on my blog. I think most Facebook users would know that you can give a public URL to every photo and album you upload so that non-Facebook users can view them. I wondered if we could exploit this somehow to allow us to access any user's photos and albums without being their friends,
without being in groups with them, having friends who are friends with them etc. I found out it is possible! All you have to do is perform a search, hover over the “add friend” link, fire up the Burp Suite and sit back and wait for the photos!

I have still received no response from Facebook so I have posted the full details here: http://securityninja.co.uk/blog/?p=198

I acknowledge that this isn't a huge flaw and will not change the world of security but I thought people would find it interesting.
SN

Re: Access any album for any user on Facebook
Posted by: thrill
Date: March 13, 2009 12:03PM

Nice job! Thanks for sharing! :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Access any album for any user on Facebook
Posted by: Gareth Heyes
Date: March 13, 2009 02:51PM

@securityninja

Nice article but *slaps you round the head* you have phpbb installed, are you crazy? Or are you just that confident?

*Slaps self* round the head for using wordpress.

------------------------------------------------------------------------------------------------------------
"People who say it cannot be done should not interrupt those who are doing it.";
labs : [www.businessinfo.co.uk]
blog : [www.thespanner.co.uk]
Hackvertor : [hackvertor.co.uk]



Edited 1 time(s). Last edit at 03/13/2009 03:18PM by Gareth Heyes.

Re: Access any album for any user on Facebook
Posted by: thrill
Date: March 13, 2009 11:55PM

Nice one Gareth.. see, at least you can't slap me round the head since I have a "Secure installation of Joomla".. I should add that the only reason it's secure is because the server is in storage and powered down.. :)

--thrill

---

It is not the degrees you hold, but the mind you possess. - thrill

Re: Access any album for any user on Facebook
Posted by: Kyo
Date: March 14, 2009 07:37AM

I'm on the other extreme. I never run foreign code on my server. Ever. (Well, there are extremely rare exceptions, I'll give y'all that.)

Being an adolescent websecurity enthusiast, I am obligated to dismiss everyone else's code as inferior.

But anyway, nice. I hate it so much when you haven't stopped giving a shit yet and contact a site about security holes they found and they
1) don't contact you back at all (hi, apple!)
2) see you as a threat and ban you (but don't fix the hole) (hi, random shitty sites!)
3) take 6 months to contact you back (hi, stumbleupon!)



Edited 1 time(s). Last edit at 03/14/2009 07:37AM by Kyo.

Re: Access any album for any user on Facebook
Posted by: securityninja
Date: March 14, 2009 07:59AM

hi guys,

I had been thinking of getting rid of the forum for a while so you gave me the kick I needed ;-)

I think what really frustrated me is that Facebook contacted me very quickly once I posted it on the Full Disclosure mailing list. They have even acknowledged that they received my contact with them and had a ticket open for it yet no one contacted me.

Will sites ever learn to play their part in responsible disclosure?

Re: Access any album for any user on Facebook
Posted by: Kyo
Date: March 14, 2009 01:43PM

no.

Re: Access any album for any user on Facebook
Posted by: lightos
Date: March 15, 2009 12:42AM

You can also use the FQL (Facebook Query Language) to find the users album id.
Go to hxxp://developers.facebook.com/tools.php?api
Select fql.query under Method and use a query like:
SELECT location, link FROM album WHERE owner=xxxxxxxxxx
SELECT location, link FROM album WHERE owner IN (SELECT uid FROM user WHERE name="Person Name")

Taken from https://foro.elhacker.net/nivel_web/fql_injection-t248423.0.html (Spanish)

Re: Access any album for any user on Facebook
Posted by: tx
Date: March 16, 2009 03:16PM

securityninja Wrote:
-------------------------------------------------------
> Will sites ever learn to play their part in
> responsible disclosure?

I'm inclined to agree with Bruce Schneier's comments on Disclosure, namely that the only reason responsible disclosure can work is due to the (implicit) threat of full disclosure. To quote:
Quote

To a software company, vulnerabilities are largely an externality. That is, they affect you—the user—much more than they affect it. A smart vendor treats vulnerabilities less as a software problem, and more as a PR problem. So if we, the user community, want software vendors to patch vulnerabilities, we need to make the PR problem more acute.

-tx @ lowtech-labs.org

Re: Access any album for any user on Facebook
Posted by: securityninja
Date: March 18, 2009 09:03AM

hi tx,

I hadn't seen that quote before but I think it hits the nail on the head. I did try to make it a bigger PR issue by contacting a lot of the mainstream IT and IT Security news sites but only one got back to me and that took 5 days - by then Facebook had fixed the flaw (details on the fix here: http://securityninja.co.uk/blog/?p=220).

This is my first disclosure where I have been left feeling disappointed, Facebook were difficult to contact and deal with. Even when I had spoken with them they failed to keep up promises to "keep me informed". I only found out they had fixed it because I noticed it on my own profile.

SN

Re: Access any album for any user on Facebook
Posted by: d4rw1n
Date: March 31, 2009 10:46AM

Thanks for sharing securityninja! :)

Re: Access any album for any user on Facebook
Posted by: securityninja
Date: April 01, 2009 08:21AM

Hi d4rw1n - I'm glad you liked it :-)
