Tuesday, December 23, 2014

Posted by Paulos Yibelo
11:20 AM

It's been a while since I posted any of my findings, so I decided to share a recently patched issue in Facebook.

In the news: http://magazine.vulnerability-db.com/?q=articles/2014/12/23/facebook-social-network-privacy-issue-disclosed-bug-bounty-program-whitehat

So, this issue is kind of an expected behavior. The idea is that while converting an account to a page, Facebook never removes data like the Friends list and Messages (in case the user wants their page to go back to a normal account). You know what that means: it practically states we will always remain friends with the people who were friends with us in the conversion process.

Thus, we will be able to see their posts with the "Friends" privacy setting by navigating to their page, even though our account is a page and can't be friends with anyone.

Facebook fixed this immediately by removing the friend list (or putting it inside a separate backup table), but then the fix created a new issue.

When they removed the friend list, they didn't remove the serialized list of Friends of Friends. I admit, "Friends of Friends" is exactly like "Public" considering the recursion to one another. But still, it caused this:

"Say for example I was friends with account "X" before my account was a page, and say "Y" is friends with X but Y isn't my friend (which makes "Y" my "Friend of Friends").

Now I change my account to a page, which essentially means X remains my friend (the fix stopped that), but not "Y". So, when Y shares something with the privacy setting "Friends of Friends", I shall be able to see his shares just because "X" was my friend in the conversion process, so "Y" is my "Friend of Friends".
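A minimal model of the stale derived list described above, as an added example that is not from the original post and is not Facebook's code. The `Graph` class, its `fof_cache` and the `purge_derived` flag are assumptions made for illustration; the post does not say how the second fix was implemented.

```python
# Toy model (constructed): a cached "Friends of Friends" (FoF) set that
# outlives the removal of the direct friend edges it was derived from.
class Graph:
    def __init__(self):
        self.friends = {}    # user -> set of direct friends (live edges)
        self.fof_cache = {}  # user -> stored FoF set (derived data)

    def add_friendship(self, a, b):
        self.friends.setdefault(a, set()).add(b)
        self.friends.setdefault(b, set()).add(a)

    def compute_fof(self, user):
        direct = self.friends.get(user, set())
        fof = set()
        for f in direct:
            fof |= self.friends.get(f, set())
        return fof - direct - {user}

    def convert_to_page(self, user, purge_derived):
        # First fix from the post: drop the direct friend list.
        for f in self.friends.pop(user, set()):
            self.friends[f].discard(user)
        # Assumed remediation: also drop data derived from that list.
        if purge_derived:
            self.fof_cache.pop(user, None)

    def can_view(self, viewer, author, audience):
        if audience == "public" or viewer == author:
            return True
        if viewer in self.friends.get(author, set()):
            return True  # direct friends are in both audiences
        if audience == "friends_of_friends":
            fof = self.fof_cache.get(viewer)  # a stale entry is trusted here
            if fof is None:
                fof = self.compute_fof(viewer)
            return author in fof
        return False

def scenario(purge_derived):
    """The X / Y case from the post: me-X and X-Y are friends, me-Y are not."""
    g = Graph()
    g.add_friendship("me", "X")
    g.add_friendship("X", "Y")
    g.fof_cache["me"] = g.compute_fof("me")  # stored before conversion
    g.convert_to_page("me", purge_derived)
    return {
        "sees_X_friends_post": g.can_view("me", "X", "friends"),
        "sees_Y_fof_post": g.can_view("me", "Y", "friends_of_friends"),
    }
```

With `purge_derived=False` the page loses access to X's "Friends" posts but still passes the "Friends of Friends" check for Y, which is the second report; with `purge_derived=True` both checks fail.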

Got a generous bounty and great co-operation from Facebook Security.

2014-10-31: Notification
2014-11-01: Response (Facebook Security Team - Bug Bounty Program)
2014-11-13: Vendor Fix/Patch (Facebook Developer Team)
2014-11-15: Second Report
2014-12-13: Vendor Fix/Patch (Facebook Developer Team - Bug Bounty: ****$)  

