Facebook Friends private information disclosure

2013-02-09
ID: 75271
CVE: None
Download vulnerable application: None
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

# 
# *Vendor*: www.facebook.com
# Author: Juan Carlos García (NightSec) / Javier García García (NapsTeR-vk)
# Blog: http://hackingmadrid.blogspot.com
# Facebook http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196

**********************

BRIEF DESCRIPTION

**********************

The advent of Web 2.0 has caused social profiling and is a growing concern for internet privacy.[1] Web 2.0 is the system that facilitates participatory information sharing and collaboration on the Internet, in social networking websites like Facebook and MySpace.[1] These social networking sites have seen a boom in their popularity starting from the late 2000s. Through these websites many people are giving out their personal information on the internet.

These social networks keep track of all interactions used on their sites and save them for later use.[2] Issues include cyberstalking, location disclosure, social profiling, 3rd party personal information disclosure, and government use of social network websites in investigations without the safeguard of a search warrant.

Facebook has been scrutinized for a variety of privacy concerns due to changes in its privacy settings on the site over time, as well as privacy concerns within Facebook applications. When Facebook first began in 2004, it was focused on universities and only those with .edu addresses could open an account. Furthermore, only those within your own university network could see your page. Some argue that initial users were much more willing to share private information for these reasons. As time went on, Facebook became more public, allowing those outside universities, and furthermore those without a specific network, to join and see pages of those in networks that were not their own. In 2006 Facebook introduced the News Feed, a feature that would highlight recent friend activity. By 2009, Facebook made more and more information public by default. For example, in December of 2009, Facebook drastically changed its privacy policies, allowing users to see each other's lists of friends, even if users had previously indicated they wanted to keep these lists private. Also, the new settings made photos publicly available by default, often without users' knowledge.

**************
**************

Friends Private Information Disclosure

*********************************************

Facebook offers the option to see the friendship between your profile and that of another person, whether that person is your friend or not. By default, however, anyone is able to access the relationship between two people they do not know.

You can access any existing profile on Facebook, see the friendship between the two people, and also "SHARE" that friendship and make it public, even though these people have set in their Facebook privacy settings that this information should not be visible.

Apart from this disclosure of private information about the relationships of people you do not know and who are not on your profile, this can be used for pranks among minors, harassment and other illegitimate acts.

**************

Proof Of Concept (PoC)

https://www.facebook.com/usuario1?and=usuario2


User1: RAFAMORATETE -------------------> Rafael Mora, Celebrities in Spain

User2: ADMIN.CANGREJOS ( I am ...)


https://www.facebook.com/RAFAMORATETE?and=ADMIN.CANGREJOS

User1: RAFAMORATETE -------------------> Rafael Mora, Celebrities in Spain

User2: karmele.marchantebarrobes ------> Karmele Marchante, Celebrities in Spain and a well-known tabloid journalist. They hate each other publicly.


https://www.facebook.com/RAFAMORATETE?and=karmele.marchantebarrobes

As you can see, we can access the friendship between them, and even more, we can share that friendship even though they have not

Ultimately, Facebook once again has a security flaw through which a malicious user can see other people's private information, namely the relationship between them, and/or share this relationship, which can be used by people with no good purpose (the same with Bill Gates and the Facebook CEO, for example ...)
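The authorization gap described in the PoC, modelled as an added example (not Facebook's code): a handler for the "friendship between two users" page that ignores the viewer, beside a hardened one that consults both users' friend-list privacy settings before disclosing or allowing a share. The account names, the three-value visibility setting and the in-memory data are assumptions constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)
    # Constructed "who can see my friends list" setting: public / friends / only_me
    friends_visibility: str = "public"


def are_friends(users, a, b):
    return b in users[a].friends


def can_see_friends_list(users, viewer, owner):
    """Apply the owner's own friend-list visibility setting to the viewer."""
    if viewer == owner:
        return True
    setting = users[owner].friends_visibility
    if setting == "public":
        return True
    if setting == "friends":
        return are_friends(users, owner, viewer)
    return False  # "only_me"


def friendship_page_vulnerable(users, viewer, user1, user2):
    """Behaviour the advisory reports for /user1?and=user2: the relationship is
    returned and shareable for any viewer; privacy settings are never consulted."""
    return {"friends": are_friends(users, user1, user2), "shareable": True}


def friendship_page_fixed(users, viewer, user1, user2):
    """Hardened form: disclose the relationship only if the viewer may see BOTH
    friend lists, and let only the two participants share it; otherwise None
    (the handler would answer 403)."""
    if not (can_see_friends_list(users, viewer, user1)
            and can_see_friends_list(users, viewer, user2)):
        return None
    return {"friends": are_friends(users, user1, user2),
            "shareable": viewer in (user1, user2)}


# Constructed sample accounts (placeholders, not the profiles named in the PoC).
USERS = {
    "alice": User("alice", {"bob"}, "only_me"),
    "bob": User("bob", {"alice", "carol"}, "friends"),
    "carol": User("carol", {"bob"}, "public"),
    "stranger": User("stranger"),
}
```

With these accounts, a stranger asking the vulnerable handler about alice and bob learns they are friends, while the fixed handler withholds the answer because alice's list is set to only_me.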

******************

Special thanks to all the people who follow me on Ethical Hacking and Ole by the Face. Thanks guys

******************