Discovered by Irene Abezgauz
VP Product Management, Seeker Research Center leader
Irene Abezgauz of the Quotium Seeker Research Center identified a flaw in Facebook's privacy controls that lets an attacker see the friends list of any Facebook user, including users who have set their friends list to private. The attack abuses the 'People You May Know' mechanism, which is how Facebook suggests new friends to its users.
Facebook is a frequent target because of the personal information it holds, and users rely on it to enforce the privacy settings they choose.
Because this vulnerability makes the control that hides a friends list from non-friends ineffective, we hope Facebook will reconsider its position and address the flaw.
To carry out the attack, an attacker creates a new Facebook account and sends a friend request to the victim. Whether the victim declines the request is irrelevant. From that point Facebook begins suggesting people the attacker may know, with a 'see all' button to expand the list. The people suggested are the friends of the user to whom the attacker sent the request, even when the victim's friends list is set to private and the suggested users also keep their friends lists private.
Step 1: AllYourDatazAreBelongToUs, the user with no friends
To exploit this vulnerability the attacker first creates a new Facebook account. As the screenshot below shows, this account has no friends and no friend suggestions:
Step 2: Sending the victim a friend request
The victim, Irene IreneIrene, has her friends list hidden:
At this point Facebook suggests: “To see what she shares with friends, send her a friend request.” The attacker follows that advice.
Step 3: See the victim's friends list as 'People You May Know' suggestions
The victim does not accept the friend request. She may not even have seen it, since she is not logged into Facebook at the moment. Nevertheless, Facebook starts suggesting to the attacker users who are either friends of the victim or people the victim has recently sent friend requests to:
Using the 'see all' button, the attacker can expand the list to view hundreds of suggested users who are friends with the victim.
As part of the research into this vulnerability we wanted to establish the exact conditions under which it works. The friends chosen for the victim were users who also had their friends lists set to private, and no interaction took place between the accounts other than the sending of friend requests. This data is therefore not publicly available to anyone who is not a friend of the victim.
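To make the information-flow problem behind the three steps above concrete, here is a toy model of a friend-suggestion engine. This is an added illustration, not Facebook's code or anything from the Quotium research: the data model, the account names, and the "leaky" and "hardened" ranking rules are all assumptions. The leaky rule treats a pending outgoing request as if it were a confirmed friendship when picking whose connections to suggest, which is what the observed behaviour implies; the hardened rule only walks confirmed friendships, so a one-sided request reveals nothing about the target's graph.

```python
from dataclasses import dataclass, field


@dataclass
class User:
    name: str
    friends_list_public: bool = True
    friends: set = field(default_factory=set)
    # Friend requests this user has sent that have not been accepted.
    # The recipient declining or ignoring is deliberately not modelled:
    # the post reports that it makes no difference to the leak.
    pending_sent: set = field(default_factory=set)


class Graph:
    """Minimal social graph (constructed for this example, not real data)."""

    def __init__(self):
        self.users = {}

    def add(self, name, public=True):
        self.users[name] = User(name, friends_list_public=public)
        return self.users[name]

    def befriend(self, a, b):
        self.users[a].friends.add(b)
        self.users[b].friends.add(a)

    def send_request(self, sender, target):
        self.users[sender].pending_sent.add(target)


def suggest_leaky(graph, viewer):
    """Assumed vulnerable ranking: confirmed friends AND targets of the
    viewer's pending requests are used as seeds, and each seed's friends and
    pending requests are suggested without consulting the seed's privacy
    setting. A fresh account with one outgoing request therefore sees the
    victim's (private) friends list and the victim's own pending requests."""
    me = graph.users[viewer]
    seeds = me.friends | me.pending_sent
    found = set()
    for s in seeds:
        found |= graph.users[s].friends | graph.users[s].pending_sent
    return found - me.friends - {viewer}


def suggest_hardened(graph, viewer):
    """Assumed fix: only confirmed friendships seed the suggestions, so the
    viewer can only ever learn friends-of-friends (people with a mutual
    friend), which the viewer could see anyway. A one-sided request reveals
    nothing, regardless of the target's privacy setting."""
    me = graph.users[viewer]
    found = set()
    for s in me.friends:
        found |= graph.users[s].friends
    return found - me.friends - {viewer}


def build_scenario():
    """Reproduce the post's set-up with constructed names: a brand-new
    attacker account, a victim whose friends list is hidden, three victim
    friends who also hide theirs, and one person the victim has a pending
    request to. No other interaction exists between the accounts."""
    g = Graph()
    g.add("attacker")                        # new account, no friends
    g.add("victim", public=False)
    for f in ("friend_a", "friend_b", "friend_c"):
        g.add(f, public=False)
        g.befriend("victim", f)
    g.add("pending_d", public=False)
    g.send_request("victim", "pending_d")    # victim's own unanswered request
    g.send_request("attacker", "victim")     # the attack step; answer irrelevant
    return g


if __name__ == "__main__":
    g = build_scenario()
    print("leaky   :", sorted(suggest_leaky(g, "attacker")))
    print("hardened:", sorted(suggest_hardened(g, "attacker")))
```

With the constructed scenario the leaky rule hands the attacker every private friend of the victim plus the account the victim has a request pending to, while the hardened rule returns nothing. Once the attacker actually has a confirmed mutual friend, the hardened rule still produces ordinary friends-of-friends suggestions, so the fix removes the side channel without removing the feature.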
Facebook responded that: “If you don’t have friends on Facebook and send a friend request to someone who’s chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone’s complete friend list.”
However, our research into this issue has shown that most of the friends list, often hundreds of friends, is exposed to the attacker. In any case, even a partial friends list is a violation of the privacy controls the user chose.