Facebook “flaw” discloses users’ private friends list
Posted on 26 November 2013.
A recently unearthed potential Facebook security vulnerability can turn out to be a boon for stalkers or social engineers trying to get their friendship request accepted by a target and use that access to wreak damage or gather crucial information.

The “flaw” was discovered by Irene Abezgauz, vice president of product management at security software company Quotium. She noticed that despite having set privacy settings to hide the list of her Facebook friends from everybody, anyone who created an account and sent her a friend request could peruse said list as it’s shown via the “People You May Know” feature.

The feature also has the option “Show All” if the initial list is not helpful enough. In the end, it doesn’t matter if the user accepts the friend request or not - the potential attacker has garnered knowledge of the people the target associates with.

Social engineers looking for ways to get to know sensitive information about potential targets, but whose friend request hasn’t been accepted, can now try their luck with the target's friends. Once they have built a respectable amount of mutual friends, they might get direct access to the target who will finally decide to “friend” them.

Stalkers could be another problem. Let’s say you’re the victim of one, but you still want to use Facebook to keep in touch with your friends and family. You’ve been cautious enough to delete the account with your real name and set up a new one with a fake one, and you have “friended” a small number of people who you are close to.

They know your situation and have agreed to change their settings so that their friends list is visible only to them, lest the stalker deduces your real identity and begins to try to find a way to get you to accept a friend request (from a fake account name, obviously) in order to continue abusing you online.

Unfortunately, the privacy setting offers no real protection, as this “flaw” shows the list anyway.

“As part of the research for this vulnerability we wanted to verify the exact conditions under which this was possible,” shared Abezgauz. “The friends chosen for the victim were users who also had their friends list set to private. In addition, no interactions took place between the users except for the sending of friend requests.”

The result was the same - the list was visible.

Abezgauz and her team of researchers contacted Facebook to point out the flaw, but the social network responded by saying that ”if you don't have friends on Facebook and send a friend request to someone who's chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone's complete friend list.”

But, if you chose that no one should see your friend list (Activity Log > Friends > Who can see your friend list? > Only Me), even this partial list is a violation of your chosen privacy controls, says Abezgauz.









Spotlight

Android Fake ID bug allows malware to impersonate trusted apps

Posted on 29 July 2014.  |  Bluebox Security researchers unearthed a critical Android vulnerability which can be used by malicious applications to impersonate specially recognized trusted apps - and get all the privileges they have - without the user being none the wiser.


Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.
  



Daily digest

Receive a daily digest of the latest security news.
  

DON'T
MISS

Tue, Jul 29th
    COPYRIGHT 1998-2014 BY HELP NET SECURITY.   // READ OUR PRIVACY POLICY // ABOUT US // ADVERTISE //