I'm not a fan of the new Facebook design – at all. Not simply because it ignores basic design and UI rules, but also because it brings a whole host of new bugs and exploits. This is the first and most trivial of the exploits I have found (it may also have existed before the update, but *as far as I can tell* no one else has identified it).
Note: I informed Facebook of this 24 hours ago and received no response. I guess they either don't take me seriously (:D) or it is not high on their list of problems. I'm releasing it here (having already done so for my Facebook friends earlier) so at least people can be warned to check/change their privacy settings if they feel the need. This is not a hugely dangerous exploit, as the access is fairly easy to obtain with a few weeks of social engineering (or a bit of luck) – however it does cut that work time down to a few minutes.
The Background
Since new Facebook came out I have been considering several exploits that might have been possible, ranging from the serious (session hijacking) to the trivial (access to profiles). The new layout has also come with changes to the back-end mechanisms, leading to a LOT of exploitable bugs. With the help of a couple of friends and some of their siblings I have managed to exploit and verify a VERY trivial privacy bug.
The idea came originally from attempts to create a "fake" account and gain viewing access to people's profiles. Since their previous update Facebook has protected your profile from the general populace a lot better: a smaller number of profiles are now viewable to the average user. However, there are two major flaws in this:
- Most profiles are set, by default, to allow people in the same network(s) as yourself to view the majority of your profile stream – certainly images/video and their comments.
- Getting access to ANY network is trivial and can be done in under half an hour.
The Attack
Creating and verifying a Facebook account simply needs an email address (and then a phone number to get rid of the annoying captchas here and there). I created a temporary fake account and picked a target. Facebook will generally tell you what network someone is in via the search interface (note that this works for institutions, and less so for cities/areas – see Limitations), so the next step is to join that network, thereby giving you access to most of the profiles within it.
Initially I believed it would take much longer to achieve this than it did. Facebook has a "soft security" barrier to joining a new network whereby you cannot view profiles until someone *already* within the network confirms you as a friend. I understand the logic behind this and recognise that it seems only the bare minimum of security. However, in the 5 days since joining Facebook I have attempted to add 20 "likely" people (i.e. those who I identified as likely to add random friends) from the network I joined and NONE of them have accepted me. It would require an extra level of social engineering, I suspect, to gain access this way (however, once done, it provides the same access, obviously).
After spending time trying to convince people to accept me I took time to consider other possible ways to become verified as a member of the network. In the end it was absolutely trivial and would probably have occurred to any competent user. Within 5 minutes I had created *another* fake account, joined it to the network and accepted the original fake persona's friend request. Shortly after that we were BOTH verified as members of the network.
So there it is, trivial: two unverified members of a network were able to confirm each other's membership. The check evidently asks only whether the confirming friend has joined the network, not whether that friend's own membership has been confirmed.
The initial target for this was a minor UK celebrity (with permission). Within 15 minutes I had access to photos and videos that *really* no one would want on celeb gossip sites. More disturbing was the fact that I had access to similar photos and videos of her friends (and the sibling) who were specifically *not* members of the network. This access did seem to be random and to come and go, but there was plenty enough content to be going on with.
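To make the logic failure concrete, here is a small Python model of the confirmation rule. It is an added illustration for this write-up, not Facebook's code: the real checks are unknown, and the account names, the "uni" network and the `strict` switch are my assumptions. The flawed check lets anyone who has merely joined a network confirm a friend into it; the hardened check only counts friends whose own membership has already been confirmed. The target's `network_visible` flag models the lax default from the first flaw listed above, so the same model also shows why opting out of network visibility defeats the trick.

```python
# Added illustration of the verification flaw described above; not Facebook code.
# The real checks are unknown: this models only the behaviour the post reports.
from dataclasses import dataclass, field


@dataclass
class Account:
    name: str
    joined: set = field(default_factory=set)    # networks the account has asked to join
    verified: set = field(default_factory=set)  # networks where membership has been confirmed
    friends: set = field(default_factory=set)
    network_visible: bool = True                # lax default: same-network members can view


class Site:
    """strict=False reproduces the flaw: anyone who merely *joined* a network can vouch.
    strict=True is the hypothetical fix: only *confirmed* members can vouch."""

    def __init__(self, strict):
        self.strict = strict
        self.accounts = {}

    def register(self, name, **kwargs):
        self.accounts[name] = Account(name, **kwargs)

    def join_network(self, name, network):
        self.accounts[name].joined.add(network)
        self._recompute()

    def accept_friend(self, acceptor, requester):
        self.accounts[acceptor].friends.add(requester)
        self.accounts[requester].friends.add(acceptor)
        self._recompute()

    def _vouches(self, voucher, network):
        if self.strict:
            return network in voucher.verified   # fix: only confirmed members vouch
        return network in voucher.joined         # flaw: a mere joiner vouches too

    def _recompute(self):
        # Iterate to a fixed point: a newly confirmed member can in turn confirm friends.
        changed = True
        while changed:
            changed = False
            for acct in self.accounts.values():
                for net in acct.joined - acct.verified:
                    if any(self._vouches(self.accounts[f], net) for f in acct.friends):
                        acct.verified.add(net)
                        changed = True

    def can_view(self, viewer, target):
        v, t = self.accounts[viewer], self.accounts[target]
        if target in v.friends:
            return True
        return t.network_visible and bool(v.verified & t.verified)


def run_attack(strict, target_network_visible=True):
    """Replay the two-fake-accounts trick; return whether the attacker can view the target."""
    site = Site(strict)
    # Constructed data: the target is a legitimately confirmed member of "uni".
    site.register("target", joined={"uni"}, verified={"uni"},
                  network_visible=target_network_visible)
    site.register("mallory")                    # first fake account
    site.join_network("mallory", "uni")         # joined, but unconfirmed
    site.register("mallory2")                   # second fake account, also unconfirmed
    site.join_network("mallory2", "uni")
    site.accept_friend("mallory2", "mallory")   # the unconfirmed pair confirm each other
    return site.can_view("mallory", "target")


if __name__ == "__main__":
    print("flawed check, lax target:      ", run_attack(strict=False))  # True
    print("fixed check, lax target:       ", run_attack(strict=True))   # False
    print("flawed check, target opted out:", run_attack(False, False))  # False
```

Under the flawed rule both fake accounts end up confirmed in "uni" after a single mutual friendship, and the attacker can see the target's profile. Under the strict rule neither fake account is confirmed, because neither has a friend who is themselves a confirmed member; and even under the flawed rule the attacker gets nothing if the target has turned off visibility to network members.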
Limitations
This does not work for area networks (e.g. London). Within an area network (which requires NO confirmation) you seem to be able to access only a small number of people's profiles. I haven't quite figured out how that is decided (it appears to be random, but I am collating some data now).
It also requires the "target" to have privacy settings that allow people in their network to view their profile. However, I have tested this 20 times now, and in every case around 90% of the profiles tested had extremely lax privacy settings.
How to secure your profile
Well, you shouldn't post things you wouldn't like people to see on Facebook in the first place: but then again lots of people do. In one case (where the target was a friend of mine and allowed me to access their profile) there were pictures of under-18-year-olds in near nudity (and not in the sense of wearing revealing clothing). A lot of personal information can also be accessed, uncovered or (more importantly) intelligently guessed via this method.
This is both a trivial exploit and a trivial fix. All that is needed is some editing of your default privacy settings via the main privacy page (hover over "Settings" at the top right of your Facebook page).
(Screenshot: the Facebook privacy page)
One of the main settings you should look at changing is whether your network is shown in search results (or, even, choosing not to appear in most searches at all!). That denies an attacker the first step, finding out which network to join. More importantly, edit your Profile privacy settings to remove access to your information by people in your network: once that is off, being confirmed into your network gains the attacker nothing.
Here is a short video showing the various privacy pages & settings.
Conclusion
I do understand that this seems fairly silly as exploits go, but it allows instant and fairly unrestricted access within minutes. I was able to join *school* networks with ease. I, for example, allow access to most of my Facebook profile because I never post anything on there that I would not (for example) put on Twitter. But a lot of people use it for more private communication. This bypasses the checks Facebook imposes to make gaining this sort of access difficult – perhaps NOW they will take notice.
I would like to see them not only fix this bug but also look at protecting the profiles of younger members better. People under the age of 16 (and even 18) should have stricter protection set by default. Facebook also needs to educate users better and more frequently about how their privacy works and what each setting means.
Please note that all fake accounts have been deleted and owners of any of the tested profiles have been informed. Thanks to Rob, Tim, Kat, M, Toby and Lawrence for willingly allowing access to their profiles (or those of their siblings) via this method.
Next up
I have some more serious exploits to look at next (this time with definite participation), one of which might lead to session snatching (or at the very least profile manipulation). I hope to have some results within a week.