Facebook Confirms Data Breach and Massive Vulnerability

News Posted: Thu, Oct 11 2012 9:00 AM
A self-described security enthusiast has exposed a major flaw in Facebook: nearly any user's phone number can be used to pull up their personal information. His name is Suriya Prakash, and his method of harvesting numbers, he says, uses Facebook's mobile site to get around the search limits enforced on the social network's regular portal. Here is how he explains it.

"About a month ago I was just browsing Facebook on my Facebook mobile application and it had an option called 'Find friends using contacts' -- what it does is that it compares the contact list from your phone to the Facebook database to see if you have any friends that are in your contacts but not on your Facebook account," Prakash told The Next Web. "I also later figured out that simply 'searching' a person's phone number (including country code) will show you their account."


Using Prakash's method, a person can search an arbitrary phone number and see the matching user's full profile. According to Prakash it works nearly every time because Facebook's privacy settings are confusing, so most people have never restricted who can look them up by phone number. That alone is not too egregious; the scary part is that Prakash claims he wrote a script that harvests a massive phone book of everyone who allows phone-number lookup on Facebook.

The script saved the user names returned for a range of generated phone numbers. Facebook's main site limits how many searches a user can initiate, but Prakash claims he sidestepped that limit by running the script against Facebook's mobile site, where he says it worked like a charm for four days straight before Facebook eventually caught on.

"Facebook has developed an extensive system for preventing the malicious usage of our search functionality and the scenario described by the researcher was indeed rate-limited and eventually blocked," a Facebook spokesperson explained. "We are constantly updating these systems to improve their effectiveness and address new kinds of attacks."

Prakash acknowledges that Facebook eventually blocked his script, but not before he had harvested thousands of phone numbers. He also says he alerted Facebook about the vulnerability, but was ignored until his proof of concept started to receive media attention.
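The flaw the article describes is less about search itself than about where the rate limit lives: a limit tracked per frontend (web portal vs. mobile site) is defeated by a script that simply moves to the other frontend. As an added example that is not code from the article, from Prakash, or from Facebook, the Python below models a phone-number lookup endpoint with a sliding-window limiter and runs the same sequential-number enumeration against two configurations: one that keeps a separate counter per frontend, and one keyed on the actor alone regardless of which surface the request hits. The directory, the limits, the frontend names and the attacker loop are all constructed for illustration.

```python
"""Toy model of a phone-number lookup endpoint and an enumeration script.

Added example, not code from the article, from Prakash, or from Facebook.
Directory contents, limits, frontend names and the attacker's loop are all
constructed for illustration.
"""
from collections import defaultdict, deque

# Constructed directory: E.164 number -> (account name, discoverable-by-phone).
DIRECTORY = {
    "+14155550100": ("alice", True),
    "+14155550101": ("bob", True),
    "+14155550102": ("carol", False),  # turned off phone-number lookup
    "+14155550103": ("dave", True),
    "+14155550104": ("erin", True),
}

RATE_LIMITED = "RATE_LIMITED"


class LookupService:
    """Phone-number search with a sliding-window rate limit.

    share_limit_across_frontends=False models the bug the article describes:
    the web portal and the mobile site each keep their own counter, so an
    actor who is blocked on one frontend can continue on the other.
    """

    def __init__(self, max_lookups, window_seconds, share_limit_across_frontends):
        self.max_lookups = max_lookups
        self.window = window_seconds
        self.shared = share_limit_across_frontends
        self.history = defaultdict(deque)  # limiter key -> request timestamps

    def _limiter_key(self, actor, frontend):
        # Hardened: key on the actor only, whatever surface the request hits.
        return actor if self.shared else (actor, frontend)

    def lookup(self, actor, frontend, number, now):
        stamps = self.history[self._limiter_key(actor, frontend)]
        while stamps and now - stamps[0] >= self.window:
            stamps.popleft()  # drop requests that fell out of the window
        if len(stamps) >= self.max_lookups:
            return RATE_LIMITED
        stamps.append(now)
        entry = DIRECTORY.get(number)
        if entry is None or not entry[1]:
            # Same answer for "no such account" and "not discoverable", so the
            # response does not leak whether the number is registered at all.
            return None
        return entry[0]


def enumerate_numbers(service, actor, frontends, prefix, start, count):
    """The attacker's loop: sequential numbers, one request per second,
    rotating to the next frontend whenever the current one rate-limits."""
    found = {}
    frontend_index = 0
    now = 0.0
    for suffix in range(start, start + count):
        number = f"{prefix}{suffix:04d}"
        result = RATE_LIMITED
        for _ in frontends:
            result = service.lookup(actor, frontends[frontend_index], number, now)
            now += 1.0
            if result != RATE_LIMITED:
                break
            frontend_index = (frontend_index + 1) % len(frontends)
        if result not in (None, RATE_LIMITED):
            found[number] = result
    return found


def run_demo():
    """Run the same enumeration against the per-frontend and the shared limiter."""
    frontends = ["web", "mobile"]
    per_frontend = LookupService(3, 3600, share_limit_across_frontends=False)
    shared = LookupService(3, 3600, share_limit_across_frontends=True)
    harvested_vulnerable = enumerate_numbers(per_frontend, "attacker", frontends, "+1415555", 100, 5)
    harvested_hardened = enumerate_numbers(shared, "attacker", frontends, "+1415555", 100, 5)
    return harvested_vulnerable, harvested_hardened


if __name__ == "__main__":
    vulnerable, hardened = run_demo()
    print("per-frontend limit, attacker harvested:", sorted(vulnerable))
    print("shared limit, attacker harvested:      ", sorted(hardened))
```

With a budget of three lookups per hour, the per-frontend limiter lets the script collect four of the five discoverable accounts because it hops to the mobile surface the moment the web counter is exhausted; the shared limiter stops it at three requests total. Two caveats a practitioner would add: a limiter keyed only on the logged-in account is still defeated by registering many accounts, so production systems also key on source network and device and score the query pattern itself (sequential numbers, near-100% previously unseen lookups); and no limiter changes the underlying exposure, which is that the lookup is on for everyone unless the user finds the setting and turns it off.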
timaeus replied on Thu, Oct 11 2012 9:25 AM

"...he says it worked like a charm for four days straight... Facebook eventually blocked his script, but not before he was able to cultivate hundreds of phone numbers."

Hundreds of phone numbers in four days? That's not nearly as bad as the article seems to imply. I was thinking on the order of thousands or tens of thousands. So he was using a crude, brute-force method, which Facebook detected, and has since blocked. Cool.

Dave_HH replied on Thu, Oct 11 2012 9:34 AM

This article's headline has been updated to reflect the situation more accurately. The vulnerability is significant, demonstrating it can be done to millions of accounts.

Editor In Chief
http://hothardware.com


SPrakash replied on Thu, Oct 11 2012 10:26 AM

Why did I say hundreds? I got thousands! I only released a very small portion of it (http://privatepaste.com/3b9c229921). And the 4 days is with my macro script, but Tyler's script would give you one result every second! The script was only blocked after all the media attention!

regards,

Suriya

PS: Edit as appropriate.

SMasiello replied on Thu, Oct 11 2012 12:25 PM

So much for responsible disclosure...

SPrakash replied on Thu, Oct 11 2012 12:55 PM

I gave them 1 month! They didn't even reply properly! http://suriya.me/me-and-facebook-a-cautionary-tale/ Read it fully!


Well... it's good that this came out before anyone used the flaw in the wrong way. Kudos to Prakash. Well... I don't know what you think, but I try not to post on Facebook anything that could not be shown publicly.

JMorgan1 replied on Mon, Oct 15 2012 2:59 PM

Yawn, found this out in July, posted it publicly, now some 'expert' discovers it months later when it's been known about since July.

http://i.imgur.com/szCgH.png
