New Facebook Vulnerability Allows Viewing Hidden Friends Lists - BestCyberNews: Online News Presenter in the present world


Irene Abezgauz from the Quotium Seeker Research Center identified a security flaw in Facebook's privacy controls. The vulnerability allows attackers to see the friends list of any user on Facebook. The attack is carried out by abusing the ‘People You May Know’ mechanism, which is how Facebook suggests new friends to users.

Since this vulnerability renders the privacy control to hide friends lists from other users irrelevant, we hope Facebook will change its mind and this flaw will be addressed.

Facebook is a privileged target for hackers and cyber-criminals. The popular social network is a mine of data that could be used to acquire information on a specific target or to conduct criminal activities involving a large audience.

Numerous tools can be used to automate the reconnaissance process, and many of the platform's features can be abused for this kind of research.

To carry out this attack, the attacker first needs to create a new user on Facebook and send a friend request to the victim. Whether the victim declines the request is irrelevant. At this point Facebook begins to suggest to the attacker people he may know, with the option of clicking a ‘see all’ button for convenience.

The people suggested at this point are the friends of the attacked user to whom the attacker sent a friend request, even when the friends list of the victim is set to private, and the other suggested users also have their friends list private.

In researching this vulnerability, we wanted to verify the exact conditions under which this was possible. The friends chosen for the victim were users who also had their friends list set to private. In addition, no interactions took place between the users except for the sending of friend requests. This is data which is not publicly available to any user who is not a friend of the victim.

Facebook responded: “If you don't have friends on Facebook and send a friend request to someone who's chosen to hide their complete friend list from their timeline, you may see some friend suggestions that are also friends of theirs. But you have no way of knowing if the suggestions you see represent someone's complete friend list.”

The research of this issue has shown that most of the friends list, often hundreds of friends, is available to the attacker. In any case, even a partial friends list is a violation of user-chosen privacy controls.
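The leak described above can be modelled in a few lines. This is an added example, not code from the article, Quotium or Facebook; the data model and the names `suggest_leaky`, `suggest_hardened` and `may_view_friends` are assumptions made for illustration. It puts a suggestion routine that seeds on pending friend requests without consulting the friends-list privacy setting next to one that applies that setting before expanding through a user.

```python
# Toy model, constructed for illustration; not Facebook's code or data model.
from dataclasses import dataclass, field

@dataclass
class User:
    name: str
    friends_list_public: bool = True
    friends: set = field(default_factory=set)
    pending_out: set = field(default_factory=set)  # requests sent, unanswered or declined

def befriend(graph, a, b):
    graph[a].friends.add(b)
    graph[b].friends.add(a)

def may_view_friends(graph, viewer, owner):
    """Privacy control: a hidden list is visible only to confirmed friends."""
    u = graph[owner]
    return u.friends_list_public or viewer in u.friends

def suggest_leaky(graph, viewer):
    """Seeds on pending requests and never consults the privacy control."""
    me = graph[viewer]
    seeds = me.friends | me.pending_out
    out = set()
    for s in seeds:
        out |= graph[s].friends
    return out - seeds - {viewer}

def suggest_hardened(graph, viewer):
    """Expands only through seeds whose friends list the viewer may already see."""
    me = graph[viewer]
    seeds = me.friends | me.pending_out
    out = set()
    for s in seeds:
        if may_view_friends(graph, viewer, s):
            out |= graph[s].friends
    return out - seeds - {viewer}

def build_sample():
    """Constructed sample: the victim and both friends hide their lists."""
    names = ("victim", "f1", "f2", "new_account")
    g = {n: User(n, friends_list_public=False) for n in names}
    befriend(g, "victim", "f1")
    befriend(g, "victim", "f2")
    g["new_account"].pending_out.add("victim")  # only interaction: one request
    return g

if __name__ == "__main__":
    g = build_sample()
    print("leaky:   ", sorted(suggest_leaky(g, "new_account")))
    print("hardened:", sorted(suggest_hardened(g, "new_account")))
```

The hardened routine still suggests mutual friends once the request is accepted, because at that point the viewer is entitled to see the list.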
