December 24, 2013

Facebook, Only Me... really??

In my quest to find bugs on the internet in my free time, I stumbled upon some information disclosure / privacy settings violation issues on Facebook and reported them promptly (two months after discovery :P). Facebook took them seriously, responded promptly (again, 1~2 months after the report) and fixed one of them. This entry describes how anyone could find out information which you had entered in your profile but kept hidden (privacy setting == "Only Me") just by becoming your friend.

This is going to be the lamest / non-technical bug you are ever going to see. So brace yourself.

First, the victim sets the privacy setting of the information he doesn't want to disclose to "Only Me".

Second, the attacker adds the victim as a friend. Remember, for this "attack" to work, the victim has to be the only friend in the attacker's friends list. Either the attacker creates a new profile and adds the victim as a friend, or unfriends everyone but the victim; either works.


Third, the attacker goes to update his profile. When he clicks on the text box to enter the information, Facebook, trying to be helpful, conveniently displays suggestions which are nothing but the values the victim has entered and kept private even from his friends. TADA! Privacy violation!!



Sometimes being helpful does not mean being nice. 

No matter how lame, it was a privacy violation. Facebook accepted it and fixed it. Kudos to them. Such helpful suggestions are no longer shown for information whose privacy setting is "Only Me".
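The root cause in the three steps above is an autocomplete source that pooled friends' profile values without applying the same visibility check the profile page itself applies. The example below is added here and is not Facebook's code: it models a profile-field suggestion source in the leaky form the post describes next to one that runs the owner's privacy setting through the same `can_view` check before suggesting a value, plus an audit function a developer could keep as a regression test so suggestions can never again return a value the requester could not read on a friend's profile. All user names, field names, values and the three visibility levels (`public`, `friends`, `only_me`) are constructed for illustration.

```python
# Added example (not Facebook's code): a model of a profile-field autocomplete
# source, in the leaky form described in the post beside a form that applies
# the owner's privacy setting before a value is suggested. User names, field
# names, values and the three visibility levels are constructed for illustration.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set

PUBLIC, FRIENDS, ONLY_ME = "public", "friends", "only_me"


@dataclass
class ProfileField:
    value: str
    visibility: str  # PUBLIC, FRIENDS or ONLY_ME


@dataclass
class User:
    uid: str
    friends: Set[str] = field(default_factory=set)
    profile: Dict[str, ProfileField] = field(default_factory=dict)


def can_view(viewer: User, owner: User, pf: ProfileField) -> bool:
    """Authorization check shared by profile rendering and suggestions."""
    if viewer.uid == owner.uid:
        return True
    if pf.visibility == PUBLIC:
        return True
    if pf.visibility == FRIENDS:
        return viewer.uid in owner.friends
    return False  # ONLY_ME: nobody but the owner


def suggestions_leaky(requester: User, users: Dict[str, User], field_name: str) -> List[str]:
    """Behaviour the post describes: pool friends' values with no visibility check.
    With a single friend, every suggestion is attributable to that friend."""
    out: List[str] = []
    for fid in sorted(requester.friends):
        pf = users[fid].profile.get(field_name)
        if pf and pf.value not in out:
            out.append(pf.value)
    return out


def suggestions_safe(requester: User, users: Dict[str, User], field_name: str) -> List[str]:
    """Same feature, but a value is only suggested if the requester could read it
    on the owner's profile. Only-Me values never leave the owner's own view."""
    out: List[str] = []
    for fid in sorted(requester.friends):
        owner = users[fid]
        pf = owner.profile.get(field_name)
        if pf and can_view(requester, owner, pf) and pf.value not in out:
            out.append(pf.value)
    return out


def audit_leaks(suggest: Callable[[User, Dict[str, User], str], List[str]],
                users: Dict[str, User]) -> List[tuple]:
    """Regression check: for every requester and field, report suggested values
    that the requester is not authorized to view on any friend's profile."""
    leaks = []
    field_names = {n for u in users.values() for n in u.profile}
    for requester in users.values():
        for name in sorted(field_names):
            for value in suggest(requester, users, name):
                allowed = any(
                    users[fid].profile.get(name) is not None
                    and users[fid].profile[name].value == value
                    and can_view(requester, users[fid], users[fid].profile[name])
                    for fid in requester.friends
                )
                if not allowed:
                    leaks.append((requester.uid, name, value))
    return leaks


def build_scenario() -> Dict[str, User]:
    """Constructed scenario from the post: the victim is the attacker's only friend."""
    victim = User("victim", profile={
        "employer": ProfileField("Example Widgets Ltd", ONLY_ME),
        "hometown": ProfileField("Springfield", FRIENDS),
    })
    attacker = User("attacker")
    attacker.friends.add(victim.uid)
    victim.friends.add(attacker.uid)
    return {victim.uid: victim, attacker.uid: attacker}


if __name__ == "__main__":
    users = build_scenario()
    print("leaky:", suggestions_leaky(users["attacker"], users, "employer"))
    print("safe: ", suggestions_safe(users["attacker"], users, "employer"))
    print("leaks found by audit:", audit_leaks(suggestions_leaky, users))
```

The design point is that the suggestion endpoint reuses `can_view` rather than carrying its own notion of who may see what; any secondary feature that reads profile data (search, suggestions, "people you may know" style hints) should go through the same authorization function as the primary view, and `audit_leaks` turns that rule into a test that fails the moment a new code path forgets it.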