Skip to main content

Posts

Showing posts from December, 2013

Facebook, Only Me... really??

In my quest for finding bugs on the internet in my free time, I stumbled upon some information disclosure / privacy settings violation issues on Facebook and reported them promptly (after 2 months of discovery :P). Facebook took them seriously and responded promptly (again 1~2 months after the report) and fixed one of them. This entry describes how anyone could find out the information which you have entered in your profile but kept it hidden (Privacy settings == Only Me) just by becoming your friend. 

This is going to be the lamest / non-technical bug you are ever going to see. So brace yourself.

First, the victim has to set the information which he doesn't want to disclose with privacy settings as "Only Me".

Second, The attacker adds the victim as a friend. Remember, for this "attack" to work, the victim has to be the only friend in attackers friends list. Either the attacker creates a new profile and adds victim as a friend or unfriends all the friends but the …