Archive for August, 2010
Attack of the Facebook Harvesters
Author: vid | Filed under: social media

UPDATE 16 Aug 2010 4:09 PM GMT: Facebook execs have been contacted (well, through the emails discovered) and notified of this issue. They are looking into it already. But the issue still remains.
A few days ago, I heard about a Facebook bug where, if you try to log in using a Facebook user's email address and a wrong password, you are shown the user's real name and profile picture. Spammers could have used a simple script like the one put up by Atul Agarwal (the person who initially noticed the "bug / feature / vulnerability") on the Full Disclosure mailing list here.
Luckily, Facebook fixed it so that this is apparently shown only if the browser already has the cookies for that particular user.
This put an end, temporarily, to the can of worms the "bug" could have opened up, especially more convincing phishing, what with the photos and names. Yes, you saw it right, I said "temporarily"!
In this article I would like to highlight another way to accomplish the same end result.
Background
But before that, let me point out a nifty feature in Facebook: reverse email search for a Facebook user. If you didn't know it before, you can search for a user by email address (if you know it). This is quite nifty as it helps bridge your email contacts and your Facebook friends.
Alright then, what does this imply? Anybody who knows your email address can look it up on Facebook and find your profile. In reality this wouldn't be dangerous unless people with malicious intent know your email address. If they do, they have a treasure trove of information to send you more convincing "phishing emails" or to mount a brute-force attack on your passwords. Most people use bits and pieces of information from their Facebook profile, like name, hometown and birthday, for their email addresses and passwords, making them easy prey for such malicious activities.
The Real Deal
But let us go one step further and assume that "everyone who knows your email address is good" and won't try to crack your passwords. That leaves one remaining avenue: someone scripting a brute-force check of candidate email addresses against Facebook to see which of them have an account and, if so, to pull the related details.
Doing this manually will, for obvious reasons, be tiring. And you can't crawl the facebook.com site search, as it blocks all bots except perhaps Google, Bing and Yahoo. But what you can do, and what I have tested first hand, is use Facebook's own Graph API.
As mentioned in the API documentation, you can search Facebook for people using something like
https://graph.facebook.com/search?q=query&type=user
So if you replace the query with any email address you want to check for a Facebook account, it will return the name, first name, last name, id, picture, and hence the profile of the user. Of course you need to register a Facebook application, use it, and get the authorization (OAuth) of a user to make this call, but when that user can be anyone with a Facebook account, including the "spammer" himself, it matters little. And at least to my knowledge Facebook is not monitoring these calls, as they would be thought to be harmless. Neither do they check whether someone is storing that data. This has been a strongly debated point ever since the application platform was introduced. Chris Soghoian nailed it in his CNET post of January 23, 2008 by saying that he can only assume that Facebook has a team of trained psychics on staff who use their mysterious powers to ferret out rogue developers.
The Solution
An easy temporary fix might be to not allow this call with an email query, and I really hope they do it real soon or at least fix it in some other way. All we can do in the meantime is to keep our email accounts secure by choosing longer, hard-to-guess names and equally strong passwords.
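To make the proposed fix concrete, here is an added example (my own code, not Facebook's and not part of the original post) of what a people-search endpoint can do on the server side: refuse any query that is shaped like an email address, and count every lookup against a per-caller budget so that bulk enumeration through a single app or user token gets throttled even when the queries are not email-shaped. The user store, the caller ids and the limits are constructed for the example; a real service would back them with its database and its API-key records.

```python
import re
import time
from collections import defaultdict, deque

# Constructed in-memory user store for the example (hypothetical data).
USERS = {
    "alice@example.com": {"id": "1001", "name": "Alice Example"},
    "bob@example.com": {"id": "1002", "name": "Bob Example"},
}

# Deliberately permissive "looks like an address" pattern: local part, an @,
# and a dotted domain. The goal is to recognise address-shaped probes, not to
# validate RFC 5322, so it errs on the side of rejecting.
EMAIL_LIKE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class SearchPolicy:
    """Decides whether a people-search query from a given caller may proceed.

    Two controls, applied in this order:
      1. a sliding-window rate limit per caller (app id or user token), so a
         single authorized caller cannot issue thousands of lookups;
      2. rejection of email-shaped queries, which is the temporary fix the
         post suggests (name search keeps working, address probing does not).
    Rejected email queries still consume budget, so hammering the endpoint
    with addresses is throttled as well.
    """

    def __init__(self, max_calls, window_seconds, clock=time.monotonic):
        self.max_calls = max_calls
        self.window = window_seconds
        self.clock = clock                 # injectable for testing
        self.calls = defaultdict(deque)    # caller id -> recent call timestamps

    def is_email_query(self, query):
        return bool(EMAIL_LIKE.match(query.strip()))

    def allow(self, caller_id, query):
        """Return (allowed, reason) for this caller and query."""
        now = self.clock()
        recent = self.calls[caller_id]
        # Drop timestamps that have fallen out of the window.
        while recent and now - recent[0] > self.window:
            recent.popleft()
        if len(recent) >= self.max_calls:
            return False, "rate_limited"
        recent.append(now)
        if self.is_email_query(query):
            return False, "email_query_rejected"
        return True, "ok"


def search_users(policy, caller_id, query):
    """Name-only people search guarded by the policy above.

    Returns a dict with an 'error' reason (or None) and a 'data' list that
    never carries profile data when the query was refused.
    """
    allowed, reason = policy.allow(caller_id, query)
    if not allowed:
        return {"error": reason, "data": []}
    needle = query.strip().lower()
    hits = [u for u in USERS.values() if needle in u["name"].lower()]
    return {"error": None, "data": hits}


if __name__ == "__main__":
    policy = SearchPolicy(max_calls=5, window_seconds=60)
    for q in ["Alice", "alice@example.com", "bob"]:
        print(q, "->", search_users(policy, "demo-app", q))
```

The order of the two checks matters: with the rate limit evaluated first, a caller that tries address after address burns through its budget on rejected requests and is cut off at the same point as a caller doing legitimate name searches. The limits in the example are small so the behaviour is easy to see; in production they would be tuned to real traffic and paired with logging of callers that repeatedly trip `email_query_rejected`.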
Oh, and also as part of my POC, I devised a script to get emails of those with the facebook.com domain. Here are the results I got in 30 mins of code. (Imagine the implications if I was able to do this on gmail.com, yahoo.com etc. with more time and more server power.) You might even recognize a few of them. Either way, now you could possibly email the Facebookers directly to tell them how you feel about all this.
Vid
Senior Developer
http://www.savantdegrees.com