Facebook for Android is vulnerable to a permission issue which allows anyone with physical access to the Android device, to accept friend requests without unlocking the phone. Facebook does not consider this a security issue. Version 29.0.0.29.120 on Android 10 is affected.
e54d6e154978012b0aed910e35f2436d413df80ed4bf904c047a72d72574f97fAuthor - Sivanesh Ashok | @sivaneshashok | stazot.com
Date : 2021-08-03
Vendor : https://facebook.com/
Version : *
Tested on : Version 329.0.0.29.120, Android 10
Last Modified : 2021-08-10
--[ Bug Description
Facebook for Android is vulnerable to a permission issue which allows
anyone with physical access to the Android device, to accept friend
requests without unlocking the phone. The bug works when the device's lock
screen notification setting is set to "Show sensitive content when locked".
The victim user who set "Show sensitive content when locked", would not
know that the app also allows such sensitive action to be performed when
locked.
An attacker who has access to the victim's locked phone will be able to add
the victim as a friend and collect personal information about the victim
such as email, DoB, check-ins, pictures and other information that the
victim shared to be visible only to their friends.
--[ Steps to reproduce
As the attacker:
1. Get your hands on the victim's locked phone.
2. Send friend request to the victim.
3. See the notification about your friend request on the victim's locked
phone.
4. Expand the friend request and touch the Confirm button.
5. Note that you are now friends with the victim.
6. Check the information that the victim has shared only with their friends.
--[ Proof of Concept
Here is a video PoC of this bug - https://youtu.be/RbBspN-0r-U
--[ Responsible Disclosure
I reported the bug to Facebook, and they seem to not consider this a valid
security, "as the user is in control of their notifications and can prevent
this kind of scenarios by adjusting their phone's settings". An interesting
decision, since the user only wants to "Show sensitive content when
locked", and not "Modify sensitive content when locked". Also, other push
notifications on Facebook/Messenger/Instagram do not behave the same. So, I
think it is worth a patch. Wonder if Facebook will consider it a security
risk if it was possible to accept follow requests to a private Instagram
account from a locked phone.
--[ Contact
Name : Sivanesh Ashok
Twitter : @sivaneshashok
Website : https://stazot.com
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed