Facebook: Where Your Friends Are Your Worst Enemies
Posted Jun 21, 2013
Source Packet Storm

Packet Storm has spent 15 years shedding light on dark subject matter. We strongly believe that it is in the interest of the public to give them the facts and let them know the details. The debate over privacy and the extensive overreach by government entities is currently a hot topic in the media and today's announcement will not make anyone feel any better about the situation. However, it does set the stage for a much larger discussion that must be had on a national and global scale.



Social Networks

If there is one thing everyone takes as common knowledge these days, it is that social networking sites and search engines love to track you. They love every bit of information you can possibly feed them; they would not be in business without it. But what if, hypothetically, far more data about you is being shared than you know, and the company storing that data refuses to give you any control over it?

There comes a time when a line in the sand must be drawn. We need clearly defined legislation that dictates when that line is crossed and what the repercussions should be. We need to clearly document what is considered sensitive information tied to a personal identity versus what should be considered public domain. It is a very complicated and hard discussion.

This past week, we learned that Facebook suffered from a rather intrusive information disclosure vulnerability. It could have happened to anyone (LinkedIn, Google), but it happened to them, and it could not have happened at a worse time given the public outcry over violations of privacy. The issue itself was not built with malice in mind; it was simply an oversight. The real problem, which still remains, is the significance of what it unearthed.

Facebook's long-time motto is "move fast and break things". Well, something broke. According to our conversation with Facebook, the bug had been live since last year. A long-time friend of Packet Storm, someone we will call Michael Fury, provided details on the finding, and we worked with Mr. Fury in conjunction with Facebook to get all the facts. The finding was not some crafty SQL injection issue, nor was it a file inclusion attack. It was a good old-fashioned data-mismanagement leak, and the social networking giant paid out a hefty bug bounty.

We give kudos to Facebook for their handling of the fix and for being very honest with us. They quickly disabled the functionality to mitigate further abuse and pushed a code fix to keep the issue from recurring. In all, 6 million people were affected.

Let's get down to the details of the information disclosure and why this article is so aptly named. Two bits of functionality must be combined for this to work: the DYI (Download Your Information) feature and the ability to upload your contacts. The flow is simple. Upload your contacts, then go to Download Your Information under Account Settings and choose the link at the bottom to request your Expanded Dataset. Hours pass, and eventually an email arrives stating that your download is ready. Inside the downloaded archive is a file called addressbook.html. This file is supposed to contain only the contact information you uploaded. Due to a flaw in how Facebook implemented it, however, it also contained contact information that other users had uploaded for the same person, provided the two uploads shared a single matching piece of data (such as an email address). The effect is that the feature builds large dossiers on people. In our testing, uploading one public email address for an individual could reap a dozen additional pieces of contact information. Note also that this applies to all of the uploaded data, regardless of whether or not the contacts are Facebook users. Let us step through the problem more clearly.

Proof of Concept Use Case

1. Bob is done with Eve. They dated 3 years ago and their break up was not amicable. Ever since, Eve has worked hard to make Bob's life hell. She threatens him over email, adds his email address to various spam lists, and spoofs mail as him to his friends telling them to never talk to him again. She posts his phone numbers to the casual encounters section of Craigslist and he spends half his days being harassed by disturbed individuals with weird fetishes. Bob lives in misery. It is obvious that the restraining order isn't working. He decides to change all of his phone numbers and email addresses, and contacts his friend Alice to give her his new information. Unfortunately, Alice just adds his new contact information into her phone alongside the other records she has for Bob.

2. Alice uploads her contact list into Facebook. Her contact information for Bob includes his old email address, bob@widgets.xy, and his new email address, bob@eveisevil.xy. It also has his new phone numbers.

3. Eve uploads her contact list into Facebook. Her contact information for Bob simply includes his old email address, bob@widgets.xy.

4. Eve downloads her expanded dataset. Because both uploads contain the same matching piece of information, bob@widgets.xy, Facebook automatically maps Alice's newer information for Bob onto that address. Eve's addressbook.html therefore contains not only bob@widgets.xy but also bob@eveisevil.xy and his new phone numbers. The cycle continues. You can run, Bob, but you can never hide.
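To make the mechanism concrete, the following is a small model of the flawed export logic beside the corrected one. It is an added illustration written for this article, not Facebook's code, and Facebook has not published how its matching worked: the merge rule (any shared email address or phone number collapses two uploaded records into one identity), the uploaders alice, eve and carol, and their contact data are all constructed assumptions that mirror the Bob/Alice/Eve scenario above.

```python
from collections import defaultdict

# Constructed sample uploads (hypothetical). Each uploader maps to the
# contact records from their uploaded address book.
UPLOADS = {
    "alice": [
        {"name": "Bob",
         "emails": {"bob@widgets.xy", "bob@eveisevil.xy"},
         "phones": {"555-0100", "555-0199"}},
    ],
    "eve": [
        {"name": "Bob", "emails": {"bob@widgets.xy"}, "phones": set()},
    ],
    "carol": [
        {"name": "Dave", "emails": {"dave@example.xy"}, "phones": {"555-0155"}},
    ],
}


def _match_keys(record):
    """Identifiers records are assumed to be matched on: any email or phone."""
    return ({("email", e) for e in record["emails"]}
            | {("phone", p) for p in record["phones"]})


def merge_identities(uploads):
    """Collapse every uploaded record that shares an email or phone with
    another into a single merged identity (union-find over the match keys).

    Returns (records, group_of, groups): the flat record list, a map from
    record index to group id, and the merged field sets per group."""
    records = [(owner, rec) for owner, recs in uploads.items() for rec in recs]
    parent = list(range(len(records)))

    def find(i):
        while parent[i] != i:
            parent[i] = parent[parent[i]]
            i = parent[i]
        return i

    first_seen = {}
    for i, (_, rec) in enumerate(records):
        for key in _match_keys(rec):
            if key in first_seen:
                parent[find(i)] = find(first_seen[key])  # union with earlier record
            else:
                first_seen[key] = i

    groups = defaultdict(lambda: {"emails": set(), "phones": set(), "uploaders": set()})
    group_of = {}
    for i, (owner, rec) in enumerate(records):
        g = find(i)
        group_of[i] = g
        groups[g]["emails"] |= rec["emails"]
        groups[g]["phones"] |= rec["phones"]
        groups[g]["uploaders"].add(owner)
    return records, group_of, dict(groups)


def export_leaky(uploads, user):
    """The flawed behaviour: the export for `user` is built from the merged
    identity, so it carries every field any other uploader contributed."""
    records, group_of, groups = merge_identities(uploads)
    out = []
    for i, (owner, rec) in enumerate(records):
        if owner == user:
            g = groups[group_of[i]]
            out.append({"name": rec["name"],
                        "emails": set(g["emails"]), "phones": set(g["phones"])})
    return out


def export_fixed(uploads, user):
    """The intended behaviour: the export contains only what `user` uploaded.
    Whatever merging happens server-side never reaches the archive."""
    return [{"name": r["name"], "emails": set(r["emails"]), "phones": set(r["phones"])}
            for r in uploads.get(user, [])]


def leaked_fields(uploads, user):
    """Fields in the leaky export that `user` never uploaded, i.e. the leak."""
    leaked = {"emails": set(), "phones": set()}
    for merged, own in zip(export_leaky(uploads, user), export_fixed(uploads, user)):
        leaked["emails"] |= merged["emails"] - own["emails"]
        leaked["phones"] |= merged["phones"] - own["phones"]
    return leaked


if __name__ == "__main__":
    print("Eve's leaky export:", export_leaky(UPLOADS, "eve"))
    print("Eve's fixed export:", export_fixed(UPLOADS, "eve"))
    print("Leaked to Eve:     ", leaked_fields(UPLOADS, "eve"))
```

Run as a script, the model shows Eve's single old address pulling in Bob's new address and both new phone numbers, while Carol, whose contact shares nothing with anyone, receives nothing extra. The fix is not to stop merging (the merge is what powers friend suggestions) but to key the export on the uploader's own records rather than on the merged identity.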

Facebook never intended for this to happen; the correct behavior is that you can only view the contact information you yourself uploaded. Throughout the ordeal we had a very open dialog with them and, to their credit, they agreed to answer some questions about the issue, and both sides agreed on a joint disclosure.

Facebook's Responses

The team at Packet Storm knows multiple people wearing various hats at Facebook. There is no question that a primary goal of the company is to protect their user base. They take this very seriously. After all, without the trust of their users, they have no company.

It was clear that Facebook attacked the disclosure flaw properly, but concerns remain about the fact that dossiers are being built on everyone possible. We had to ask hard questions. The fact that I have no control over additional email addresses and phone numbers added to their data store about me is frightening. The questions we asked were very much to the point, but carefully constructed to reflect an equal balance between usability and user safety. After all, my personal safety is paramount at Facebook, right?

Maybe not. Our first question was whether, in the name of common decency and privacy, Facebook would ever commit to automatically discarding information about individuals who do not have a known Facebook account, possibly aging it out after X days if they do not respond to an invite triggered by a friend uploading their information without their knowledge.

Their response was essentially that they think of contacts imported by a user as that user's data, which the user may do with as they please. To clarify: it is not your data, it is your friend's. We went on to ask whether Facebook would commit to a privacy setting dictating that Facebook automatically delete any and all data uploaded about me via third parties ("friends") that is outside the scope of what I have shared on my profile (and is therefore, by proxy, out of band from my privacy settings).

We were met with essentially the same reasoning as above, and in their wording they actually went as far as claiming that doing so would be a freedom of speech violation.

Freedom of Speech

Using the freedom of speech angle shirks responsibility, and it is sad to see that this is their best defense for inaction. The request for privacy controls around my personal data does not seem unreasonable. For one, a contact list may be my friend's list, but the data in it is mine. When Facebook stores a credit card number for me, I am certain they understand very clearly that it is my data and that they are its custodian. The same should apply to a contact list uploaded by someone else. It is still my PII (Personally Identifiable Information) regardless of who puts it there, and Facebook is still correlating it to my identity, ready to be compromised by malicious parties.

It is now publicly known that Facebook has all of this correlated information (or if it does not now, it can), and everyone (read: governments and criminals alike) is going to aim for it, whether legally or illegally. Even if Facebook's security never has a flaw again, they still have to contend with the fact that they have thousands of employees, and it takes just one person to leverage this data for malice. Basic takeaway: Facebook feels that your friends should have more control over your data than you do. This is not the first time this issue has been pointed out. Twitter is not much better, but at least they purge the data after 18 months, so why can't Facebook?

This disclosure is not meant to cast a negative light on Facebook. I am a fan and a user of the site, as are many close family members and friends. However, this handling of personal data makes me fear for everyone's safety. I would consider deleting my account, but since this affects me regardless of whether or not I am a user, that decision would be an exercise in futility. I hope that Facebook takes the adverse effects of this behavior into account and brings our questions back to the decision-making table. They have the ability to make a really positive change that sets the standard in the valley for security of user data. Alternatively, another social networking site might take this opportunity to highlight that this behavior will not happen on its systems, and a mass exodus from Facebook may occur, though we doubt that very much. What we need is for governments to enact legislation that forces the hand, but given recent news items in the United States, it is clear that not all governments are making this a top priority. Maybe they will reconsider once they realize this could be used against everyone, themselves included. If nothing else, we hope that explaining the concern reignites the discussion of corporate responsibility in social networks.

To sum up, an information leak in Facebook has highlighted the dangers of hoarding user data. Facebook reacted to the incident responsibly and fixed the leak. What is not fixed is their policy. They will continue to maintain dossiers with your personal information without giving you any control over it, simply claiming it is not your data, it is your friend's. Facebook claims they will not disclose this additional information to the government when requests are received, but it still has the world's largest target painted on it, asking for trouble.

tags | headline, government, privacy, email, phone, data loss, flaw, facebook, social, twitter, nsa

Comments (2)

Comment by todd (admin), 2013-06-26 17:53:08 UTC:

Follow-up story here: packetstormsecurity.com/news/view/22727/Fac…

Comment by ironbits, 2013-10-04 19:24:25 UTC:

very interesting!

© 2016 Packet Storm. All rights reserved.
