Monday, June 24, 2013

Facebook: Where Your Friends Are Your Worst Enemies


Social Networks

If there is one thing everyone takes as common knowledge these days, it's that social networking sites and search engines love to track you. They love every bit of information that you can possibly feed them. They would not be in business without it. But what if, hypothetically, much more data is being shared about you than you realize, and the company storing that data refuses to give you control over it?

There comes a time when a line in the sand must be drawn. We need clearly defined legislation that dictates when that line is crossed and what the repercussions should be. We need to clearly document what is considered sensitive information tied to a personal identity versus what should be considered public domain. It is a very complicated and hard discussion. 

This past week, we learned that Facebook suffered from a rather intrusive information disclosure vulnerability. It could have happened to anyone (LinkedIn, Google), but it happened to them, and could not have happened at a worse time considering the public outcry over violations of privacy. The issue itself was not built with malice in mind; it was simply an oversight. The significance of what it unearthed is the real problem that still remains.

Facebook's longtime motto is "move fast and break things". Well, something broke. According to our conversation with Facebook, the bug has been live since last year. A longtime friend of Packet Storm, someone we will call Michael Fury, provided details on this finding, and we worked with Mr. Fury in conjunction with Facebook to get all the facts. The finding was not some crafty SQL injection issue, nor was it some file inclusion attack. It was a good old-fashioned data-mismanagement leak, and the social networking giant paid out a hefty bug bounty.

We give kudos to Facebook for their handling of the fix and for being very honest with us. They quickly disabled the functionality to mitigate further abuse and pushed a code fix to keep the issue from happening again. In all, 6 million people were affected.

Let's get down to the details of the information disclosure and why this article is so aptly named. Two bits of functionality must be leveraged in order for this to work: the DYI (Download Your Information) functionality and the ability to upload your contacts. The flow is simple. Upload your contacts, then go to Download Your Information under Account Settings and choose the link at the bottom to get your Expanded Dataset. Hours pass, and eventually a link is emailed stating your download is ready. When you open the downloaded archive, there is a file inside called addressbook.html. This file is supposed to house the contact information you uploaded. However, due to a flaw in how Facebook implemented this, it also housed contact information that other users had uploaded for the same person, provided you had one piece of matching data, effectively building large dossiers on people. In our testing, we found that uploading one public email address for an individual could reap a dozen additional pieces of contact information. It should also be noted that this collection applies to all of the data uploaded, regardless of whether or not your contacts are Facebook users. We should step through this problem more clearly.
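The flaw described above comes down to an export that returns a merged, cross-user contact record instead of only the values the requesting user uploaded. The following Python example is an added illustration, not Packet Storm's proof of concept or Facebook's code; the data model, function names, and sample addresses are constructed assumptions.

```python
# Constructed sample data: each upload is (uploader, {contact values for one person}).
UPLOADS = [
    ("alice", {"jdoe@example.com"}),
    ("bob",   {"jdoe@example.com", "+1-555-0100"}),
    ("carol", {"+1-555-0100", "john.private@example.org"}),
    ("dave",  {"someone.else@example.net"}),
]

def build_clusters(uploads):
    """Merge uploads sharing at least one value into one per-person record.
    Each record maps value -> set of uploaders (provenance)."""
    clusters = []
    for uploader, values in uploads:
        merged = {v: {uploader} for v in values}
        rest = []
        for c in clusters:
            if merged.keys() & c.keys():      # one matching value is enough
                for v, owners in c.items():
                    merged.setdefault(v, set()).update(owners)
            else:
                rest.append(c)
        clusters = rest + [merged]
    return clusters

def export_vulnerable(clusters, requester):
    """Flawed export: returns the whole merged record for any person the
    requester uploaded something about, ignoring who supplied each value."""
    return [sorted(c) for c in clusters
            if any(requester in owners for owners in c.values())]

def export_scoped(clusters, requester):
    """Owner-scoped export: only values this requester uploaded."""
    out = []
    for c in clusters:
        mine = sorted(v for v, owners in c.items() if requester in owners)
        if mine:
            out.append(mine)
    return out

def leaked_values(clusters, requester):
    """Regression check: values exported to requester that they never uploaded."""
    seen = {v for rec in export_vulnerable(clusters, requester) for v in rec}
    own = {v for rec in export_scoped(clusters, requester) for v in rec}
    return sorted(seen - own)

if __name__ == "__main__":
    clusters = build_clusters(UPLOADS)
    print("vulnerable:", export_vulnerable(clusters, "alice"))
    print("scoped:    ", export_scoped(clusters, "alice"))
    print("leaked:    ", leaked_values(clusters, "alice"))
```

A check like `leaked_values` belongs in the test suite for any export feature built on de-duplicated or merged records: it must return an empty list for every requester.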

Proof of Concept Use Case

Read more: Packet Storm