Last weekend I was lucky to notice an online "hacker" challenge - Miracle on Thirty-Hack Street. I thought, let me try this challenge… I started solving the puzzle and then I got more than a solution to the task. The final conclusion was the following: I have no privacy from FQL developers on Facebook (anyone with a Facebook account can use FQL). They can see my data without being in my friend list… :(
Let's say there are Person A, Person B, Person C, Person D, Person E … on Facebook and they are connected in the following way:
Person A is friend with Person B, but not with Person C, Person D and Person E
Person B is friend with Person C, but not with Person D and Person E
Person C is friend with Person D, but not with Person E
Person D is friend with Person E
All of the persons are standard Facebook users, they don't have any mandatory applications installed on their accounts and they have locked their profiles to be viewed only by their friends.
This means that Person A can see information only for Person B.
"<=>" - can see profile and shared information.
Person B <=> Person C
Person C <=> Person D
Person D <=> Person E
What does the security flaw allow Person A to do? With the current security settings on FQL (Facebook Query Language), Person A is allowed to see all the information from Person C, Person D and Person E!!!
Wow, this is a huge security flaw that leads us to the conclusion: I don't have privacy from any of the Facebook developers that use FQL!!! They are able to create an FQL statement that will provide them my Facebook information if they manage to find/create the chain described in the image above. Then I understood that all of the friends of my friends who understand FQL can see all of my protected data…
Proof of the previous:
Let's say I'm Person A and, as above, I'm a friend of Person B. I'm not a friend of Person C but I want to see his data: his status messages, his photo albums and pictures, notes, … All I need then is the following: the ID numbers of their accounts.
What is the ID of the account/user? A Facebook URL has the following structure, www.facebook.com/profile.php?ref=name&id=this_number_is_user_id, and can be viewed by everyone. Just go to Person B's friend list and mouse over the Person C link. In the status bar of the browser you will be able to see his/her user_ID. Now that I have the needed info I can do the following:
Info I have:
Person A : user_A_id
Person B : user_B_id
Person C : user_C_id
I want to see Person C's albums, if there are any. After executing the following FQL I'll have the needed information:
select aid, cover_pid, name, created, description, location, size, link, visible, type
from album
where owner in (
    select uid1 from friend
    where uid1 = user_C_id ( this is the victim and I want his data without being friend )
    and uid2 in (
        select uid1, uid2 from friend
        where uid1 = user_A_id ( this is me )
        and ( uid2 = user_B_id ( this is my friend ) or uid1 = user_B_id ( this is my friend ) )
    )
)
I have Person C's photo album IDs, so now I can create a statement for getting the victim's images in them.
Note: Permissions on the albums don't change anything!!! (I can't see the profile from a browser or get any info from it - just add as friend)
What does this mean? I can take absolutely all of the data from Person C only because Facebook understands the following:
I have a valid session for executing the query because I have included my ID and performed an allowed query for my friend Person B, but the platform doesn't check that I have included a forbidden resource. (Yup, I can't discover it from the Facebook frontend.)
Then I can access only allowed data (mine and allowed data from my friends) - fail! I can take Person C's data. (Yup, I can't see anything from the FB web interface.)
With the previous statement I connect the uid from the albums table with the uid of the victim. This is an example with Person A, Person B and Person C, but the previous example gives us a way to make/find an unlimited chain of users and get their personal info not shared with us.
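A toy model of the authorization gap described above, next to a per-row check that closes it. This is an added example, not code from the post and not Facebook's implementation; the friend graph follows the Person A to Person E chain, and the album rows, visibility values and function names are constructed for illustration.

```python
# Constructed friend graph from the post: A-B, B-C, C-D, D-E.
FRIENDS = {frozenset(p) for p in [("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")]}

# Constructed album rows; "visible" stands in for the album table's visible column.
ALBUMS = [
    {"aid": 1, "owner": "B", "visible": "friends"},
    {"aid": 2, "owner": "C", "visible": "friends"},
    {"aid": 3, "owner": "C", "visible": "everyone"},
    {"aid": 4, "owner": "E", "visible": "friends"},
]


def are_friends(u, v):
    return frozenset((u, v)) in FRIENDS


def query_albums_session_only(viewer, owner, via_friend):
    """Flawed check as the post describes it: the query is accepted because it
    contains a relationship the viewer is allowed to read (viewer <-> via_friend),
    and the rows for `owner` are then returned without checking them."""
    if not are_friends(viewer, via_friend):
        raise PermissionError("query does not reference one of the viewer's friends")
    return [a["aid"] for a in ALBUMS if a["owner"] == owner]


def can_view(viewer, album):
    """Per-row rule: decided only by the viewer's relation to the row's owner."""
    owner = album["owner"]
    if viewer == owner or album["visible"] == "everyone":
        return True
    return album["visible"] == "friends" and are_friends(viewer, owner)


def query_albums_row_checked(viewer, owner):
    """Hardened form: every candidate row is filtered against the session's
    viewer, no matter which other subqueries the statement contained."""
    return [a["aid"] for a in ALBUMS if a["owner"] == owner and can_view(viewer, a)]


if __name__ == "__main__":
    print("session-only check, A asks for C via B:", query_albums_session_only("A", "C", "B"))
    print("row-checked,        A asks for C:      ", query_albums_row_checked("A", "C"))
    print("row-checked,        B asks for C:      ", query_albums_row_checked("B", "C"))
```

With the per-row filter, Person A still receives Person C's album that is visible to everyone, which is worth ruling out before concluding that a restricted album leaked.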
For extra information for testing I'll point all of you to these pages:
and, of course, the tool for trying the FQL statements:
http://developers.facebook.com/tools.php (API test console, choose method fql.query). Write your query in the text area and see your results.
At this moment I'm going to poke the FB service about this security flaw, so they can react and we can "live" in a safer community without mean web developers looking at everyone's photos :)
Nice research, I'd definitely try it when I need some Facebook user's info, or if someone pays cash for info :)
You're a beast, bravo, mkdot.net is proud of you
thx to all! Just to make things much more clear :) The query presented will work only in one case. What is the case?! :) I didn't post that info just to prevent getting personal information from "protected" users :) Any FB developer will understand the catch in seconds.
It doesn't work!!!
It works; check the previous comment, explore a bit and analyze the friends table. :) I hope you will get the point
Now it's fixed, really?
I'm testing this and so far it's not working for me if the photo album visibility is set to "Only Friends"... are you still seeing it?
If your original test was on the photo albums for Kris Cringle in the challenge, those have visibility set to "Everyone" as I recall - I pulled them up without friending Fred Gailey.
Just saw your comment - I wish that had been made clearer. I'll keep investigating.
Would you mind e-mailing a working FQL query to firstname.lastname@example.org? I will give all credit to you, I just want to confirm this before I post on it.
After more investigation...
@slavoc, how is this different from executing the query "SELECT aid, cover_pid, name, created, description, location, size, link, visible, type FROM album WHERE owner=user_C_id"? If Person C sets the visibility on their photo albums (via www.facebook.com/privacy) to "Only Friends", the albums will not be returned by the query. FQL queries only rely on the session making the request - I don't see how adding other queries would somehow spoof another session...
That last link should have been www.facebook.com/privacy/ followed by ?view=photos