Facebook: A Privacy Error ??

-

If you want to identify your facebook account there are 3 ways you can Identify yourself:

1. Provide your e-mail ID.
2. Provide your Phone number (If you have given this in you profile).
3. Provide your user ID(your unique id assigned by the facebook).

Screenshot below shows the page (https://www.facebook.com/login/identify?ctx=recover) to identify your account in case you want to recover.


The other way to look into this is this can also be misused to validate someones phone number. Let say my phone number is 9739141XXX. I put it there and I see myself.So the phone number and profile relation can be seen successfully.


But I have kept my privacy settings to most secure that "Only Friends"(shown in screenshot below) can look to my phone numbers. Isn't this is a privacy breach.


But here is the catch.Facebook is smart and keeps the log of Public IPs you are coming from. If you have logged in from the same Public IP before this privacy settings can be bypassed.And hence threat is limited to the users those who are sharing their public IP with others like cyber cafes, corporate offices etc. So if you are coming from a new public IP this is what you will get.


Facebook will confirm that this is a valid FB users number but the phone number and profile relationship can not be established. But this could be used to profile the valid phone numbers. Well I will elaborate on this on my next post.

I reported this issue to Facebook and this is what reply I got after multiple round of communication, discussions. Facebook was keen enough to know it more and the support was quite good.This is the final mail from them:

Hi Shashank,

I believe it is more than just ip but I do know ip is part of it. I believe it is not so much if you are coming from a given IP (cyber cafe in example) right at that moment but if over time we have seen you come from the same computer or ip a number of times.

I believe this to be safe. The worst case scenario here is that in the process of brute-forcing phone numbers you get lucky and run across someone in the same cyber cafe as you, you can learn their first/last name. Since brute-force protections are in place to stop you after some number of requests (1000 would be a reasonable guess) I find this scenario very unlikely.

I appreciate your continued effort with this issue but I dont think this has big security implications.

Thanks,

Emrakul
Security
Facebook










Comments

  1. UnknownDecember 14, 2019 at 4:21 PM

    01797516521

    ReplyDelete
  2. UnknownSeptember 4, 2021 at 10:52 PM

    Please how can I get back my hacked Facebook account the person that hacked it have changed phone number and password

    ReplyDelete
  3. FloxblogAugust 24, 2022 at 10:22 PM

    Owo,Its very informative article, thank you for sharing your valuable information.I have also an article about Facebook privacy.Thank you!!!

    ReplyDelete

Post a Comment

Popular posts from this blog

DevSecOps Expeditions

-
During these lockdown times, when everyone is confined at home, it is a good time for all of us to upgrade our skills. I am a DevSecOps promoter and supported multiple organizations in implementing secure SDLC. I wanted to gain more depth in DevSecOps and was looking a good handon training. That's when I came across this training CDP - Certified DevSecOps Professional ( https://www.practical-devsecops.com/certified-devsecops-professional/ ). The course is beautifully designed to instill relevant concepts in the learner. The course has taken a practical approach to learning. Material is self-explanatory and the learner can take his own time to go through the videos and documents to learn at its own pace. There is a 30-day lab included which can be extended if required. Lab exercises can be practiced and if anywhere you are stuck trainer Imran ( https://twitter.com/secfigo ) himself helps you to get through the obstacles. The course helps to learn to design CICD pipelines using
Read more

Capturing the Naughty app Traffic in Burpsuit

-
Image
While performing the pen-testing of one of banking apps we came across challenge of capturing the traffic in the burp. App being naughty was bypassing burp proxy and we were not able to capture the requests/responses. Reversing the app we came to know it was built on  Xamarain. To proceed with the pentest it was important to capture the requests in the burp proxy. Then we came across following link (Big thanks for this): https://gist.github.com/gameFace22/3afedd1309960249fa7fcb1360e40fd3 And it did work ! Just for my notes keeping the steps. Step 1: Switch off the wifi of the macbook and connect it to your phone hotspot. Connect it either by using cable to by bluetooth. Not by wifi ! Step 2: Go to System preferences-->Sharing-->On the internet sharing. See the pic. The internet which macbook gets from hotspot is shared by macbook. Macbook will start it's own hotspot ! Step 3: Now some command need to run to tell the macbook to route the traffic recei
Read more