Making Facebook secure place - FQL security issue
Last weekend I was lucky to notice an online “hacker” challenge - Miracle on Thirty-Hack Street. I thought, let me try this challenge …
I started solving the puzzle and ended up with more than a solution to the task. The final conclusion was the following:
I have no privacy from FQL developers on Facebook ( anyone with a Facebook account can use FQL ). They can see my data without being in my friend list … :( .
Let's say there are Person A, Person B, Person C, Person D, Person E … on Facebook and they are connected in the following way:
Person A is friends with Person B, but not with Person C, Person D and Person E
Person B is friends with Person C, but not with Person D and Person E
Person C is friends with Person D, but not with Person E
Person D is friends with Person E
…
All of these people are standard Facebook users; they don't have any mandatory applications installed on their accounts, and they have locked their profiles to be viewed only by their friends.
This means that Person A can see the information of Person B only.
“<=>” - can see profile and shared information.
Person B <=> Person C
Person C <=> Person D
Person D <=> Person E
What does the security flaw allow Person A to do?
With the current security settings on FQL ( Facebook Query Language ), Person A is allowed to see all the information of Person C, Person D and Person E !!!
Wow, this is a huge security flaw that leads us to the conclusion: I don't have privacy from any of the Facebook developers that use FQL !!!
They are able to create an FQL statement that will give them my Facebook information if they manage to find/create the chain described in the image above. From this I understand that all friends of my friends who understand FQL can see all of my protected data …
Proof of the previous:
Let's say I'm Person A and, as above, I'm a friend of Person B. I'm not a friend of Person C, but I want to see his data: his status messages, his photo albums and pictures, notes, …
All I need then is the following – the ID numbers of their accounts.
What is the ID of an account / user? Facebook URLs have the following structure: www.facebook.com/profile.php?ref=name&id=this_number_is_user_id, and can be viewed by everyone. Just go to Person B's friend list and mouse over the Person C link. In the status bar of the browser you will be able to see his/her user_ID. Now that I have the needed info I can do the following:
Info I have:
Person A : user_A_id
Person B : user_B_id
Person C : user_C_id
I want to see Person C's albums, if there are any. After executing the following FQL I'll have the needed information:
select aid, cover_pid, name, created, description, location, size, link, visible, type
from album
where owner in (
    select uid1
    from friend
    where uid1 = user_C_id ( this is the victim and I want his data without being friend )
    and uid2 in (
        select uid1, uid2
        from friend
        where uid1 = user_A_id ( this is me )
        and (
            uid2 = user_B_id ( this is my friend )
            or
            uid1 = user_B_id ( this is my friend )
        )
    )
)
Perfect !!!
I have the IDs of Person C's photo albums, so now I can create a statement for getting the victim's images in them.
Note: Permissions on the albums doesn't change nothing!!!
( I can't see the profile from a browser or get any info from it - I can only add as friend )
What does this mean? I can take absolutely all of the data from Person C only because Facebook understands the following:
I have a valid session for executing the query because I have included my ID and perform an allowed query for my friend Person B, but the platform doesn't check that I have included a forbidden resource. ( yup, I can't discover it from the Facebook frontend )
So I should be able to access only allowed data ( mine and the allowed data of my friends ) - fail! I can take Person C's data. ( yup, I can't see anything from the FB web interface )
With the previous statement I connect the uid from the albums table with the uid of the victim. This is an example with Person A, Person B and Person C, but it gives us a way to make/find an unlimited chain of users and get their personal info that is not shared with us.
For extra information for testing, I'll point all of you to these pages:
http://wiki.developers.facebook.com/index.php/FQL_Tables
and of course the tool for trying out FQL statements:
http://developers.facebook.com/tools.php ( API test console; choose the method fql.query ). Write your query in the text area and see your results.
At this moment I'm going to poke the FB service about this security flaw, so they can react and we can “live” in a safer community without mean web developers looking at everyone's photos :) .
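The check the post says is missing, sketched as an added example (not code from the original post and not Facebook's implementation): a toy query layer where every candidate row is authorized against the session's viewer, however the owner ID was derived. The sample data, the function names and the three visibility labels (modelled on the settings named in the comments) are assumptions.

```python
# Constructed sample data: the A-B-C-D-E friendship chain from the post.
FRIENDS = {("A", "B"), ("B", "C"), ("C", "D"), ("D", "E")}

# Constructed albums; "visible" uses the three settings named in the comments.
ALBUMS = [
    {"aid": 1, "owner": "C", "visible": "friends"},
    {"aid": 2, "owner": "C", "visible": "friends-of-friends"},
    {"aid": 3, "owner": "D", "visible": "friends"},
    {"aid": 4, "owner": "E", "visible": "everyone"},
]

def are_friends(x, y):
    return (x, y) in FRIENDS or (y, x) in FRIENDS

def friends_of(uid):
    return {b if a == uid else a for a, b in FRIENDS if uid in (a, b)}

def can_view(viewer, album):
    """Per-row authorization, decided only from the session's viewer."""
    owner, level = album["owner"], album["visible"]
    if viewer == owner or level == "everyone":
        return True
    if are_friends(viewer, owner):
        return True  # both restricted levels include direct friends
    if level == "friends-of-friends":
        return any(are_friends(f, owner) for f in friends_of(viewer))
    return False

def nested_owner_ids(viewer, via_friend, target):
    """Mimics the post's nested IN clauses: yields the target's ID only
    when viewer-via_friend and via_friend-target friendships both exist."""
    if are_friends(viewer, via_friend) and are_friends(via_friend, target):
        return {target}
    return set()

def query_albums(viewer, owner_ids):
    """Hypothetical query endpoint: owner_ids may come from any subquery,
    but each row is still filtered against the viewer before it is returned."""
    return [a["aid"] for a in ALBUMS
            if a["owner"] in owner_ids and can_view(viewer, a)]
```

With the filter applied per row, routing the owner ID through the friend table returns exactly what a direct `owner = ...` query returns for the same session.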
# re: Making Facebook secure place - FQL security issue
top
# re: Making Facebook secure place - FQL security issue
Bravo, bro
# re: Making Facebook secure place - FQL security issue
Nice research, I'd surely try it when I need some Facebook user's info or if someone pays cash for info :)
# re: Making Facebook secure place - FQL security issue
Well done
# re: Making Facebook secure place - FQL security issue
bravo
# re: Making Facebook secure place - FQL security issue
You're a beast, bravo, mkdot.net is proud of you
# re: Making Facebook secure place - FQL security issue
thx to all! Just to make things much more clear :) . Query presented will work only in one case. What is the case ?! :) I didn't post that info just to prevent getting personal information from "protected" users :). Any FB developer will understand the catch in seconds.
# re: Making Facebook secure place - FQL security issue
It doesn't work!!!
# re: Making Facebook secure place - FQL security issue
Works, check previous comment and explore a bit and analyze friends table. :) I hope you will get a point
# re: Making Facebook secure place - FQL security issue
Now it's fixed really?
# re: Making Facebook secure place - FQL security issue
I'm testing this and so far it's not working for me if the photo album visibility is set to "Only Friends"... are you still seeing it?
If your original test was on the photo albums for Kris Cringle in the challenge, those have visibility set to "Everyone" as I recall - I pulled them up without friending Fred Gailey.
# re: Making Facebook secure place - FQL security issue
Just saw your comment - I wish that had been made clearer. I'll keep investigating.
# re: Making Facebook secure place - FQL security issue
Would you mind e-mailing a working FQL query to theharmonyguy@gmail.com? I will give all credit to you, I just want to confirm this before I post on it.
# re: Making Facebook secure place - FQL security issue
After more investigation...
@slavco, how is this different from executing the query "SELECT aid, cover_pid, name, created, description, location, size, link, visible, type FROM album WHERE owner=user_C_id"? If Person C sets the visibility on their photo albums (via www.facebook.com/privacy) to "Only Friends", the albums will not be returned by the query. FQL queries only rely on the session making the request - I don't see how adding other queries would somehow spoof another session...
# re: Making Facebook secure place - FQL security issue
That last link should have been www.facebook.com/privacy/ followed by ?view=photos
# re: Making Facebook secure place - FQL security issue
please see conditions under www.ethicalhacker.net/.../2 try to solve the puzzle and you will get the point. That was my inspiration to go deep into this :)
# re: Making Facebook secure place - FQL security issue
@theharmonyguy please note that including my ID into query I make valid session on the platform ;)
# re: Making Facebook secure place - FQL security issue
@slavco In your post you said this:
"Note: Permissions on the albums doesn't change nothing!!!"
However, my testing is showing that permissions on the albums is everything. If I set an album to "Only Friends," I can't get this to work. If you're talking about albums that are set to "Friends of Friends" or "Everyone," then I don't see what you've proven.
btw I've already solved the challenge and am still not seeing the point. Also, every query is tied to the ID of the session making the request - if I use the Test Console while logged in as Person A, all queries are made as if from Person A.
# re: Making Facebook secure place - FQL security issue
ok,
think little!
what info holds friends table ?
What is the info we can get from that table and please check the challenge www.ethicalhacker.net/.../2
ofc if you understand what they say there !!!
# re: Making Facebook secure place - FQL security issue
@theharmonyguy sorry for 2 reasons :
1. my "wooden" English
2. didn't read your answer carefully.
I have altered the text to give 2/3 extra pieces of information and I don't want to expose the answer until the challenge ends.
# re: Making Facebook secure place - FQL security issue
I solved the challenge as well and have to side with HarmonyGuy, and also don't understand what this is supposed to achieve. My guess is that all the nested IN statements somehow "export" (to coin a phrase) the trust between User A and User C to allow me to see User D. I can't make the query work to do that either. It works just fine to see User C's data, but then, there is an easier way to do that:
select pid, aid, owner, src_big, link, caption from photo where aid in (select aid from album where owner = 'UserC-ID')
Perhaps I am missing something fundamental, but I don't see why we need to use the IN ( SELECT uid1,uid2... portion of the queries.
Anyone have more clarity?
# re: Making Facebook secure place - FQL security issue
@slavco From seeing your updates, I think you may be highlighting Facebook's "security through obscurity." Just because certain information is not easily accessed through Facebook's web interface does not mean it's completely protected. I discussed this on my blog regarding photo albums (theharmonyguy.com/.../with-facebook-privacy-everyone-means-everyone) and friend lists (theharmonyguy.com/.../easily-view-hidden-facebook-friend-lists).
What you're loading through FQL queries may not show up in Facebook's web interface, but is still consistent with the permissions set by the user who owns the content.
# re: Making Facebook secure place - FQL security issue
This doesn't seem to work on protected albums. I think it returns the same results as that bookmarklet that's been going around... please correct me if I'm wrong!
# re: Making Facebook secure place - FQL security issue
there is no problem here. of course fb developers can create queries...
# re: Making Facebook secure place - FQL security issue
Greetings!
This article does not appear to show any security issue with FQL.
# re: Making Facebook secure place - FQL security issue
None of these queries worked for me if anyone in the chain is not my friend.
Perhaps whoever ran this A-B-C example query didn't take into account that C may have recently opened their profile to "friends of friends", and the A-B-C-D one didn't work for me (or crucial info is being omitted for all this to work).
Keep in mind that Facebook recently went through a transition between the old and new privacy settings scheme, during which some users, through mere carelessness, left their profiles too open.
# re: Making Facebook secure place - FQL security issue
Surely you haven't obtained anything either, and you're just bluffing...
# re: Making Facebook secure place - FQL security issue
Your blog keeps getting better and better! Your older articles are not as good as newer ones you have a lot more creativity and originality now keep it up!
# re: Making Facebook secure place - FQL security issue
Response is norway !
# re: Making Facebook secure place - FQL security issue
I read with pleasure your article thanks
# re: Making Facebook secure place - FQL security issue
I cannot believe this will work!
# re: Making Facebook secure place - FQL security issue
can be done by modifying a web url as well ...not just through fql
Yes, the article raises the concerns of the new privacy feature, but no, it's not a security issue, as it's based around settings and requires a half-trusted connection, i.e. they are still a friend of a friend. You can't create an account and just visit someone's protected information; you require a base link.
# re: Making Facebook secure place - FQL security issue
Great idea, thanks for this tip!
# re: Making Facebook secure place - FQL security issue
I tested; while it returns results, I'm not sure it's highlighting a permissions issue with Facebook. I can still only see albums set with 'Everyone' and Friends of Friends permissions, and cannot see ones where settings are correct.