The app works on both our phones yet the friends list is empty. And when I ran the application on my phone I did not see his name in the friends list. Does anybody know why I can't see his name on my friends list? But when he clicked Select friends it was still empty. Then, on Eclipse, I ran the application on his phone. I added my brother as a Tester for the app and he clicked accept in his Facebook Developers page. When I click select friends, the list of friends is empty. I successfully completed the Login and Personalize steps. It first creates a Related List of users, and in the second phase, searches through this list to find mutual friends, resulting in an output file with a complete friends list. I am following the Facebook SDK Scrumptious tutorial. The tool automates the attack methodology described above (apart from the last recursive phase). To drive the point home, I wrote a POC tool that shows how easy it is for anyone to hack your hidden friends list. Introducing “Facebook Hidden Friends Crawler” (fb-hfc) Repeat the search for mutual friends, with the mutual friends accounts identified (in previous phase), whose Friends List is public. Run a “brute force” search to cross-reference with Mark’s Friends List, using the Mutual Friends URL for each of the related users. Create a list of all the related users who have their Friends List privacy settings configured as public. For the case of User#4 (Mark Zuckerberg), we want to find people that work at Facebook and live in United States. A simple graph search gathers a list of potential friends for Mark based on a common feature. So the next obvious step is to run a query that exposes Mark’s entire friends list. My job is to figure out how attackers could access data they’re not supposed to. Couldn’t Facebook just call this “Display Settings”? But I’m not an interface designer.
They’ll also be able to see mutual friends on your timeline.’ Basically, Facebook is saying: “You can edit your privacy settings, but they’re not really privacy settings”. If people can see your friendship on another timeline, they’ll be able to see it in News Feed, search and other places on Facebook. We include this explanation alongside the friend list visibility setting: ‘Remember: Your friends control who can see their friendships on their own timelines. We do not consider this to be a privacy issue. Huh? Didn’t Mark explicitly choose to keep his friends list hidden? Here’s what Facebook had to say: Follow this link: As we can see, Chris shares 61 mutual friends with Mark (which of course means Mark has those 61 friends as well). Here’s where it gets interesting – what if we wanted to see the friends both Chris and Mark share? No problem. So while the company’s CEO prefers to keep his friends list hidden, Chris is OK with sharing his list with the public (you and me). The first one is Facebook Founder and CEO Mark Zuckerberg (user #4) whose friend list privacy settings are switched on, and the second member is co-founder Chris Hughes (user number #5) whose friend list is public. Let’s look at two Facebook members as an example: So if two Facebook members share the same friends, these friends will appear on the Mutual Friends list even if that member chose to keep the Friends List hidden (for no one else to see). For instance, if you’re friends with Chris, and Mark is friends with Chris, then Chris will be shown as a mutual friend when you’re viewing Mark’s Timeline. Mutual friends are the people who are Facebook friends with both you and the person whose Timeline you’re viewing.
Here is Facebook’s explanation of the Mutual Friends feature: (Hidden Friends Profile)/friends?and=second.profile(Public Friends Profile) The vulnerability exists in the “Mutual Friend” section, in the following URL: Since we last reported a vulnerability to Facebook regarding the Mutual Friends List privacy settings, it appears little has changed. The vulnerability allows attackers to discover, or more precisely, reconstruct the private Friends List of any Facebook user. Facebook Hidden Friends Vulnerability (With “fb-hfc – Facebook Hidden Friends Crawler” – released)