Facebook Hidden Friends Vulnerability (With “fb-hfc – Facebook Hidden Friends Crawler” - released)
I recently reported a vulnerability to Facebook regarding a privacy issue I thought they should be aware of. The vulnerability allows attackers to discover (more precisely: reconstruct) the private Friends List of any Facebook user.
The vulnerability exists in the “Mutual Friends” section, reached through the following URL (profile.name is the profile whose Friends List is hidden; second.profile is a profile whose Friends List is public):
https://www.facebook.com/profile.name/friends?and=second.profile
Here is Facebook’s explanation of the Mutual Friends feature:
"Mutual friends are the people who are Facebook friends with both you and the person whose Timeline you're viewing. For instance, if you're friends with Chris, and Mark is friends with Chris, then Chris will be shown as a mutual friend when you're viewing Mark's Timeline".
So basically, if two users have mutual friends, those friends will be shown under Mutual Friends, even if one of the two users has marked his/her Friends List as private (so that no one else can see it).
Let’s take two accounts as an example:
The first is user #4 on Facebook (Mark Zuckerberg), who has Friends List privacy turned on; the second is user #5 on Facebook (Chris Hughes), who has a public Friends List. Let’s compare them using the URL: https://www.facebook.com/zuck/friends?and=ChrisHughes
We can see 61 mutual friends between the two profiles. That means Mark has those 61 people as friends, even though his Friends List is private.
So if we follow Facebook’s explanation above (“For instance, if you're friends with Chris, and Mark is friends with Chris, then Chris will be shown as a mutual friend when you're viewing Mark's Timeline”), we can add: “But what if Mark wants his Friends List to remain private?”
When I reported this issue, Facebook responded: “We do not consider this to be a privacy issue. We include this explanation alongside the friend list visibility setting: "Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they'll be able to see it in News Feed, search and other places on Facebook. They'll also be able to see mutual friends on your timeline."”
To me this is like saying: “We have a mechanism named ‘Edit Privacy’, but guess what? You won’t get any privacy.” Maybe Facebook should rename this configuration item to “Edit Display” or something similar, because that is what it actually does.
Let’s say that an attacker wants to get his hands on a certain user’s (“User X”) hidden Friends List using the above vulnerability:
· Using a simple Graph Search, the attacker gathers a list of potential friends of User X based on a common attribute; for example, in the case of user #4 (Mark Zuckerberg): “People who work at Facebook and live in the United States”.
· The attacker then builds a list of all the related users whose Friends List privacy is configured as public (the “Related List”).
· Now the attacker “brute forces” User X’s Friends List by requesting the Mutual Friends URL for User X paired with each user in the Related List.
· The attacker can then repeat the mutual-friends search recursively, using the mutual friends identified in the previous phase whose Friends List is public.
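To make the disclosure rule concrete from a platform designer’s point of view, here is an added example (not the author’s fb-hfc tool and not Facebook’s code) that models the mutual-friends visibility rule on a small constructed social graph. It computes how much of a hidden Friends List becomes inferable under the rule Facebook describes (mutual friends shown whenever the *other* profile’s list is public), and contrasts it with a hypothetical stricter rule, an assumption of this example, under which mutual friends are only shown when both lists are public. All user names and friendships are constructed; the `strict` flag is not a real Facebook setting.

```python
"""Privacy-model check for the mutual-friends disclosure rule on a constructed graph."""

# Constructed toy social graph (assumption: not real accounts).
# Each pair is an undirected friendship.
FRIENDSHIPS = {
    ("x", "a"), ("x", "b"), ("x", "c"), ("x", "d"),
    ("a", "b"), ("a", "c"), ("a", "e"),
    ("b", "c"),
    ("c", "d"),
    ("d", "e"),
}

# Friends List visibility per user: True = public, False = hidden ("Edit Privacy").
LIST_PUBLIC = {"x": False, "a": True, "b": True, "c": False, "d": True, "e": True}


def friends_of(user, edges):
    """All direct friends of `user` in the undirected graph."""
    return {v if u == user else u for u, v in edges if user in (u, v)}


def mutual_friends_visible(target, other, edges, public, strict=False):
    """Mutual friends a third party sees on target's profile with ?and=other.

    strict=False models the rule the page describes: the section is populated
    whenever `other`'s list is public, regardless of `target`'s setting.
    strict=True is a hypothetical mitigation (assumption): both lists must be public.
    """
    if not public[other]:
        return set()
    if strict and not public[target]:
        return set()
    return friends_of(target, edges) & friends_of(other, edges)


def reconstruct_hidden_list(target, candidates, edges, public, strict=False):
    """Union of visible mutual-friend sets, starting from candidate profiles and
    expanding recursively through newly revealed friends whose lists are public
    (the four-step procedure above, with the recursive last step included)."""
    found, queue, seen = set(), list(candidates), set()
    while queue:
        other = queue.pop()
        if other in seen or other == target:
            continue
        seen.add(other)
        mutual = mutual_friends_visible(target, other, edges, public, strict)
        found |= mutual
        queue.extend(m for m in mutual if public[m] and m not in seen)
    return found


def leakage(target, candidates, edges, public, strict=False):
    """Fraction of target's real Friends List that is inferable from the rule."""
    true_friends = friends_of(target, edges)
    found = reconstruct_hidden_list(target, candidates, edges, public, strict)
    return len(found & true_friends) / len(true_friends)


if __name__ == "__main__":
    # x has a hidden list; a single public candidate already leaks most of it.
    print("from [a]:", sorted(reconstruct_hidden_list("x", ["a"], FRIENDSHIPS, LIST_PUBLIC)))
    # e is not even a friend of x, yet its public list leaks x's entire hidden list.
    print("from [e]:", sorted(reconstruct_hidden_list("x", ["e"], FRIENDSHIPS, LIST_PUBLIC)))
    print("leak ratio, current rule:", leakage("x", ["e"], FRIENDSHIPS, LIST_PUBLIC))
    print("leak ratio, strict rule: ", leakage("x", ["e"], FRIENDSHIPS, LIST_PUBLIC, strict=True))
```

The point the model makes is that the hidden setting on user x does not enter the visibility decision at all under the current rule, so the amount leaked depends only on how many nearby profiles keep their lists public. Under the strict variant the same queries return nothing, which is the behaviour a user would reasonably expect from a setting labelled “Edit Privacy”.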
Taking it to the next level: releasing “Facebook Hidden Friends Crawler” (fb-hfc)
I’ve decided to write a POC tool that shows how bad this vulnerability can be for anyone who wants to keep his/her Friends List private.
The tool automates the attack methodology described above (apart from the last, recursive phase). In the first phase it builds the Related List of users; in the second phase it goes through this list to find mutual friends and writes them to an output file.
You can download the code from Github from the following link: