Facebook Hidden Friends Vulnerability (With “fb-hfc" released)

Facebook Hidden Friends Vulnerability (With “fb-hfc – Facebook Hidden Friends Crawler”  - released)

Since we last reported a vulnerability to Facebook regarding the Mutual Friends List privacy settings, it appears little has changed. The vulnerability allows attackers to discover, or more precisely, reconstruct the private Friends List of any Facebook user.

The vulnerability exists in the “Mutual Friend” section, in the following URL:
https://www.facebook.com/profile.name(Hidden Friends Profile)/friends?and=second.profile(Public Friends Profile)

Here is Facebook's explanation of the Mutual Friends feature:

Mutual friends are the people who are Facebook friends with both you and the person whose Timeline you’re viewing. For instance, if you’re friends with Chris, and Mark is friends with Chris, then Chris will be shown as a mutual friend when you’re viewing Mark’s Timeline

So if two Facebook members share the same friends, these friends will appear on the Mutual Friends list even if that member chose to keep the Friends List hidden (for no one else to see).

Let’s look at two Facebook members as an example:

The first one is Facebook  Founder and CEO Mark Zuckerberg (user #4) whose friend list privacy settings are switched on, and the second member is co-founder Chris Hughes (user number #5) whose friend list is public. 

So while the company's CEO prefers to keep his friends list hidden, Chris is OK with sharing his list with the public (you and me). Here's where it gets interesting - what if we wanted to see the friends both Chris and Mark share? No problem. Follow this link: 
https://www.facebook.com/zuck/friends?and=ChrisHughes

As we can see, Chris shares 61 mutual friends between with Mark (which of course means Mark has those 61 friends as well).

Official Facebook Response

Huh? Didn't Mark explicitly choose to keep his friends list hidden? Here's what Facebook had to say:

We do not consider this to be a privacy issue. We include this explanation alongside the friend list visibility setting: ‘Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they’ll be able to see it in News Feed, search and other places on Facebook. They’ll also be able to see mutual friends on your timeline.’

Basically, Facebook is saying: "You can edit your privacy settings, but they're not really privacy settings". Couldn't Facebook just call this "Display Settings"? 

Attack Methodology

But I'm not an interface designer. My job is to figure out how attackers could access data they're not supposed to. So the next obvious step is to run a query that exposes Mark's entire friends list. Here's how I did it:

  1. A simple graph search gathers a list of potential friends for Mark based on a common feature. For the case of User#4 (Mark Zuckerberg), we want to find people that work at Facebook and live in United States.
     
  2. Create a list of all the related users who have their Friends List privacy settings configured as public. We'll call this the "Relate List"
     
  3. Run a "brute force" search to cross-reference with Mark's Friends List, using the Mutual Friends URL for each of the related users.
     
  4. Repeat the search for mutual friends, with the mutual friends accounts identified (in previous phase), whose Friends List is public.

Introducing “Facebook Hidden Friends Crawler” (fb-hfc)

To drive the point home, I wrote a POC tool that shows how such easy it is for anyone to hack your hidden friends list.

The tool automates the attack methodology described above (apart from the last recursive phase). It first creates a Related List of users, and in the second phase, searches through this list to find mutual friends, resulting in an output file with a complete friends list.

Here's a screen capture video of the entire process: