I reported this simple control-flow exploit to the Facebook "Security" team, but they didn't confirm whether it's a bug or not. Their first response to my report was, "It's not a bug". After that, I sent my explanation and POC videos, but received no further response. Anyway, I thought I'd post it online so that at least other users or readers can hide their private information.
There are actually two different things I would like to share. The first is about how to see the friend list of a few profiles, and the second is about taking over the facebook accounts of close friends.
See friend list of a person without even logging into Facebook
This happens for only a couple of profiles on my side. The security settings of these people might differ from those of others; I didn't investigate further. Also, facebook is smart enough to ask different security questions when you keep trying from the same machine, but it starts from the same question again when you try from a different machine. Smart enough? =P
1) Anyway, all you need is the username of the victim user. You can get the username of any user from their profile link: open any profile and take it from the facebook.com/<username> link.
2) Then, on the main screen, click 'Forgot your password?' and search for this username on the following page.
3) After clicking the Search button, you will see a page like the one below. It might look a little different and offer different options.
4) Click 'No longer have access to these'. It will ask for an email address. Give any email address that is not yet linked to facebook and click the Continue button.
5) After you click the Continue button, you will see a screen like the one below:
Click 'Recover your account with help of your friends'. That's all you ever wanted. I have noticed that the 'help from friends' option is not shown for the same user if I repeat the steps again and again on the same machine. I still haven't found the real reason why it isn't shown again on the same machine, but it could be one of the security measures facebook has taken.
6) Now you can see the friend list of the victim user.
And if you are wondering what someone can do with a friend list, you might want to look into this post (my emphasis is only on the importance of the friend list); secondly, had it not been private data, facebook would not have given the option to hide the friend list.
Interestingly, I can see only mutual friends on this user's timeline when I am logged in, but when I am logged out, I can see the other friends too.
Take over facebook account of your (close) friends
1) Follow the steps given above up to step 4, until you see the security question.
Typically, facebook asks 'In what city or town was your mother born?'. If you know where a person lives, it's not hard to guess the answer to this question. Particularly if (s)he is your close friend or a family relative and you want to harm him/her for any reason, facebook makes it easy for you. And if the mother is already on facebook, it's even easier. Broadly speaking, you can call it a social engineering attack that facebook is not responsible for, but facebook should not let it happen so smoothly. I happened to guess it for my brother, just in case.
Once you answer the question successfully, you can reset the password. Facebook does give the victim a 24-hour cushion, but what if the user is not so active on facebook? You get access to his/her account.
And the worst part is: you cannot change the answer to this question until you convince facebook that your account has been hacked and go through the re-identification process. That means that after you get your hacked account back, I can answer the same security question again and reset the password again. There was some conversation about this here around four months ago, but I guess facebook didn't bother to listen.
A few of the other questions are:
What's the street name where you lived when you were 8 years old?
What's your pet name?
Typically, most users answer these questions honestly so that, in case they have to reset the password, they can easily remember the answer. But every friend of your neighbors might also know this, and I am sure you don't want them to take over your account. Anyway, you get my point.
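An added, defender-side example covering both sections above (it is not part of the original post and not facebook's own code): a small Python check over constructed recovery-flow log lines. The log format, field names and step names are assumptions. It flags a recovery started by a client that has never logged in on the account using an unlinked contact address, the friend list being shown to such a client, and security-question attempts for one account spread across several clients, which per-machine throttling alone would miss.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of account-recovery events (hypothetical format, not real logs).
SAMPLE_LOG = """\
2012-08-01T10:00:00 acct=alice client=c1 step=login_ok
2012-08-01T10:05:00 acct=alice client=c9 step=recovery_start contact=unlinked
2012-08-01T10:05:30 acct=alice client=c9 step=friends_shown
2012-08-01T11:00:00 acct=bob client=c2 step=security_q result=fail
2012-08-01T11:10:00 acct=bob client=c3 step=security_q result=fail
2012-08-01T11:20:00 acct=bob client=c4 step=security_q result=ok
"""
LINE = re.compile(r"^(\S+) acct=(\S+) client=(\S+) step=(\S+)(?: (\S+)=(\S+))?$")

def parse(log):
    events = []
    for line in log.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed format
        ts, acct, client, step, key, val = m.groups()
        ev = {"ts": datetime.fromisoformat(ts), "acct": acct, "client": client, "step": step}
        if key:
            ev[key] = val
        events.append(ev)
    return events

def find_alerts(events, window=timedelta(hours=1), max_clients=2):
    """Return a sorted list of (account, reason) pairs a reviewer should look at."""
    alerts = set()
    known = defaultdict(set)       # account -> clients seen logging in successfully
    sq_tries = defaultdict(list)   # account -> [(ts, client)] security-question attempts
    for ev in sorted(events, key=lambda e: e["ts"]):
        a, c, step = ev["acct"], ev["client"], ev["step"]
        if step == "login_ok":
            known[a].add(c)
        elif step == "recovery_start" and ev.get("contact") == "unlinked" and c not in known[a]:
            # Unknown client starts recovery with an address the account never registered.
            alerts.add((a, "recovery from unknown client with unlinked contact"))
        elif step == "friends_shown" and c not in known[a]:
            # Trusted-friend list exposed to a client with no login history on this account.
            alerts.add((a, "friend list shown to unknown client"))
        elif step == "security_q":
            sq_tries[a].append((ev["ts"], c))
            recent = {cl for t, cl in sq_tries[a] if ev["ts"] - t <= window}
            # Per-machine throttling resets on a new machine, so count distinct clients per account.
            if len(recent) >= max_clients:
                alerts.add((a, "security question tried from multiple clients within window"))
    return sorted(alerts)
```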
Happy facebooking =)
P.S. I might post my email communication with facebook to show how much facebook is "concerned" about the privacy of its users. I also have a few POC videos for both sub-posts.
Update-1::
I did receive a response for the first issue a few days after posting this article. They said that it's not a bug and that they are pretty confident they show the friend list only to people who have logged in on that computer many times before.
And for the second issue, they have not responded yet. No ticket number was assigned to the bug report, so I don't know how to ask them for an update on it.
Update-2::
It's interesting that someone gave a talk on the same issue at Hack In The Box conference.