Vulnerability in Facebook Email feature

Posted: November 7, 2011 in Vulnerabilities


This time Facebook username feature is Vulnerable. After Facebook applications, now Facebook username feature can be used to do on Facebook profiles. Not only spam’s but this bug can be used to post illegitimate messages to Facebook users from their friends or either from unknown people without the consent of sender

Total Exposure : Knowledge of Facebook id and associated registered email address are the key elements to launch the exploit i.e., to postage of factitious messages on behalf of target user. Other than posting messages, spams are equally potential through this vulnerability.

Scenario:
To effectively launch the attack the minimum scenario consist on the following :

  • Target username of Facebook user1 (xxxx@facebook.com) and an email id of another Facebook user2 (any email,that used to register the facebook account).
  • To launch the attack an attacker can post fictitious private messages on behalf of target user2 to the target user1 via fake emails using a php script or online free fake mail services.

Update:
One year before we report this Vulnerability on blog and also to Facebook, But today we found that its still works 😛  , One new update added by ZeRtOx from a group called devitel that facebook will not show warning in yellow color if user 2 email id is of some uncommon domain, likeanything@anything.com . If user 2 email is of gmail, hotmail yahoo or another famous service then faceebook will also show a warning message in inbox of user 1.

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s