The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
High
C
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity
High
I
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
# Facebook Friends private information disclosure
# *Vendor*: www.facebook.com
# Author: Juan Carlos Garca (NightSec) / Javier Garca Garca (NapsTeR-vk)
# Blog: http://hackingmadrid.blogspot.com
# Facebook http://www.facebook.com/pages/ETHICAL-HACKING-Y-OL%C3%89-by-the-Face-WhiteHat/172393869485449?sk=app_190322544333196
**********************
BREIF DESCRIPTION
**********************
The advent of the Web 2.0 has caused social profiling and is a growing concern for internet privacy.[1] Web 2.0 is the system that facilitates participatory information sharing and collaboration on the Internet, in social networking media websites like Facebook and MySpace.[1] These social networking sites have seen a boom in their popularity starting from the late 2000s. Through these websites many people are giving their personal information out on the internet.
These social networks keep track of all interactions used on their sites and save them for later use.[2] Issues include cyberstalking, location disclosure, social profiling, 3rd party personal information disclosure, and government use of social network websites in investigations without the safeguard of a search warrant.
Facebook has been scrutinized for a variety of privacy concerns due to changes in its privacy settings on the site generally over time as well as privacy concerns within Facebook applications. When Facebook first began in 2004, it was focused on universities and only those with .edu address could open an account. Furthermore, only those within your own university network could see your page. Some argue that initial users were much more willing to share private information for these reasons. As time went on, Facebook became more public allowing those outside universities, and furthermore, those without a specific network, to join and see pages of those in networks that were not their own. In 2006 Facebook introduced the News Feed, a feature that would highlight recent friend activity. By 2009, Facebook made more and more information public by default. For example, in December of 2009, Facebook drastically changed its privacy policies, allowing users to see each others lists of friends, even if users had
previously indicated they wanted to keep these lists private. Also, the new settings made photos publicly available by default, often without users knowledge.
**************
**************
Friends Private Information Disclosure
*********************************************
Facebook offers the option to see the friendship between your profile and that of another person, whether that person is not your friend or your friend, but by default anyone should be able to access the relationship between two people who do not know.
You can access anyone existing profile on Facebook and see the friendship between the two people and also being able to "SHARE" and make public their friendship though these people have established in the Facebook privacy settings that this option is not visible.
Apart from this disclosure of private information about the relationships of people who do not know and do not have on your profile, can be used to make jokes among minors, harassment and other acts not legitimate.
**************
Proof Of Concept (PoC)
https://www.facebook.com/usuario1?and=usuario2
User1:RAFAMORATETE Rafael Mora Celebrities in Spain
User2: ADMIN.CANGREJOS ( I am ...)
https://www.facebook.com/RAFAMORATETE?and=ADMIN.CANGREJOS
User1:RAFAMORATETE ------------------->Rafael Mora Celebrities in Spain
User 2:karmele.marchantebarrobes------>Karmele Marchante Celebrities in Spain and tabloid journalist well known. They hate each other publicly.
https://www.facebook.com/RAFAMORATETE?and=karmele.marchantebarrobes
As you can see we can access the friendship between them, but even more, we can share that friendship even though they have not
Ultimately occurs again on Facebook a security flaw for which a malicious user can see other people's private information, the relationship between them and / or share this relationship can be used by people with no good purpose (The same as Bill Gates and Facebook CEO for example ...)
******************
Give special thanks to all the people who follow me on Ethical Hacking and Ole by the Face .. Thanks guys
******************
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum