Facebook Flaws Exposed Friend Lists, Payment Card Data
A researcher last year discovered some information disclosure vulnerabilities in Facebook that exposed users’ friend lists and partial payment card information. Web security consultant Josip Franjković had been analyzing the Facebook application for Android when he identified a flaw that allowed him to obtain any user’s list of friends via a specially crafted request. Facebook users can prevent others from seeing their friends, but the vulnerability discovered by Franjković could have been exploited to obtain this information regardless of the targeted user’s privacy settings. GraphQL queries can only be used for Facebook’s own applications—only whitelisted query IDs are allowed—and they require an access token. Franjković discovered that he could use the client token from the Facebook app for Android, and he could bypass the whitelist by sending a request containing a “doc_id” parameter instead of “query_id.” An attacker could have exploited the flaw to obtain partial payment card information by sending a query containing the targeted user’s ID and an access token that could have been taken from a Facebook app.