Yet another Facebook leak… 533M records!

Almost everyone on this planet, including their dog, cat, pet parrot and all other being is listed on Facebook (but this also means other social media, not at the scale how penetrative Facebook is).

Started off as a college fling tracking site, Facebook quickly outgrew its pubescent phase and matured as a global social media giant. This, as willing John Q. Public happily providing their personal data (and scary at times). Facebook quickly became an advertisement darling and a platform for marketing, social outreach and often information warfare battlegrounds (as seen recently during the last US presidential election campaigns.

In 2019, there were 2 breaches that affected Facebook. One in March/April and the other in September. The most recent one affecting 533M records (supposedly), was slated to be due to the September incident. However, a more detailed view reveals that the vulnerability may be lingering since 2012!

The March/April breach (which Facebook claimed has addressed) seem to have been due to its own API abuse. The Graph/Marketing API was seen abused, also attributed to the Cambridge Analytica debacle as well. Facebook stepped in to disable its “supposedly” harmful API to prevent further abuse, but not without receiving backlash to the extent of what Cambridge Analytica had caused damage.

Lucian Constantie, a senior writer for IDG News Service wrote on ComputerWorld (8 October 2012) that an independent researcher Suriya Prakash found a vulnerability via Facebook’s Mobile site. Facebook allows users to associate their contact list with existing Facebook users account. Facebook, earlier, had requested users to submit their mobile number in order to enable SMS based 2FA to protect their accounts. Now that Facebook has contact information, it also provided users an option to search for other users by specifying their number. To make it easier, a setting was introduced. In facebook, a user can head on to “Privacy Setting” > “How You Connect” > “Who can look you up using email address or phone number you provided” with the default setting of “Everyone” (!)

This means that even if you set your phone number visibility to “Me only” on your profile page, anyone who knows your number will be able to look you up unless if that setting was changed accordingly. Most people, unaware of this would leave the setting default, falling prey to this type of attack.

Suriya Prakash claimed that he shared the information with Facebook Security team in August and after an initial response on 31 August, his emails seemed to have ended up in /dev/null. A facebook representative responded and said that the rate of a user being found is at a restricted rate.

This became the actual issue which caused the most recent data breach for Facebook. Facebook however claimed that there were no hacking, and that this was just another scraping method. Scraping, is means of obtaining information crawling through the site. However, from my assessment, I find it more closer to an IDOR (Insecure Direct Objet Reference).

In a typical IDOR attack, the attacker simply enumerates the object, by incrementing the ID number. e.g. http://website/id=1

The ID value is incremented, revealing all other objects until the enumeration is complete. In this case, the ID happens to be the mobile number. The attacker created a phone book with ALL possible phone numbers, uploading to Facebook and referencing it against Facebook’s own database. Based on the numbers enumerated, one of the victim of this attack is Mark Zuckerberg himself, later identified having Signal app running on his phone (surprise, surprise!).