Shulou(Shulou.com)05/31 Report--

How to get the private friend list of Facebook users, this article introduces the corresponding analysis and answer in detail, hoping to help more partners who want to solve this problem to find a more simple and easy way.

The disclosure of user information may occur when data theft or unauthorized access occurs in organizations with personal information. Generally speaking, this is a security incident that can cause sensitive and protected confidential data to be widely circulated, analyzed or maliciously exploited. The vulnerability writeup shared in this article can indirectly obtain the list of private friends of the Facebook user by knowing the registered email address or mobile phone number of the user, and then infer a general social relationship graph of the user.

According to the instructions on the Facebook help page, the "people you might know" (People You May Know) feature helps Facebook users find more acquaintances, and the relationship between you and them is based on the following factors:

1. You have a mutual friend or mutual friend relationship, which is the most fundamental reason for the establishment of this possible cognitive relationship.

two。 You are in the same Facebook group or have been tagged in the same photo.

3. In addition, you have logged in to your Facebook account through the same network exit (school, unit).

Privacy settings for Facebook friend list

By default, Facebook users' friend list is public, and of course, Facebook also sets three different privacy options for this friend list: custom settings such as public, friend-visible and self-visible, as described on the Facebook help page.

Loophole discovery

The loophole found by the author here is as follows: first, during the user registration phase, a malicious attacker can first enter the mobile phone number of the target victim as the mobile phone number for registration confirmation, as follows:

After that, Facebook will send an SMS verification code to the mobile phone number and ask to enter the verification code in the confirmation interface, as follows:

Of course, the malicious attacker must not know the text message of the target victim, let alone the SMS verification code. Therefore, here the attacker can click the "Update Contact info" button that appears in the interface, and enter the attacker's own email address hack@rajsek.com in the new mobile phone number or new email address add column that pops up, as follows:

Next, the attacker will receive a CAPTCHA email from Facebook in his own mailbox hack@rajsek.com, fill in the CAPTCHA in the previous confirmation interface, and select "Continue". Facebook then prompts that the account is bound to hack@rajsek.com and requires the attacker to log in with mailbox hack@rajsek.com as login credentials:

Now, let's go to the following link:

Https://www.facebook.com/friends/requests/?fcref=swpsa

This link is "people you might know" URL, or directly use curl to grab the following link requests:

Curl 'https://www.facebook.com/gettingstarted/?step=friend_requests'-H' authority: www.facebook.com'-H 'referer: https://www.facebook.com/gettingstarted/'-H' cookie: xxxx'-compressed

Here, the list of "people you might know" pushed by Facebook to a malicious attacker is the list of friends of the target victim, as follows:

The whole process can be viewed in the following PoC video, in which the author uses the target victim's email as the registrant's information and his mobile phone number as the contact update information, and eventually, in this way, the target victim's friend list can also be obtained.

This vulnerability can be exploited by some malicious users or attackers to indirectly determine the social relationship graph of the target victim. The premise is that you only need to know the email address or mobile phone number of the target victim when signing up for Facebook, which can be obtained through social workers or the aforementioned friendship building basis.

This is the answer to the question about how to obtain the private friend list of Facebook users. I hope the above content can be of some help to you. If you still have a lot of doubts to be solved, you can follow the industry information channel for more related knowledge.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.