2025-04-01 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
In this issue, the editor explains how the precise geographic location of Facebook Marketplace sellers could be obtained. The article is rich in content and analyzes the issue from a professional point of view. I hope you get something out of reading it.
The writeup shared in this article covers a user information disclosure vulnerability in the Facebook Marketplace sales system, through which a seller's specific geographic location, such as latitude, longitude and postcode, can be obtained. The report had its twists and turns: Facebook rejected it at first and later accepted it. What follows is the author's account of the discovery.
Introduction to Facebook Marketplace
Facebook Marketplace is a P2P (person-to-person) product auction and trading feature that Facebook launched on mobile in October 2016. It allows users to buy and sell items.
Tapping the Marketplace button at the bottom of Facebook opens the interface, where users can search for a product by name, category, price and other criteria, as in an online mall. Facebook automatically displays the sellers closest to the user, along with each seller's asking price and product information. After finding the desired product, the user can contact the seller directly through Messenger. A seller can add goods, prices, locations and other related information directly to the Marketplace. Unlike regular auction sites, its built-in location tool can adjust the area you are viewing or switch to another city. Currently, Facebook Marketplace is only available in some countries.
How the vulnerability was discovered
After Facebook Marketplace launched, some sellers began selling stolen goods on it, so I sometimes assist in investigating stolen goods on Facebook Marketplace. While analyzing the technical feasibility of recovering such goods, I found a vulnerability that can be used to discover some sensitive seller data and obtain the seller's precise geographic location, including longitude and latitude.
I started by analyzing the sales page of the 7000 euro mountain bike I am going to sell. After testing, I found that the location data in Facebook Marketplace is relatively specific. It is included in the listing data returned for the item, the response is in JSON format, and the location of the seller's goods can be set through Facebook Marketplace.
That made me wonder why the location that Facebook Marketplace shows for the product on the user-facing page is so simple. This seemed worth delving into.
Deep analysis
So I logged in to the Facebook Marketplace app and set a random address for the 7000 euro mountain bike with the map location selection tool to see how it would react:
Look: in the lower right corner there is a small gray note. Facebook Marketplace states that, to protect the seller's privacy, the location shown is only approximate ("Location is approximate to protect the seller's privacy"). Not bad.
All right, I logged out of Facebook Marketplace to see what location data the request returns; note that at this point I am an unauthorized, ordinary user. On the sales page, I enabled Chrome's network monitoring. When I clicked on the mountain bike listing, I could see a lot of location information about the product in the network traffic. After checking it, I found that Facebook's API, facebook.com/api/graphql, leaked geographic location information in its response, as follows:
Unexpectedly, it contains the accurate geographic location of the goods, including latitude and longitude, city, country and zip code, as follows:
"location": {
    "latitude": 54.9942235,
    "longitude": -1.6041244,
    "reverse_geocode": {"city": "Newcastle upon Tyne", "state": "England", "postal_code": ""},
    "reverse_geocode_detailed": {"city": "Newcastle upon Tyne", "state": "England", "postal_code": "NE2 2DS"}
}
Latitude and longitude!? That's enough! I opened Google Maps, entered the latitude and longitude, and sure enough, I found the specific location that had been set for the item.
Sellers seldom deliberately falsify the actual location of the goods they sell, and the leaked location is accurate to within meters and comes with the city and postcode. Combined with the seller's real name, which is revealed during the transaction, a malicious attacker or anyone else with ulterior motives can use it to determine the seller's specific address.
Is this a security breach or a problem?
The seller must provide exact location information when publishing a listing, and Facebook Marketplace claims that it will protect users' privacy by blurring the location before showing it to visitors. When I set the sale location of the mountain bike, after I dragged the selection circle on the map, Facebook Marketplace indicated that it would only show the approximate location. And of course, few sellers deliberately falsify this kind of location information.
In addition, when I tried to submit a more specific location to Facebook Marketplace, the location and address options offered by Facebook contained no more accurate or closer locations to choose from, even when I entered the full zip code or address.
The behavior is therefore contradictory, so it can be regarded as a security issue.
Is this the expected behavior of Facebook?
I thought Facebook would randomly assign one of the locations within the map selection circle or, like some web apps, snap to the nearest approximate location. I also expected Facebook to display only the first three or four digits of the zip code. In fact, when Facebook took steps to prevent the disclosure of this information, the blurred approximate location above appears to be the approach they took. But now, when I try to add a sale to Facebook Marketplace, Facebook will even take a picture of a local park related to its location, which doesn't make any sense.
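The server-side behaviour expected above, sketched as an added example (not Facebook's code and not from the original writeup): the precise stored location is coarsened before it is serialised, so the API response carries no more than the interface claims to show. The function names, the 2 km grid size and the UK-style postcode handling are assumptions made for illustration.

```python
import math

# Constructed sample: the "location" object as shown in the article.
STORED = {
    "latitude": 54.9942235, "longitude": -1.6041244,
    "reverse_geocode": {"city": "Newcastle upon Tyne", "state": "England", "postal_code": ""},
    "reverse_geocode_detailed": {"city": "Newcastle upon Tyne", "state": "England",
                                 "postal_code": "NE2 2DS"},
}
GRID_KM = 2.0        # assumed cell size (a policy choice, not a Facebook value)
KM_PER_DEG = 111.32  # approximate km per degree of latitude

def snap_to_grid(lat, lon, cell_km=GRID_KM):
    """Centre of the grid cell containing (lat, lon). Deterministic, so repeated
    requests cannot be averaged the way random per-request jitter can."""
    lat_step = cell_km / KM_PER_DEG
    lat_c = (math.floor(lat / lat_step) + 0.5) * lat_step
    # A degree of longitude shrinks with latitude; clamp the cosine near the poles.
    lon_step = cell_km / (KM_PER_DEG * max(math.cos(math.radians(lat_c)), 0.01))
    lon_c = (math.floor(lon / lon_step) + 0.5) * lon_step
    return round(lat_c, 4), round(lon_c, 4)

def coarse_postcode(code):
    """Outward part only ('NE2 2DS' -> 'NE2'); assumes a space-separated
    UK-style code and fails closed (empty string) on anything else."""
    parts = code.split()
    return parts[0] if len(parts) == 2 else ""

def public_location(stored):
    """Allow-list the fields any viewer may receive; precise values stay server-side."""
    lat, lon = snap_to_grid(stored["latitude"], stored["longitude"])
    detailed = stored.get("reverse_geocode_detailed", {})
    return {
        "latitude": lat, "longitude": lon,
        "reverse_geocode": {"city": detailed.get("city", ""),
                            "state": detailed.get("state", ""),
                            "postal_code": coarse_postcode(detailed.get("postal_code", ""))},
    }

def offset_km(a, b):
    """Haversine distance in km between two (lat, lon) pairs."""
    p1, p2 = math.radians(a[0]), math.radians(b[0])
    h = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(b[1] - a[1]) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(h))

if __name__ == "__main__":
    pub = public_location(STORED)
    true_pt = (STORED["latitude"], STORED["longitude"])
    print(pub, round(offset_km(true_pt, (pub["latitude"], pub["longitude"])), 2), "km off")
```

Because the output is built from an allow-list, a field such as reverse_geocode_detailed cannot reach the response by being forgotten in a filter; a regression test on the serialised API output can assert the same property.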
That concludes the editor's account of how the precise geographic location of Facebook Marketplace sellers could be obtained. If you have similar questions, you may find the analysis above useful.