Getting any Facebook user's friend list and partial payment card details

Getting any Facebook user's friend list and partial payment card details(josipfranjkovic.com)

416 points by franjkovic 8 years ago | 91 comments

tannerc 8 years ago |

Important last-line: "It took Facebook's team 4 hours and 13 minutes to fix the issue - the fastest report-to-fix for me."

bostik 8 years ago | |

There's an important unstated property too, btw. OP reported an information disclosure bug in payment handling code. A bug in the core logic of what literally brings money in.

That kind of bug report is bound to get a very quick triage, followed by a very quick escalation.

But yes, even with that in mind: a 4-hour turnaround is damn impressive.

jomkr 8 years ago | | |

I work at one of the other Big4 and to be honest it's not that impressive. This kind of report would be a high severity ticket, the person on-call for the given team would get paged, and wouldn't stop working/escalating until it got fixed.

Obviously not all companies behave this way, but they should!

cheeze 8 years ago | |

Wow. That is extremely impressive that such a large company is able to get a fix out that quickly.

wolco 8 years ago | | |

The fix is probably 10 minutes but the deployment process, intake process and notification process took 3 1/2 hours

aje403 8 years ago | | |

If it took much longer than that for bugs like this, all of the HN doomsday posts about the Facebook mass exodus might actually come true

user5994461 8 years ago | | |

It's a trivial bug. If the parameter is invalid, return nothing, rather than return all the credit cards.

I'd be worried if any company is not able to understand the problem and publish a patch in a few hours.

yashap 8 years ago | |

Agreed! Security bugs are going to happen in any sufficiently large piece of software (that wasn’t written by djb). The important thing is to work hard towards minimizing them, and fixing them quickly once found - seems to me Facebook does a good job on both of these points.

chirau 8 years ago | | |

Who is djb?

johnchristopher 8 years ago | |

Thinking now about that line I heard from a consultant a month ago: "Facebook got 20 lawyer firms hired to check if the 30 lawyers firm they hired first did their job well regarding the GDPR".

Did they notify users whose data were compromised ?

jpollock 8 years ago | |

That's because you should never have first 6 and last 4 in the same place at the same time, particularly to someone who is not the owner of the card!

That leaves only 6 digits to guess to obtain a valid card, and you're given the check digit to limit the search further.

packetized 8 years ago | | |

First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...

asdfjklas 8 years ago | | |

Neither first six nor last four are considered PCI sensitive data. Not saying they should be randomly displayed, but in the context of many fintech apps they will be displayed together.

pinkythepig 8 years ago | | |

First 6 is shared across the cards a particular bank issues. Its not a secret as you can google the first 6 to find the bank or even the reverse google the bank to see what BINs they use. Last 4 is intended to be human visible so people can identify the card in use. When you factor in the check digit ruling out 90% of the remaining combinations, there are still 10,000 valid cc combinations plus an expiration date you would have to guess just to get a single acct.

jpollock 8 years ago | | |

More details as an explanation.

Facebook was providing:

  Cardholder Name
  First 6
  Last 4
  Expiry Date
  Billing Address.

The only bits missing were CVV and the middle 6.

Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.

Given the ability for attackers to quickly guess CVV and the remaining digits[1], the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.

This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.

That's even before we take into account the account take over possibilities since those card details are used by other companies as verification for account recovery[2]. Yes, those vulnerabilities were closed, but that doesn't stop new companies from making the same mistakes.

Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!

[1] https://www.theregister.co.uk/2016/12/05/undetectable_sixsec...

[2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

philipodonnell 8 years ago | | |

Random question I've never found a place to ask before. Is there a formal language or method for specifying information like this, where I could map out different pieces of data and reason about how the pieces of data flow through a system, to prove mathematically that two (or n) pieces of data are never available in the same place?

tehlike 8 years ago | | |

You should vs human nature. We introduce bugs. Please don't be cynical, and cheer this up.

Kudos to facebook team that they responded shortly, I cannot tell if it was work hours or not, but either way, this is very very short in the context of large corporations.

tintor 8 years ago | |

".. Facebook's team .."

Most likely a single dedicated person at FB.

gambiting 8 years ago | | |

I guess it's cultural, but I have observed many times that especially in America, there is a lot of emphasis on individualism - the cult of the person and their own achievements is placed above all else.

Even if the fix was done by one "dedicated employee" , they still belong to a team of people working together. I feel like singling out one person like this is almost rude to the rest of the team.

sigsegv0xb 8 years ago | | |

Do you mean that FB only has one single dedicated person looking at Whitehat tickets or that a single developer made the fix?

sneak 8 years ago | | |

Who sometimes has a day off, or takes a vacation, or has an illness, so you’re looking at a minimum of 3 persons...

zitterbewegung 8 years ago | | |

They have a dedicated Bug report team that sifts through the nonsense so it can't just be one person..

stormbrew 8 years ago |

Wait, why would facebook have CC info? I have never paid facebook for anything (except in terms of ad views), and I'm not even sure what I could pay them for? Posting ads I guess? But that's gonna be not a lot of people.

So if somehow their graph api has pulled up my credit card number into their database, that's the disturbing thing...

kfrzcode 8 years ago | |

> Posting ads

Advertisement is Facebook's #1 revenue model, its literally why they exist. I wish everyone who's used FB would sign up for a business page and place an ad; it's illuminating to see just how detailed their tools are.

Same with Google PPC and Bing etc etc.

I shudder to think at just how detailed the profiles are that FB, AMZN et al keep on each of its users.

jlarocco 8 years ago | | |

> Advertisement is Facebook's #1 revenue model, its literally why they exist.

It's how they exist, not why.

I do agree that their data collection is very creepy.

dave5104 8 years ago | |

They offer a cash transfer service via Messenger (similar to Apple Pay Cash or Snap Cash where you hand over a debit card and then you can send money to friends).

I believe they also used to have a system (maybe they still do?) where you could buy "Facebook Credits" to use on Facebook platform games, essentially microtransactions.

pbhjpbhj 8 years ago | | |

They also used to have a thing where you could buy, with real money IIRC, little icons for your "friends"; quite some time back I think.

tjbiddle 8 years ago | |

They've had previous monetization methods, as well as submitting donations, sending cash to friends, paying for advertising, etc.

amasad 8 years ago |

I wonder what the `CSPlaygroundGraphQLFriendsQuery` query is meant for. It sounds like some testing/development thing.

wongmjane 8 years ago | |

`CS` in this context stands for ComponentScript. It appears to have something to do with React Native.

`CSPlaygroundGraphQLFriendsQuery` is a demonstration for Facebook engineers internally to show how to display a list of "oneself's friends with auto-pagination" using GraphQL and ComponentScript inside their Facebook main app

P.S. I don't work at Facebook. But this is something I stumbled across their app.

amasad 8 years ago | | |

Like the demo was released and accessible in the app? Or did you see it in the RN JS code?

dirkdk 8 years ago |

What bounty did he receive for filing this?

sp332 8 years ago |

I thought Facebook considered the Friends list to be public? They removed the ability to hide the list years ago.

hooksfordays 8 years ago | |

No, I can still hide my friend’s list. Settings > Privacy > “Who can see your friends list?”

zaidf 8 years ago | |

Friend List can be made private through your privacy settings.