Facebook bug exposed payment card details and friend lists

by Jake Doe

Web security consultant found Facebook vulnerability uncovering friend lists and credentials

Facebook vulnerability is already fixed

Facebook is one of the most widely used social media platforms on the Internet. On October 6, 2017, web security consultant J. Franjkovic found a serious vulnerability in it that exposed a user's friend list regardless of that user's privacy settings: an attacker could circumvent the privacy controls and see the full friend list of any Facebook user.

Earlier in the year, the same researcher had also found a Facebook bug that exposed details of the payment cards users had stored on the platform. That vulnerability, discovered on February 23, 2017, let the researcher retrieve the card credentials of any Facebook user.

The flaw exposed the first six digits of the card, which identify the bank that issued it[1]. The security consultant could also obtain the last four digits of the payment card, the cardholder's first name, the card type, ZIP code, country, and expiry month and date.

The researcher bypassed the whitelisting mechanism

J. Franjkovic explained that the friend list could be disclosed with GraphQL[2] queries and a client token[3] belonging to a Facebook-developed application. The researcher bypassed the whitelisting mechanism by sending a “doc_id” parameter instead of the expected “query_id”, together with the access_token of the Facebook for Android app.

Once the whitelisting[4] mechanism was circumvented, J. Franjkovic sent a series of GraphQL queries. Most of them revealed only data that was already public, but one of them, CSPlaygroundGraphQLFriendsQuery, exposed the hidden friend list of any Facebook user whose ID was supplied.

The earlier bug was also GraphQL-related and exposed credit card details in the same way: the researcher supplied the victim's Facebook user ID together with an access_token taken from the Facebook app for Android.

J. Franjkovic describes this Facebook vulnerability as a textbook example of an insecure direct object reference bug, also known as IDOR[5]:

This is a textbook example of an insecure direct object reference bug (IDOR).
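The two defects described above, the whitelisting check that could be skipped with an alternate identifier and the resolver that hands out an object based only on the ID it is given, are shown here in a toy GraphQL-style service. This is an added illustration, not Facebook's code or the researcher's; every user, query name, identifier and client credential in it is constructed for the example, and the "weak" and "fixed" executors exist only to contrast the defect with the defence.

```python
# Added example: a toy persisted-query executor with an IDOR and a bypassable
# allowlist, beside the fixed version. All data and names are hypothetical.
from dataclasses import dataclass


@dataclass
class User:
    id: int
    name: str
    friends: frozenset[int]
    friends_visibility: str  # "public", "friends" or "only_me" (hypothetical setting)


# Constructed sample data: bob (2) hides his friend list from everyone.
USERS = {
    1: User(1, "alice", frozenset({2, 3}), "public"),
    2: User(2, "bob", frozenset({1, 3}), "only_me"),
    3: User(3, "carol", frozenset({1, 2}), "friends"),
    4: User(4, "dave", frozenset(), "public"),
}


def can_view_friends(viewer_id: int, target_id: int) -> bool:
    """Viewer-relative privacy check: the answer depends on WHO asks, not only WHICH id."""
    target = USERS[target_id]
    if viewer_id == target_id or target.friends_visibility == "public":
        return True
    if target.friends_visibility == "friends":
        return viewer_id in target.friends
    return False  # "only_me"


def resolve_friends_idor(viewer_id: int, target_id: int) -> list[int]:
    """IDOR: the object is fetched purely from the supplied id; the viewer is ignored."""
    return sorted(USERS[target_id].friends)


def resolve_friends_checked(viewer_id: int, target_id: int) -> list[int]:
    """Fixed resolver: authorization is enforced inside the field resolver itself."""
    if not can_view_friends(viewer_id, target_id):
        raise PermissionError("viewer may not see this friend list")
    return sorted(USERS[target_id].friends)


def resolve_public_profile(viewer_id: int, target_id: int) -> dict:
    """Public data; no privacy check is needed."""
    return {"id": target_id, "name": USERS[target_id].name}


# Two client-facing identifiers that name the same persisted queries (hypothetical).
QUERY_IDS = {"q101": "PublicProfileQuery", "q102": "FriendsQuery"}
DOC_IDS = {"d101": "PublicProfileQuery", "d102": "FriendsQuery"}

# Which persisted queries each client credential may run (hypothetical allowlist).
CLIENT_ALLOWLIST = {
    "mobile_app": {"PublicProfileQuery"},
    "internal_tool": {"PublicProfileQuery", "FriendsQuery"},
}


def canonical_query(request: dict) -> str:
    """Map whichever identifier the client sent to the single canonical query name."""
    if "query_id" in request:
        return QUERY_IDS[request["query_id"]]
    if "doc_id" in request:
        return DOC_IDS[request["doc_id"]]
    raise ValueError("no persisted query identifier in request")


def execute_weak(client: str, viewer_id: int, request: dict):
    """Defect 1: the allowlist is consulted only on the query_id path; doc_id skips it.
    Defect 2: the friends resolver has no viewer check, so a skipped allowlist leaks data."""
    resolvers = {"PublicProfileQuery": resolve_public_profile, "FriendsQuery": resolve_friends_idor}
    if "query_id" in request:
        name = QUERY_IDS[request["query_id"]]
        if name not in CLIENT_ALLOWLIST[client]:
            raise PermissionError(f"{client} may not run {name}")
    else:
        name = DOC_IDS[request["doc_id"]]  # alternate identifier, never checked
    return resolvers[name](viewer_id, request["user_id"])


def execute_fixed(client: str, viewer_id: int, request: dict):
    """Fix: normalise first, allowlist on the canonical name, and use viewer-aware resolvers
    so that even a future allowlist slip cannot expose a hidden list."""
    resolvers = {"PublicProfileQuery": resolve_public_profile, "FriendsQuery": resolve_friends_checked}
    name = canonical_query(request)
    if name not in CLIENT_ALLOWLIST[client]:
        raise PermissionError(f"{client} may not run {name}")
    return resolvers[name](viewer_id, request["user_id"])


def is_denied(fn, *args) -> bool:
    """Helper for checks: True if the call is refused with PermissionError."""
    try:
        fn(*args)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    # A stranger (dave, 4) asks for bob's hidden list through the mobile credential.
    req = {"doc_id": "d102", "user_id": 2}
    print("weak executor returns:", execute_weak("mobile_app", 4, req))
    print("fixed executor denies:", is_denied(execute_fixed, "mobile_app", 4, req))
```

The defence worth noting is the second one: the allowlist decides which query a client may run, but the resolver must still decide whether this viewer may see this object, so the privacy setting is enforced even when the front-door check is imperfect.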

Facebook fixed the bug within several hours

The speed of Facebook's reaction to the reports surprised the web security consultant. The response to the friend-list report arrived in under a week, on October 12; Facebook's engineers fixed the bug on October 14 and blocked the whitelisting bypass on October 17, 2017.

The response to the credit card information leak came in under 40 minutes, and that vulnerability was eliminated after 4 hours and 13 minutes.


About the author

Jake Doe - Computer technology geek

Jake Doe is a News Editor at Ugetfix. Since meeting Ugnius Kiguolis in 2003, the two have launched several projects that raise awareness of cybercrime, malware, and other computer-related problems.
