Facebook is always changing, and its team adds new functionality every couple of months. Each change carries a chance of affecting security and introducing vulnerabilities, explains an information security company expert. This month the search feature got a major upgrade, and the new tool lets people search through the posts of friends and even of people who are not their friends. Recently an exploit of a newly broken feature in the Facebook search system was posted by a security investigator named Atul in his blog and reported to the Facebook team. Although the vulnerability may look basic, it is very effective for doing a background check on people who are not your friends on Facebook.
You can easily exploit this vulnerability to get access to photos of people who are not your friends on Facebook. This might be interesting for people who want to check the personal photos of ex-boyfriends or ex-girlfriends who are no longer their friends on Facebook.
The steps below were taken from the security investigator’s blog, and you can try them with the profiles of ex-girlfriends or ex-boyfriends who are no longer your friends on Facebook.
Synopsis: Access the private photographs of any target individual/profile, even if he/she is not your friend.
Browser used: Chrome, Mozilla
Steps to exploit:
1. Search for a profile on Facebook that is your target and is not in your friend list, with no friends or groups in common.
2. To demonstrate this problem, I took the profile of a random individual. Imagine a scenario where I know a girl but she is still not my friend on Facebook.
3. She is not in my friend list, nor do we have anything in common.
4. To view the public photos of “Target Profile Name”, I searched her name on Facebook and fortunately was able to find her profile.
5. I then looked at her profile and found very little information.
6. I then went to see her public photographs and was able to see very few photos.
Exploiting the bug (or, you could say, the Facebook feature)
7. To get more photos of the target, I searched for “Photos of Target profile” in the Facebook search panel, as shown in the image below.
Search query shown in the image: Photos of xxxxx
8. I was able to access a lot of photos of my target which were not visible earlier without being her friend.
9. I tried the same scenario on other unknown individuals (not in my friend list), some very important people, even Facebook employees, and I was able to access their photos, which were not visible directly. This works even if the target profile has implemented Facebook’s privacy settings. By using the above method I am able to see a lot of photos of the profile which are not visible by searching only the profile name.
10. If the user has not allowed tagging in photos, then the user might be safe from this exploit.
The above steps were taken from the security investigator’s blog, and you can try them with ex-girlfriends or ex-boyfriends who are no longer your friends on Facebook. Also make sure that you use Facebook’s suggested search, otherwise this might not work. As per the security investigator, the results may vary by browser, OS and mobile application version, so try this on different browsers, operating systems, profiles and mobile applications, as you might get access to different and many more photos.
Information security specialist, currently working as risk infrastructure specialist & investigator.
15 years of experience in risk and control processes, security audit support, business continuity design and support, workgroup management and information security standards.