OP
Hall of Famer
Joined: Sep 2006
Posts: 3,044
Quote:
http://www.theregister.co.uk/2010/08/11/facebook_name_extraction_bug/
Facebook bug spills name and pic for all 500 million users
A bug in Facebook's login system allows attackers to match unknown email addresses with users' first and last names, even when they've configured their accounts to make that information private.
The information leak can be exploited by social-engineering scammers, phishers, or anyone who has ever been curious about the person behind an anonymous email message. If the address belongs to any one of the 500 million active users on Facebook, the social-networking site will return the full name and picture associated with the account.
"Facebook users have no control over this, as this works even when you have set all privacy settings properly," Atul Agarwal of Secfence Technologies wrote Wednesday on the Full-disclosure security listserve. "Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies."
Exploiting the vulnerability is as easy as entering the email address into the Facebook sign-on page, typing a random password and hitting enter. To streamline the attack, Agarwal has written a PHP script that works with large lists of email addresses.
Over the past few years, Facebook has come under criticism for revealing too much information about its users. The data — which can include users' birthdays, home towns and personal friends — can then be used by marketers, stalkers, and other ne'er-do-wells to invade the users' privacy. The social-networking site has responded by giving users more control over who gets to see select pieces of user information.
Evidently, the name-to–email address extraction bug has been overlooked. We wouldn't be surprised to see this fixed in short order. ®
Link to original post and exploit finding on Seclists.org below:
Quote:
This script extracts the First and Last Name (provided by the users when they sign up for Facebook). Facebook is kind enough to return the name even if the supplied email/password combination is wrong. Furthermore, it also gives out the profile picture (this script does not harvest it, but it's easy to add that too). Facebook users have no control over this, as this works even when you have set all privacy settings properly. Harvesting this data is very easy, as it can be easily bypassed by using a bunch of proxies. - Atul Agarwal - Secfence Technologies
http://seclists.org/fulldisclosure/2010/Aug/130
Ouch... Facebook owned hard on this one... all your user details can be gotten with just an email address... Looks like the bots will be spamming Facebook with email addresses, harvesting as much as they can... joy...
I hope Facebook fixes this quick...
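The oracle the article describes is a login handler whose failure response differs depending on whether the address has an account. The Python below is an added example, not code from this thread, the Register article, Agarwal's PHP script or Facebook: a constructed user table, a handler that mirrors the reported leak (a wrong password still returns the name and picture), a hardened handler that returns one generic failure and runs a dummy hash check for unknown addresses so response time does not become the tell instead, and a harvester loop that shows the first leaks identities and the second does not. The account names, addresses, the PBKDF2 stand-in and the response format are all assumptions made for the example.

```python
import hashlib
import hmac
import os

# Stand-in credential store. PBKDF2 is used here only so the example runs;
# it is not a claim about how Facebook stored passwords.
ITERATIONS = 50_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def make_user(name, picture, password):
    salt = os.urandom(16)
    return {"name": name, "picture": picture, "salt": salt, "hash": _hash(password, salt)}


# Constructed sample accounts (assumption: none of these addresses is real).
USERS = {
    "alice@example.org": make_user("Alice Example", "/photos/alice.jpg", "correct horse battery"),
    "bob@example.org": make_user("Bob Example", "/photos/bob.jpg", "hunter2"),
}


def login_leaky(email, password):
    """Behaviour the thread describes: a wrong password still returns the
    account's name and picture, so any address can be resolved to a person
    regardless of that person's privacy settings. (The distinct 'unknown
    email' message is an enumeration oracle in its own right.)"""
    user = USERS.get(email)
    if user is None:
        return {"ok": False, "error": "Unknown email address"}
    if hmac.compare_digest(_hash(password, user["salt"]), user["hash"]):
        return {"ok": True, "name": user["name"], "picture": user["picture"]}
    return {"ok": False, "error": "Incorrect password",
            "name": user["name"], "picture": user["picture"]}


# Fixed salt/hash used when the address is unknown, so the handler does the
# same amount of work whether or not an account exists.
_DUMMY_SALT = b"\x00" * 16
_DUMMY_HASH = _hash("\x00no-such-password", _DUMMY_SALT)


def login_uniform(email, password):
    """Hardened handler: one generic error for both 'no such account' and
    'wrong password', no identity data on failure, and a dummy hash check
    on unknown addresses so timing does not leak what the body no longer does."""
    user = USERS.get(email)
    salt = user["salt"] if user else _DUMMY_SALT
    expected = user["hash"] if user else _DUMMY_HASH
    matched = hmac.compare_digest(_hash(password, salt), expected)
    if matched and user is not None:
        return {"ok": True, "name": user["name"], "picture": user["picture"]}
    return {"ok": False, "error": "Incorrect email address or password"}


def harvest(login, emails):
    """What the harvesting script in the thread does: submit a junk password
    for each address and keep whatever identity the response hands back."""
    found = {}
    for address in emails:
        response = login(address, "junk-password")
        if "name" in response:
            found[address] = response["name"]
    return found


if __name__ == "__main__":
    probe = ["alice@example.org", "bob@example.org", "nobody@example.org"]
    print("leaky  :", harvest(login_leaky, probe))
    print("uniform:", harvest(login_uniform, probe))
```

The fix is not only the uniform message: the dummy PBKDF2 run on unknown addresses matters because a handler that returns early for "no such user" answers measurably faster, and a proxy list defeats per-IP rate limits just as the quoted post says, so the response itself must carry nothing that depends on whether the account exists.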
Legend
Joined: Sep 2006
Posts: 28,348
no need to attempt to harvest, 100 million+ accounts have already been retrieved and a torrent is available of all 1.2GB of data.
Browns is the Browns
... there goes Joe Thomas, the best there ever was in this game.
OP
Hall of Famer
Joined: Sep 2006
Posts: 3,044
I heard about that Purp, figures eh?
I just wanted folks to be aware. I know how popular Facebook is so I hope they fix this problem soon.
Hall of Famer
Joined: Feb 2007
Posts: 4,753
Funny this was posted today. Last night I went to log into FB, but used my work login instead and some other guy's name and picture showed up. Didn't even think of it, other than starting over and typing in the correct credentials.
Legend
Joined: Sep 2006
Posts: 43,533
Quote:
no need to attempt to harvest, 100 million+ accounts have already been retrieved and a torrent is available of all 1.2GB of data.
The last couple of days, I've received several requests to allow folks to be my friend.. but I have no idea who they are and mutual friends aren't listed.
Oddly enough, all were women with relatively sexy pictures (not revealing, just sexy)
I've denied them access because it sounded fishy. Is this kinda what's happening?
I even had a friend request from someone named Tawny something.. it slipped past me and she or it has been posting links on my facebook page...
damn
#GMSTRONG
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"Alternative facts hurt us all. Think before you blindly believe." Damanshot
Legend
Joined: Sep 2006
Posts: 28,348
I wouldn't be surprised if that isn't a result of it.
XXX sites, spammers and virus writers could download the profiles and search them for specific demographics (male, 18-55, etc...) and target them. I've gotten a number of those invites recently as well, but I've received them as long ago as a year or more, too. They may or may not want you to actually friend them, but they definitely want you to click the link to "view their pictures", which almost certainly is a link to a page crafted to steal information or infect your computer.
Browns is the Browns
... there goes Joe Thomas, the best there ever was in this game.
Legend
Joined: Sep 2006
Posts: 43,533
That's very odd to me.. I am not the type that visits porn sites so I'm assuming you don't have to visit such sites to get hit by those kinds of solicitations.
Purp, you know I'm not an IT guru.. ha, not even close really.. so this may seem like a very stupid question, but is phishing done only to retrieve information that can be used to scam someone out of money? Are there other reasons to scam?
I ask that because when I look at some of the things I've read about, I can't understand how it will result in any financial benefit.
#GMSTRONG
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"Alternative facts hurt us all. Think before you blindly believe." Damanshot
Legend
Joined: Sep 2006
Posts: 15,015
It amazes me how many friends I have that have their email, telephone, cell, and home address in their profile info.
If someone needs that info, they can message me on my facebook, no reason to put my personal email address in my profile.
We don't have to agree with each other to respect each other's opinion.
Hall of Famer
Joined: Nov 2006
Posts: 4,173
Quote:
I wouldn't be surprised if that isn't a result of it.
XXX sites, spammers and virus writers could download the profiles and search them for specific demographics (male, 18-55, etc...) and target them. I've gotten a number of those invites recently as well, but I've received them as long ago as a year or more, too. They may or may not want you to actually friend them, but they definitely want you to click the link to "view their pictures", which almost certainly is a link to a page crafted to steal information or infect your computer.
Man, I haven't got any of those invites. I must be so ugly that they won't go near me. 
Hall of Famer
Joined: Sep 2006
Posts: 8,704
Quote:
It amazes me how many friend I have that have their email, telephone, cell, and home address in their profile info.
I've accidentally called like 3 people who have never given me their number lol.
My phone is linked to Facebook, so if your profile has your number on it, your number is automatically in my phone.
It's kind of embarrassing to call someone who has never given you their number 
Dawg Talker
Joined: Jul 2007
Posts: 1,426
Quote:
The last couple of days, I've received several requests to allow folks to be my friend.. but I have no idea who they are and mutual friends aren't listed.
Oddly enough, all were women with relatively sexy pictures (not revealing, just sexy)
I've denied them access because it sounded fishy. Is this kinda what's happening?
I even had a friend request from someone named Tawny something.. it slipped past me and she or it has been posting links on my facebook page...
damn
I've gotten 10-15 friend requests over the past several months all from women in revealing photos or poses. I've tried adjusting my security settings but that doesn't seem to be helping.
Just last week a woman claiming to be a police officer from Wisconsin sent me a private message on facebook saying she found my wallet and asked if I could come and retrieve it. Too bad I've never been to Wisconsin. 
Legend
Joined: Oct 2006
Posts: 13,882
Ouch.
Good thing I never signed up for Facebook (even though most of my family has). And I'm the only techie guy in the group. Go figure.
“...Iguodala to Curry, back to Iguodala, up for the layup! Oh! Blocked by James! LeBron James with the rejection!”
Legend
Joined: Sep 2006
Posts: 50,867
I get dozens of facebook friends requests ..... most of whom I don't know by name. (and I am probably one of the least active facebook people around)
I do wish that people would include their MB names if they do a friends request as a result of knowing someone else on the boards. (Not that I even log onto facebook more than once a month anyway ......)
I have received some from people I knew in passing in high school. Wouldn't it be nice if people would just include a "I went to school with you 30 years ago" with a request?
How about if they said "I'm a friend of a friend of yours" ......
I am sure that I have blocked some legitimate friends requests over the past 2 months or so ...... but if I don't know the person, I'm not adding them.
Micah 6:8; He has shown you, O mortal, what is good. And what does the Lord require of you? To act justly and to love mercy, and to walk humbly with your God.
John 14:19 Jesus said: Because I live, you also will live.
Legend
Joined: Sep 2006
Posts: 15,015
If I request someone I haven't seen or talked to in a long time I always include a personal message of how I know them.
We don't have to agree with each other to respect each other's opinion.
Legend
Joined: Sep 2006
Posts: 43,533
Quote:
If I request someone I haven't seen or talked to in a long time I always include a personal message of how I know them.
That's what I do also... that way there is no confusion...
#GMSTRONG
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"Alternative facts hurt us all. Think before you blindly believe." Damanshot
Hall of Famer
Joined: Nov 2006
Posts: 4,173
Yep, every person on my friends list is someone I know, all 4 of them. 
Hall of Famer
Joined: Sep 2006
Posts: 8,704
I know every single person on my friends list, too.
I know some people who have like 1,200 friends, and you know there's no way they actually know that many people lol.
Legend
Joined: Oct 2006
Posts: 17,850
I don't do facebook because I don't need a computer screen telling me how few friends I have. If I want to know, I can count them up on my fingers 
#gmstrong
Legend
Joined: Sep 2006
Posts: 28,348
Quote:
That's very odd to me.. I am not the type that visits pornsites so I'm assuming you don't have to visit such sites to get hit by those kind of solititations.
You don't need to, you fit a demographic in some fashion, thus you get targeted.
Quote:
Purp, you know I'm not an IT guru.. ha, not even close really.. so this may seem like a very stupid question, but is phishing done only to retrieve information that can be used to scam someone out of money? Are there other reasons to scam?
I ask that because when I look at some of the things I've read about, I can't understand how it will result in any financial benefit.
It could be anything.... they could be trying to infect your machine, they could be trying to gather information, etc... no way of knowing. As for how to make money with it: information can be sold, identity theft is a real possibility, if they can infect your machine and your banking info is on there, they may be able to access account numbers, etc... or, perhaps they just want to add your machine to a network of zombies to later be used to spam people. It could be so many different things that it is impossible to tell.
Browns is the Browns
... there goes Joe Thomas, the best there ever was in this game.
Legend
Joined: Sep 2006
Posts: 43,533
There are times that I receive emails from myself.. Meaning, I get an email at my business email address and it's FROM ME.. only I didn't send it.
#GMSTRONG
“Everyone is entitled to his own opinion, but not to his own facts.” Daniel Patrick Moynihan
"Alternative facts hurt us all. Think before you blindly believe." Damanshot
Legend
Joined: Oct 2006
Posts: 17,850
Quote:
There are times that I receive emails from myself.. Meaning, I get an email at my business email address and it's FROM ME.. only I didn't send it.
it's called multiple personality syndrome 
#gmstrong
Legend
Joined: Sep 2006
Posts: 15,015
It's called address spoofing and is the biggest PITA for me here. I can filter out most spam emails, but the spoofed ones become harder to filter. So I have the filter send out a report every 4 hours during the workday to the users for them to review for legit emails from the "possible spam" folder.
If they find a legit email in the list, they can clear it for delivery and it will pass the filter in the future.
We don't have to agree with each other to respect each other's opinion.
Legend
Joined: Sep 2006
Posts: 27,779
Quote:
I do wish that people would include their MB names if they do a friends request as a result of kowing someone else on the boards. (Not that I even log onto facebook more than once a month anyway ......)
Hey it's me GM... oh wait, you're already on my Facebook. Never mind
I AM ALWAYS RIGHT... except when I am wrong.
Hall of Famer
Joined: Jul 2007
Posts: 3,960
http://m.cnn.com/primary/_9fy5f6-iUs8lPQSoQSo
Facebook has this new app that lets friends know where their phone is. So if you go to Applebee's on Main Street, your status is updated to "John Smith has checked into Applebee's, Main Street." Brilliant. Now they need an app that lets people know where your spare house key is, or maybe your bank PIN
President - Fort Collins Browns Backers
OP
Hall of Famer
Joined: Sep 2006
Posts: 3,044
Quote:
It's called address spoofing and is the biggest PITA for me here. I can filter out most spam emails, but the spoofed ones become harder to filter. So I have the filter send out a report every 4 hours during the workday to the users for them to review for legit emails from the "possible spam" folder.
If they find a legit email in the list, they can clear it for delivery and it will pass the filter in the future.
I feel you.
I have found the best solution to dealing with spam emails is to put a box between your mail server and your clients (Untangle is great) and install SpamAssassin and a virus scanner (based on Clam AntiVirus)... 100% free and open source...
those 2 apps will catch 9 out of 10 spam/spoofed-domain emails and your users will never see them... SpamAssassin will even add [SPAM] to the subject of the email... it doesn't get any easier.
ClamAV is bar none the best mail scanner on the planet... it's what it was designed for... as of right now it has over 817,057 signatures... it is very good at catching phishing emails and spoofed domains... it may be the only AV that has such signatures... it actually scans the entire email itself, including the links in it... it's very nice...
Untangle has a report app; it will spit out a report once a day, and it even has a quarantine where you can set up messages that are flagged to be quarantined until you check them and ensure they are safe or bad... if they're bad your end users will never see them.
for example, I have mine set up where... ANY email that has a file attachment gets held in the queue until I review it... I'll usually toss the file up via SSL to virustotal.com and it gets scanned with pretty much every antivirus software on the market with the latest defs and the results shown... it's usually a good indication of whether the file is safe or not... I treat every file attachment like the plague until I am sure it's safe..
however, with Untangle/Debian used for this purpose the config options are pretty much unlimited and you can set it up however you want... you can even have Clam clean infections from the emails on the fly and deliver the harmless message.
it also has a phishing protection module that checks your emails against Google Safe Browsing in real time, and all modules update every hour automatically....
this app has saved me a ton of time and given me a good bit of peace of mind...
for example... Untangle and Clam were detecting Conficker 3 days before Symantec was....
I would say it stops over 2000+ spam and 250+ spoofed/phishing emails per week... big time saver
check it out
Untangle.com
Also you can tune SpamAssassin by score: how high the score of a mail is in evaluation before it is ranked spam...
SpamAssassin + Clam AntiVirus + Google Safe Browsing is pretty much golden...
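The address-spoofing post above ("I get an email at my business address and it's FROM ME") and this reply describe the same two triage rules from the operator's side: hold anything with a file attachment until it has been checked (for example by submitting it to virustotal.com), and catch mail that claims to come from your own domain but did not. The Python below is an added example, not part of the thread and not Untangle, SpamAssassin or ClamAV code: it parses a raw message with the standard library, hashes each attachment (a hash lookup answers "is this already known?" without uploading the file), and flags a message whose From: is our domain but whose first hop was a host outside our networks. OUR_DOMAIN, INTERNAL_NETS and both sample messages are constructed for the example; in production the spoof check is what SPF, DKIM and DMARC exist to do properly, and this is only the bare heuristic.

```python
import email
import email.utils
import hashlib
import ipaddress
import re
from email import policy

# Assumptions for the example: the organisation's own mail domain, and the
# address ranges its internal hosts hand mail to the filter from.
OUR_DOMAIN = "example.com"
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

_BRACKETED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def first_hop_ip(msg):
    """IP of the host that handed the message to our border MTA. Each hop
    prepends its own Received: line, so index 0 is the one our server wrote,
    and the bracketed address in it is the peer that connected to us."""
    received = msg.get_all("Received", [])
    if not received:
        return None
    match = _BRACKETED_IP.search(str(received[0]))
    return ipaddress.ip_address(match.group(1)) if match else None


def sender_domain(msg):
    addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def attachment_hashes(msg):
    """(filename, sha256) for every attachment. Looking the hash up on a
    scanner answers 'is this known?' without uploading the file itself."""
    out = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        out.append((part.get_filename() or "(unnamed)",
                    hashlib.sha256(data).hexdigest()))
    return out


def triage(raw_message):
    """Return hold/deliver plus the reasons: hold anything with an attachment
    (the thread's rule) and anything whose From: claims our own domain but
    which arrived from outside our networks (the 'mail from myself' case)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    hashes = attachment_hashes(msg)
    if hashes:
        reasons.append("attachment")
    hop = first_hop_ip(msg)
    came_from_inside = hop is not None and any(hop in net for net in INTERNAL_NETS)
    if sender_domain(msg) == OUR_DOMAIN and not came_from_inside:
        reasons.append("spoofed-internal-sender")
    return {"action": "hold" if reasons else "deliver",
            "reasons": reasons, "attachments": hashes}


# Constructed sample messages (not real traffic). The attachment payload is
# an arbitrary base64 string, not a real executable.
SPOOFED_WITH_ATTACHMENT = b"""Received: from mx.attacker.test (mx.attacker.test [203.0.113.5])
\tby mail.example.com with ESMTP id 4kZ8; Wed, 11 Aug 2010 10:00:00 +0000
From: Me <me@example.com>
To: me@example.com
Subject: Invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream; name="invoice.exe"
Content-Disposition: attachment; filename="invoice.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

INTERNAL_PLAIN = b"""Received: from desk42.example.com (desk42.example.com [10.1.2.3])
\tby mail.example.com with ESMTP id 9qT1; Wed, 11 Aug 2010 10:05:00 +0000
From: Colleague <colleague@example.com>
To: me@example.com
Subject: Lunch?

Noon at the usual place.
"""

if __name__ == "__main__":
    for label, raw in (("spoofed", SPOOFED_WITH_ATTACHMENT), ("internal", INTERNAL_PLAIN)):
        print(label, triage(raw))
```

The first-hop rule only trusts the Received: line our own server wrote; anything deeper in the chain was supplied by the sender and can be forged, which is why the check reads index 0 and nothing else.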
Legend
Joined: Sep 2006
Posts: 13,727
Quote:
I don't do facebook because I don't need a computer screen telling me how few friends I have. If I want to know, I can count them up on my fingers
I don't mean to criticize those who Facebook, but I have no interest. Zero. If I want to tell somebody something, I call them on the telephone, or sometimes I email them (I don't care about Tweets, either, and truly don't give a damn about texting. I know it's a younger person's thing and that's cool - whatever floats your boat but it's not for me. Email is about as far as I go hahaha).
I saw this commercial the other night aimed for college kids, and a girl standing in line at a movie asks to use her male friend's little Blackberry or whatever the hell because she wanted to "update my Facebook" and I thought 'wow, is she serious???'
gmstrong
Legend
Joined: Sep 2006
Posts: 28,348
Quote:
http://m.cnn.com/primary/_9fy5f6-iUs8lPQSoQ
So Facebook has this new app that lets friends know where their phone is. So if you go to Applebee's on Main Street, your status is updated to "John Smith has checked into Applebee's, Main Street." Brilliant.
Now they need an app that lets people know where your spare house key is, or maybe your bank PIN
Stop posting Mobile links...
Browns is the Browns
... there goes Joe Thomas, the best there ever was in this game.
Hall of Famer
Joined: Jul 2007
Posts: 3,960
www.whatsthemagicword.com
Didn't realize that's how they came across
President - Fort Collins Browns Backers
Legend
Joined: Sep 2006
Posts: 15,015
Quote:
http://m.cnn.com/primary/_9fy5f6-iUs8lPQSoQ
So Facebook has this new app that lets friends know where their phone is. So if you go to Applebee's on Main Street, your status is updated to "John Smith has checked into Applebee's, Main Street." Brilliant.
Now they need an app that lets people know where your spare house key is, or maybe your bank PIN
So basically it is Google Latitude for Facebook?
We don't have to agree with each other to respect each other's opinion.
Dawg Talker
Joined: Sep 2006
Posts: 2,758
(image: http://i.imgur.com/FUKyw.png)
"Don't be burdened by regrets or make your failures an obsession or become embittered or possessed by ruined hopes"
Legend
Joined: Sep 2006
Posts: 50,867
Quote:
www.whatsthemagicword.com 
Didn't realize that's how they came across
Hmmm .... dunno.
"You must login to view this site." 
Micah 6:8; He has shown you, O mortal, what is good. And what does the Lord require of you? To act justly and to love mercy, and to walk humbly with your God.
John 14:19 Jesus said: Because I live, you also will live.
Hall of Famer
Joined: Sep 2006
Posts: 7,531
Quote:
Quote:
http://m.cnn.com/primary/_9fy5f6-iUs8lPQSoQ
So Facebook has this new app that lets friends know where their phone is. So if you go to Applebee's on Main Street, your status is updated to "John Smith has checked into Applebee's, Main Street." Brilliant.
Now they need an app that lets people know where your spare house key is, or maybe your bank PIN
So basically it is Google latitude for Facebook?
It's Facebook's take on Foursquare.
Should be interesting how people view this. Foursquare is the gold standard for location-based services, but they don't have Facebook's resources and 4sq hasn't grown as fast as, say, Twitter.
Legend
Joined: Sep 2006
Posts: 15,015
Never heard of Foursquare
We don't have to agree with each other to respect each other's opinion.
Legend
Joined: Sep 2006
Posts: 13,727
It's like when you're in jail and get an extra meal for good behaviour.
gmstrong
Legend
Joined: Sep 2006
Posts: 15,015
Quote:
It's like when you're in jail and get an extra meal for good behaviour.
So it's prison rape if you don't share? 
We don't have to agree with each other to respect each other's opinion.
Hall of Famer
Joined: Sep 2006
Posts: 7,531
Quote:
Never heard of foursquare
It's a location based game. You check in to where you're at and you receive points...you also can see who checked in at the same location and if any of your friends are checked in at locations near you.
Companies are just now beginning to offer discounts if you check in at their location on Foursquare. That's how it'll become mainstream, if you ask me.
Legend
Joined: Sep 2006
Posts: 15,015
Really?? Wow, who needs government security watching us, when we will just advertise our location all the time anyway. I remember a time when if someone called and I wasn't at home I didn't get the call, and they couldn't leave a message so they had to call back when they thought you might be home. And they couldn't check the internet to find out if I was near my home. Now people call my cell phone, and if I don't answer they call again and again right away, 'til I pick it up and say "If I wanted to talk right now I would have picked up the phone, quit calling and leave a damn message" then I hang up. Well, unless it's my mom or the wife.
We don't have to agree with each other to respect each other's opinion.
Legend
Joined: Sep 2006
Posts: 50,867
I really hate how everything in the world wants to let everyone else in the world know that you're online. I go to Yahoo mail and it wants to start a messenger session .... whether I want to or not. (until I took the time to find the way to disable it) I go to certain sites and they want me to log in using my facebook or other such crap so I can be better "connected". Why? Is it anyone's business if I am on a certain Roku forum or other such site? Go to justin.tv .... why would I want to log in using my facebook or any other such credentials? Man ... the whole internet is turning into a stalker's dream anymore.  lol
Micah 6:8; He has shown you, O mortal, what is good. And what does the Lord require of you? To act justly and to love mercy, and to walk humbly with your God.
John 14:19 Jesus said: Because I live, you also will live.
Legend
Joined: Sep 2006
Posts: 15,171
Ain'tcha heered, Y.....
Privacy is for Old People.
Nowadays, letting the entire world know what you had for dinner last night is the way to go. If you really want 'followers,' you should also tell them how long it took you to get rid of that dinner this morning.
I find it creepy, weird.... and just a little pathetic.
Whatever happened to busting one's hump to learn a skill, THEN using it to get noticed?
I just don't get it....
[shrugs]
"too many notes, not enough music-"
#GMStrong
Legend
Joined: Sep 2006
Posts: 50,867
Yeah .... I'm not sure I understand this whole lifecasting thing ...... man, I just don't want total strangers knowing that much about me. I had a friend send me a 'cool link' to a youtube video of a girl talking about nothing while riding in her mother's car. I am really worried about my friend ... because that was flat out stupid. I really expect one day soon for someone to take a picture of the remains in the toilet bowl and post it ... and they'll get 500 followers.
Micah 6:8; He has shown you, O mortal, what is good. And what does the Lord require of you? To act justly and to love mercy, and to walk humbly with your God.
John 14:19 Jesus said: Because I live, you also will live.
DawgTalkers.net, DawgTalk Tailgate Forum: Facebook bug spills name and pic for all 500 million users