story

Getting any Facebook user's friend list and partial payment card details (opens in new tab)

josipfranjkovic.com

416 pointsfranjkovic8y ago91 comments

91 comments

Important last-line: "It took Facebook's team 4 hours and 13 minutes to fix the issue - the fastest report-to-fix for me."

bostik8y ago

There's an important unstated property too, btw. OP reported an information disclosure bug in payment handling code. A bug in the core logic of what literally brings money in.

That kind of bug report is bound to get a very quick triage, followed by a very quick escalation.

But yes, even with that in mind: a 4-hour turnaround is damn impressive.

jomkr8y ago

I work at one of the other Big4 and to be honest it's not that impressive. This kind of report would be a high severity ticket, the person on-call for the given team would get paged, and wouldn't stop working/escalating until it got fixed.

Obviously not all companies behave this way, but they should!

pbalau8y ago

Then you need to push the new software to prod. 4h is impressive.

cheeze8y ago

Wow. That is extremely impressive that such a large company is able to get a fix out that quickly.

wolco8y ago

The fix is probably 10 minutes but the deployment process, intake process and notification process took 3 1/2 hours

neotek8y ago

Is there an article or blog post somewhere about what Facebook's deployment process is like? It must be a massive operation.

2 more replies

styfle8y ago

What about code review process? Surely someone else verified the fix before deployment.

1 more reply

aje4038y ago

If it took much longer than that for bugs like this, all of the HN doomsday posts about the Facebook mass exodus might actually come true

stochastic_monk8y ago

I think people leaving facebook en masse would be a good thing (TM) for society, not a doomsday. Fewer echo chambers, less disinformation, and people forced to make effort to contact each other.

2 more replies

r3bl8y ago

I've been following Josip's work on and off for years now (he's probably on every big white hat hall of fame there is), and I'm pretty sure he wouldn't go public even if it took them a month to fix this.

If he said in a public blog post that it took them a month to fix something so simple, I could see the shit storm aimed at Facebook on social networks (including here), but I highly doubt any user would be compromised.

user59944618y ago

It's a trivial bug. If the parameter is invalid, return nothing, rather than return all the credit cards.

I'd be worried if any company is not able to understand the problem and publish a patch in a few hours.

compiler-guy8y ago

The fix isn't the hard part. It's the deployment and validation that can take time.

Pretty impressive.

4 more replies

mkagenius8y ago

> If the parameter is invalid, return nothing, rather than return all the credit cards

I don’t think that’s the bug here, bug here is the authorization check not being there.

That parameter is trivial to obtain using other ways even now.

yashap8y ago

Agreed! Security bugs are going to happen in any sufficiently large piece of software (that wasn’t written by djb). The important thing is to work hard towards minimizing them, and fixing them quickly once found - seems to me Facebook does a good job on both of these points.

chirau8y ago

Who is djb?

grzm8y ago

Daniel J Bernstein

https://en.wikipedia.org/wiki/Daniel_J._Bernstein

johnchristopher8y ago

Thinking now about that line I heard from a consultant a month ago: "Facebook got 20 lawyer firms hired to check if the 30 lawyers firm they hired first did their job well regarding the GDPR".

Did they notify users whose data were compromised ?

jpollock8y ago

That's because you should never have first 6 and last 4 in the same place at the same time, particularly to someone who is not the owner of the card!

That leaves only 6 digits to guess to obtain a valid card, and you're given the check digit to limit the search further.

packetized8y ago

First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...

kyrra8y ago

While it complies with PCI standards, knowing first6+last4, plus contact information, you can be much more successful at phishing against the target.

First6 will give you ability to know the issuing bank of the card (so an email can be crafted to look like those banks emails). Plus last4 tends to be used by banks as a "hey, we know who you are!" when they send emails.

1 more reply

kevindqc8y ago

How does that work? If you can't store the CVC/CVV, how come I don't have to re-enter it when I re-order form say Amazon or Foodora? Or maybe I do have to enter it? Don't remember :|

4 more replies

asdfjklas8y ago

Neither first six nor last four are considered PCI sensitive data. Not saying they should be randomly displayed, but in the context of many fintech apps they will be displayed together.

pinkythepig8y ago

First 6 is shared across the cards a particular bank issues. Its not a secret as you can google the first 6 to find the bank or even the reverse google the bank to see what BINs they use. Last 4 is intended to be human visible so people can identify the card in use. When you factor in the check digit ruling out 90% of the remaining combinations, there are still 10,000 valid cc combinations plus an expiration date you would have to guess just to get a single acct.

jpollock8y ago

They were publishing the expiry date too.

jpollock8y ago

More details as an explanation.

Facebook was providing:

  Cardholder Name
  First 6
  Last 4
  Expiry Date
  Billing Address.

The only bits missing were CVV and the middle 6.

Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.

Given the ability for attackers to quickly guess CVV and the remaining digits[1], the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.

This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.

That's even before we take into account the account take over possibilities since those card details are used by other companies as verification for account recovery[2]. Yes, those vulnerabilities were closed, but that doesn't stop new companies from making the same mistakes.

Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!

[1] https://www.theregister.co.uk/2016/12/05/undetectable_sixsec...

[2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

philipodonnell8y ago

Random question I've never found a place to ask before. Is there a formal language or method for specifying information like this, where I could map out different pieces of data and reason about how the pieces of data flow through a system, to prove mathematically that two (or n) pieces of data are never available in the same place?

nwatson8y ago

You might model software data and operations in some formal system at various levels using a language like "coq" and develop some formal verification proofs. I've not read this book that apparently explores verifications like these: "Certified Programming with Dependent Types: ...".

I'm not sure what types of enterprises actually use formal verification since it's very costly. Writing software is much faster than verifying it. Embedded auto, aerospace, industrial applications, sure. Facebook? I doubt it.

Such methods could be useful, maybe coupled with fuzzing, for breaking software too. It might suggest avenues for exploit.

Systems like coq are used more naturally in math proofs, but even there it's very hard to apply.

1 more reply

tehlike8y ago

You should vs human nature. We introduce bugs. Please don't be cynical, and cheer this up.

Kudos to facebook team that they responded shortly, I cannot tell if it was work hours or not, but either way, this is very very short in the context of large corporations.

asveikau8y ago

I don't read at all the cynicism you seem to read.

A: that was fast!

B: that's because it was very serious!

Where is the cynicism? Can it not be summarized as: they fixed a serious issue very quickly?

1 more reply

tintor8y ago

".. Facebook's team .."

Most likely a single dedicated person at FB.

gambiting8y ago

I guess it's cultural, but I have observed many times that especially in America, there is a lot of emphasis on individualism - the cult of the person and their own achievements is placed above all else.

Even if the fix was done by one "dedicated employee" , they still belong to a team of people working together. I feel like singling out one person like this is almost rude to the rest of the team.

sigsegv0xb8y ago

Do you mean that FB only has one single dedicated person looking at Whitehat tickets or that a single developer made the fix?

guessmyname8y ago

A single developer made the fix.

1 more reply

sneak8y ago

Who sometimes has a day off, or takes a vacation, or has an illness, so you’re looking at a minimum of 3 persons...

zitterbewegung8y ago

They have a dedicated Bug report team that sifts through the nonsense so it can't just be one person..

stormbrew8y ago

Wait, why would facebook have CC info? I have never paid facebook for anything (except in terms of ad views), and I'm not even sure what I could pay them for? Posting ads I guess? But that's gonna be not a lot of people.

So if somehow their graph api has pulled up my credit card number into their database, that's the disturbing thing...

kfrzcode8y ago

> Posting ads

Advertisement is Facebook's #1 revenue model, its literally why they exist. I wish everyone who's used FB would sign up for a business page and place an ad; it's illuminating to see just how detailed their tools are.

Same with Google PPC and Bing etc etc.

I shudder to think at just how detailed the profiles are that FB, AMZN et al keep on each of its users.

jlarocco8y ago

> Advertisement is Facebook's #1 revenue model, its literally why they exist.

It's how they exist, not why.

I do agree that their data collection is very creepy.

dave51048y ago

They offer a cash transfer service via Messenger (similar to Apple Pay Cash or Snap Cash where you hand over a debit card and then you can send money to friends).

I believe they also used to have a system (maybe they still do?) where you could buy "Facebook Credits" to use on Facebook platform games, essentially microtransactions.

pbhjpbhj8y ago

They also used to have a thing where you could buy, with real money IIRC, little icons for your "friends"; quite some time back I think.

tjbiddle8y ago

They've had previous monetization methods, as well as submitting donations, sending cash to friends, paying for advertising, etc.

amasad8y ago

I wonder what the `CSPlaygroundGraphQLFriendsQuery` query is meant for. It sounds like some testing/development thing.

wongmjane8y ago

`CS` in this context stands for ComponentScript. It appears to have something to do with React Native.

`CSPlaygroundGraphQLFriendsQuery` is a demonstration for Facebook engineers internally to show how to display a list of "oneself's friends with auto-pagination" using GraphQL and ComponentScript inside their Facebook main app

P.S. I don't work at Facebook. But this is something I stumbled across their app.

amasad8y ago

Like the demo was released and accessible in the app? Or did you see it in the RN JS code?

wongmjane8y ago

The demo is included as part of their main app (even in production) (at least in Facebook for Android), and was supposedly only accessible by Facebook engineers.

dirkdk8y ago

What bounty did he receive for filing this?

sp3328y ago

I thought Facebook considered the Friends list to be public? They removed the ability to hide the list years ago.

hooksfordays8y ago

No, I can still hide my friend’s list. Settings > Privacy > “Who can see your friends list?”

zaidf8y ago

Friend List can be made private through your privacy settings.

j / k navigate · click thread line to collapse

91 comments

tannerc8y ago

Important last-line: "It took Facebook's team 4 hours and 13 minutes to fix the issue - the fastest report-to-fix for me."

bostik8y ago

There's an important unstated property too, btw. OP reported an information disclosure bug in payment handling code. A bug in the core logic of what literally brings money in.

That kind of bug report is bound to get a very quick triage, followed by a very quick escalation.

But yes, even with that in mind: a 4-hour turnaround is damn impressive.

jomkr8y ago

Obviously not all companies behave this way, but they should!

pbalau8y ago

Then you need to push the new software to prod. 4h is impressive.

cheeze8y ago

Wow. That is extremely impressive that such a large company is able to get a fix out that quickly.

wolco8y ago

The fix is probably 10 minutes but the deployment process, intake process and notification process took 3 1/2 hours

neotek8y ago

Is there an article or blog post somewhere about what Facebook's deployment process is like? It must be a massive operation.

2 more replies

styfle8y ago

What about code review process? Surely someone else verified the fix before deployment.

1 more reply

aje4038y ago

If it took much longer than that for bugs like this, all of the HN doomsday posts about the Facebook mass exodus might actually come true

stochastic_monk8y ago

I think people leaving facebook en masse would be a good thing (TM) for society, not a doomsday. Fewer echo chambers, less disinformation, and people forced to make effort to contact each other.

2 more replies

r3bl8y ago

user59944618y ago

It's a trivial bug. If the parameter is invalid, return nothing, rather than return all the credit cards.

I'd be worried if any company is not able to understand the problem and publish a patch in a few hours.

compiler-guy8y ago

The fix isn't the hard part. It's the deployment and validation that can take time.

Pretty impressive.

4 more replies

mkagenius8y ago

> If the parameter is invalid, return nothing, rather than return all the credit cards

I don’t think that’s the bug here, bug here is the authorization check not being there.

That parameter is trivial to obtain using other ways even now.

yashap8y ago

chirau8y ago

Who is djb?

grzm8y ago

Daniel J Bernstein

https://en.wikipedia.org/wiki/Daniel_J._Bernstein

johnchristopher8y ago

Thinking now about that line I heard from a consultant a month ago: "Facebook got 20 lawyer firms hired to check if the 30 lawyers firm they hired first did their job well regarding the GDPR".

Did they notify users whose data were compromised ?

jpollock8y ago

That's because you should never have first 6 and last 4 in the same place at the same time, particularly to someone who is not the owner of the card!

That leaves only 6 digits to guess to obtain a valid card, and you're given the check digit to limit the search further.

packetized8y ago

First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.

https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...

kyrra8y ago

While it complies with PCI standards, knowing first6+last4, plus contact information, you can be much more successful at phishing against the target.

1 more reply

kevindqc8y ago

How does that work? If you can't store the CVC/CVV, how come I don't have to re-enter it when I re-order form say Amazon or Foodora? Or maybe I do have to enter it? Don't remember :|

4 more replies

asdfjklas8y ago

Neither first six nor last four are considered PCI sensitive data. Not saying they should be randomly displayed, but in the context of many fintech apps they will be displayed together.

pinkythepig8y ago

jpollock8y ago

They were publishing the expiry date too.

jpollock8y ago

More details as an explanation.

Facebook was providing:

  Cardholder Name
  First 6
  Last 4
  Expiry Date
  Billing Address.

The only bits missing were CVV and the middle 6.

Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.

Given the ability for attackers to quickly guess CVV and the remaining digits[1], the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.

This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.

Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!

[1] https://www.theregister.co.uk/2016/12/05/undetectable_sixsec...

[2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...

philipodonnell8y ago

nwatson8y ago

Such methods could be useful, maybe coupled with fuzzing, for breaking software too. It might suggest avenues for exploit.

Systems like coq are used more naturally in math proofs, but even there it's very hard to apply.

1 more reply

tehlike8y ago

You should vs human nature. We introduce bugs. Please don't be cynical, and cheer this up.

Kudos to facebook team that they responded shortly, I cannot tell if it was work hours or not, but either way, this is very very short in the context of large corporations.

asveikau8y ago

I don't read at all the cynicism you seem to read.

A: that was fast!

B: that's because it was very serious!

Where is the cynicism? Can it not be summarized as: they fixed a serious issue very quickly?

1 more reply

tintor8y ago

".. Facebook's team .."

Most likely a single dedicated person at FB.

gambiting8y ago

Even if the fix was done by one "dedicated employee" , they still belong to a team of people working together. I feel like singling out one person like this is almost rude to the rest of the team.

sigsegv0xb8y ago

Do you mean that FB only has one single dedicated person looking at Whitehat tickets or that a single developer made the fix?

guessmyname8y ago

A single developer made the fix.

1 more reply

sneak8y ago

Who sometimes has a day off, or takes a vacation, or has an illness, so you’re looking at a minimum of 3 persons...

zitterbewegung8y ago

They have a dedicated Bug report team that sifts through the nonsense so it can't just be one person..

stormbrew8y ago

So if somehow their graph api has pulled up my credit card number into their database, that's the disturbing thing...

kfrzcode8y ago

> Posting ads

Same with Google PPC and Bing etc etc.

I shudder to think at just how detailed the profiles are that FB, AMZN et al keep on each of its users.

jlarocco8y ago

> Advertisement is Facebook's #1 revenue model, its literally why they exist.

It's how they exist, not why.

I do agree that their data collection is very creepy.

dave51048y ago

They offer a cash transfer service via Messenger (similar to Apple Pay Cash or Snap Cash where you hand over a debit card and then you can send money to friends).

I believe they also used to have a system (maybe they still do?) where you could buy "Facebook Credits" to use on Facebook platform games, essentially microtransactions.

pbhjpbhj8y ago

They also used to have a thing where you could buy, with real money IIRC, little icons for your "friends"; quite some time back I think.

tjbiddle8y ago

They've had previous monetization methods, as well as submitting donations, sending cash to friends, paying for advertising, etc.

amasad8y ago

I wonder what the `CSPlaygroundGraphQLFriendsQuery` query is meant for. It sounds like some testing/development thing.

wongmjane8y ago

`CS` in this context stands for ComponentScript. It appears to have something to do with React Native.

P.S. I don't work at Facebook. But this is something I stumbled across their app.

amasad8y ago

Like the demo was released and accessible in the app? Or did you see it in the RN JS code?

wongmjane8y ago

The demo is included as part of their main app (even in production) (at least in Facebook for Android), and was supposedly only accessible by Facebook engineers.

dirkdk8y ago

What bounty did he receive for filing this?

sp3328y ago

I thought Facebook considered the Friends list to be public? They removed the ability to hide the list years ago.

hooksfordays8y ago

No, I can still hide my friend’s list. Settings > Privacy > “Who can see your friends list?”

zaidf8y ago

Friend List can be made private through your privacy settings.

j / k navigate · click thread line to collapse