
List:       full-disclosure
Subject:    [Full-disclosure] Fake messages and chat bug in Facebook
From:       Matteo Fabbri <matteo () phascode ! org>
Date:       2012-06-29 19:08:41
Message-ID: CAJ9pv0LOxr0hqp08XRMGrDXfT-nxBXvEQRRPG_04wfqOuPK0eQ () mail ! gmail ! com

Knowing the user's registration email, it is possible to send fake messages /
chats to Facebook users.
The only thing required is a fake mail with the victim's registration email
as the sender, addressed to the Facebook IDs followed by "@facebook.com".

Example:

from victim.email@hotmail.com to friend1@facebook.com, friend2@facebook.com...

The sent email will be shown in Facebook as a private message (or chat if
multiple recipients are specified) sent by the Facebook account of the
victim.

(Previously reported vulnerabilities to Facebook)


Matteo Fabbri


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
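
An added example, not part of the original post: a mail-to-message gateway of the kind described above should attribute a message to an account only when the From domain was authenticated, not on the From header alone. The sketch assumes the receiving border MTA stamps an RFC 8601 Authentication-Results header with the hypothetical authserv-id mx.example.net and strips any inbound header carrying that id; the function name, addresses and sample messages are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumption: authserv-id stamped by our own border MTA, which also strips
# any inbound Authentication-Results header that claims this id.
TRUSTED_AUTHSERV_ID = "mx.example.net"

def attributable_sender(raw_message):
    """Return the From address only if our MTA recorded dmarc=pass for its domain."""
    msg = message_from_string(raw_message)
    from_headers = msg.get_all("From", [])
    if len(from_headers) != 1:
        return None  # missing or duplicated From is ambiguous: never attribute
    addr = parseaddr(from_headers[0])[1].lower()
    if addr.count("@") != 1:
        return None
    domain = addr.split("@")[1]
    for header in msg.get_all("Authentication-Results", []):
        header = re.sub(r"\([^()]*\)", "", header)  # drop (comments)
        parts = [p.strip() for p in header.split(";")]
        fields = parts[0].split()
        # Results stamped by anyone else may have been written by the sender.
        if not fields or fields[0].lower() != TRUSTED_AUTHSERV_ID:
            continue
        for part in parts[1:]:
            m = re.match(r"dmarc=pass\b.*\bheader\.from=([\w.-]+)", part, re.I | re.S)
            if m and m.group(1).lower() == domain:
                return addr
    return None  # unauthenticated: do not show it as sent by the account

def _sample(auth_results):
    # Constructed sample message; only the Authentication-Results value varies.
    return ("Authentication-Results: " + auth_results + "\n"
            "From: Victim <victim.email@example.org>\n"
            "To: friend1@gateway.example\n"
            "Subject: hi\n\nhello\n")

SPOOFED = _sample("mx.example.net; spf=fail smtp.mailfrom=example.org; "
                  "dmarc=fail header.from=example.org")
FORGED_RESULTS = _sample("mx.attacker.example; dmarc=pass header.from=example.org")
AUTHENTICATED = _sample("mx.example.net; dkim=pass header.d=example.org; "
                        "dmarc=pass header.from=example.org")

if __name__ == "__main__":
    for name in ("SPOOFED", "FORGED_RESULTS", "AUTHENTICATED"):
        print(name, "->", attributable_sender(globals()[name]))
```
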
