
Getting any Facebook user's friend list and partial payment card details - franjkovic
https://www.josipfranjkovic.com/blog/facebook-friendlist-paymentcard-leak
======
tannerc
Important last-line: "It took Facebook's team 4 hours and 13 minutes to fix
the issue - the fastest report-to-fix for me."

~~~
jpollock
That's because you should never have first 6 and last 4 in the same place at
the same time, particularly to someone who is not the owner of the card!

That leaves only 6 digits to guess to obtain a valid card, and you're given
the check digit to limit the search further.

~~~
packetized
First six and last four are the limits for display set out by the PCI Security
Standards Council. The things you should never store _with_ the PAN are the
PIN/PIN block or CVC/CVV.

[https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storag...](https://www.pcisecuritystandards.org/pdfs/pci_fs_data_storage.pdf)

~~~
kevindqc
How does that work? If you can't store the CVC/CVV, how come I don't have to
re-enter it when I re-order from, say, Amazon or Foodora? Or maybe I do have to
enter it? Don't remember :|

~~~
joering2
Most MSPs (merchant service providers) give you control over the details you
personally want to capture to verify someone. The minimum and most insecure is
simply approving a card based on a valid number! (Not even the expiration date.)
Then you can enable EXP, CVV and AV (address verification). Fun tip about AV:
your address doesn't matter. There are so many spellings of "oak harbour drive
apartment 2" that the industry pretty much gave up on some smart AI knowing them
all, and it only verifies the zip code (typical gas station card usage for
credit cards: verification is your zip code).

~~~
davidgh
Address line 1 in AVS is still used, however, only the numeric portion of the
address is checked. The AVS results will generally tell you the individual
match results for the address line and the postal code, so you can have a full
match or a partial match. Most merchants will allow you through with a partial
match.

------
stormbrew
Wait, why would facebook have CC info? I have never paid facebook for anything
(except in terms of ad views), and I'm not even sure what I could pay them
for? Posting ads I guess? But that's gonna be not a lot of people.

So if somehow their graph api has pulled up my credit card number into their
database, _that's_ the disturbing thing...

~~~
kfrzcode
> Posting ads

Advertisement is Facebook's #1 revenue model; it's literally _why_ they exist.
I wish everyone who's used FB would sign up for a business page and place an
ad; it's illuminating to see just how detailed their tools are.

Same with Google PPC and Bing etc etc.

I shudder to think just how detailed the profiles are that FB, AMZN et al.
keep on each of their users.

~~~
jlarocco
> Advertisement is Facebook's #1 revenue model; it's literally why they exist.

It's how they exist, not why.

I do agree that their data collection is very creepy.

------
amasad
I wonder what the `CSPlaygroundGraphQLFriendsQuery` query is meant for. It
sounds like some testing/development thing.

~~~
wongmjane
`CS` in this context stands for ComponentScript. It appears to have something
to do with React Native.

`CSPlaygroundGraphQLFriendsQuery` is a demonstration for Facebook engineers
internally to show how to display a list of "oneself's friends with auto-
pagination" using GraphQL and ComponentScript inside their main Facebook app.

P.S. I don't work at Facebook. But this is something I stumbled across in their
app.

~~~
amasad
Like the demo was released and accessible in the app? Or did you see it in the
RN JS code?

~~~
wongmjane
The demo is included as part of their main app (even in production) (at least
in Facebook for Android), and was supposedly only accessible by Facebook
engineers.

------
dirkdk
What bounty did he receive for filing this?

------
sp332
I thought Facebook considered the Friends list to be public? They removed the
ability to hide the list years ago.

~~~
hooksfordays
No, I can still hide my friends list. Settings > Privacy > "Who can see your
friends list?"