Getting any Facebook user's friend list and partial payment card details (josipfranjkovic.com)
416 points by franjkovic 10 months ago | 91 comments

Important last line: "It took Facebook's team 4 hours and 13 minutes to fix the issue - the fastest report-to-fix for me."

There's an important unstated property too, btw. OP reported an information disclosure bug in payment handling code. A bug in the core logic of what literally brings money in.

That kind of bug report is bound to get a very quick triage, followed by a very quick escalation.

But yes, even with that in mind: a 4-hour turnaround is damn impressive.

I work at one of the other Big4 and to be honest it's not that impressive. This kind of report would be a high severity ticket, the person on-call for the given team would get paged, and wouldn't stop working/escalating until it got fixed.

Obviously not all companies behave this way, but they should!

Then you need to push the new software to prod. 4h is impressive.

Wow. That is extremely impressive that such a large company is able to get a fix out that quickly.

The fix is probably 10 minutes but the deployment process, intake process and notification process took 3 1/2 hours

Is there an article or blog post somewhere about what Facebook's deployment process is like? It must be a massive operation.

What about code review process? Surely someone else verified the fix before deployment.

FB uses Phabricator, which was spun out into an open-source project:


If it took much longer than that for bugs like this, all of the HN doomsday posts about the Facebook mass exodus might actually come true

I think people leaving facebook en masse would be a good thing (TM) for society, not a doomsday. Fewer echo chambers, less disinformation, and people forced to make effort to contact each other.

It will only be replaced with another echo chamber.

Hopefully multiple smaller ones.

Already there - whatsapp, instagram oops...

Hacker news....

Hacker News is at least somewhat informative in the tech sphere. It tends to favor more esoteric technology like Lisp in lieu of things like Java & JavaScript which is far more favored on Reddit/Programming. Politics are mostly left leaning mixed with some Libertarian views. There is a good splattering of non tech stuff as well (music, art, literature, linguistics...etc). I'd say it's a far cry from fake news and cat videos.

It's because of the people. The more popular something is, the worse it gets until eventually it's all cats and outrage-culture "fake news". The medium is irrelevant.

Media sucks because you* suck.

*The collective societal you, not the particular individual you.

I think some studies have shown that the same set of people (or, let's say, people randomly assigned to one group or the other) can have very different behavior depending on the situation they're in. It seems at least possible that a forum could maintain its rules and norms while people join... though received wisdom says that if too many join at once, then the norms can be broken.

Yea, but HackerNews is really only going to appeal to a select group of people. Computer illiterate folk aren't going to be talking about compilers, lisp, APL, Smalltalk, blockchain, or the other 1000 compsci things that come up on here daily.

This effect is partially muted by the fact that one can only see the vote status of one’s own post. There is still a tendency toward conformity, but at least the suggestion to vote with other readers isn’t apparent like it is on many content aggregators/discussion media.

Yeah but I can predict pretty accurately which of my posts will get downvoted and they all have the same thing in common; they challenge the left-leaning groupthink common here.

Some might claim they get downvoted because they are "low quality" to which I'd retort why spend a lot of time crafting a "quality" reply when you know it's going to be suppressed?

While it might just be me, I find myself downvoting your comments purely because I find them low-quality noise (or worse) that I'd rather not see more of.

I even tagged you as 'shitty commenter', which I don't do too often. But with some commenters I'm just amazed at how they can consistently keep this up without tiring of it.

Except downvoted posts here turn gray.

Which is why I make a point of logging in and upvoting the non-egregious ones.

Oh, look at them rush to White Knight their own bubble. "Not OUR echo chamber, no! We're different, you see, because reasons."

Scuttlebutt, mastodon, Riot, gab, stack overflow, d.tube, the list goes on

Some critical thinking would be good for a society. Tools are just tools.

I've been following Josip's work on and off for years now (he's probably on every big white hat hall of fame there is), and I'm pretty sure he wouldn't go public even if it took them a month to fix this.

If he said in a public blog post that it took them a month to fix something so simple, I could see the shit storm aimed at Facebook on social networks (including here), but I highly doubt any user would be compromised.

It's a trivial bug. If the parameter is invalid, return nothing, rather than return all the credit cards.

I'd be worried if any company is not able to understand the problem and publish a patch in a few hours.

The fix isn't the hard part. It's the deployment and validation that can take time.

Pretty impressive.

Yep, clearly shows the value of a properly configured CI/CD pipeline.

Yeah here it is:

git pull; sh tests; rsync /prod/ all@prod:/var/www/

^ That is copyrighted by the way. I'll take a consultant fee. I know - I know it should be thousands of lines of puppet, jenkins, hooks, Kubernetes, Salt, and 2 million lines of python and ELM all piped through Docker containers -- I am NOT an animal.

Enterprise edition with test validation and continuous deployment:

while true; do git pull; sh tests && rsync /prod/ all@prod:/var/www/;done

You forgot to rewrite the logic in xml, and then fetch it over the internet from unknown third parties by tunneling it through json, then http. Bonus points if the whole thing is deployed via docker hub.


those ... those semicolons should be &&

You need to invoke the script via ‘sh -ex’ for proper exception handling + debuggability.

Also, mktemp and shell exit traps are your friends.

Except that this is Facebook, so `sh tests` is going to take 900 cpu-hours

Git pull - you have a staging server!?

I'd be more impressed in some other context, since a willingness to skimp on validation and "red tape" is how a bug like this ends up in production in the first place.

What validation? I'd assume for this one they'd take the "move fast and break things" approach.

The deployment and the validation should be trivial if the fix is trivial.

The difficult part is having someone who reads the report and escalates it, preferably in a timely manner.

The world is littered with the smoking, segfaulted, hulks of programs that were quickly deployed after an obvious fix.

> The deployment and the validation should be trivial if the fix is trivial.

Trivial. That's what Oculus said.

> If the parameter is invalid, return nothing, rather than return all the credit cards

I don't think that's the bug here; the bug here is the authorization check not being there.

That parameter is trivial to obtain using other ways even now.
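The two comments above disagree about what the fix is: validate the parameter, or check that the viewer is allowed to read the object the parameter names. The following is an added example (not Facebook's code, and not the `CSPlaygroundGraphQLFriendsQuery` endpoint itself; the resolver names, the `Viewer` type and the sample records are all constructed for illustration). It shows a resolver that trusts a client-supplied user id beside one that applies object-level authorization and then returns only the fields needed for display, which is the "prune the fields" kind of fix discussed elsewhere in the thread.

```python
"""Added example: object-level authorization in a GraphQL-style resolver.

Hypothetical code for illustration; nothing here is Facebook's implementation.
"""
from dataclasses import dataclass


class AuthorizationError(Exception):
    """Raised when a viewer asks for an object they do not own."""


@dataclass(frozen=True)
class Viewer:
    """The authenticated principal making the request (hypothetical type)."""
    user_id: str


# Constructed sample store: user id -> stored payment method records.
# These are not real card details.
PAYMENT_METHODS = {
    "u1": [{"brand": "visa", "first6": "411111", "last4": "4242", "exp": "12/29"}],
    "u2": [{"brand": "mc", "first6": "555555", "last4": "1111", "exp": "01/27"}],
}

# Fields a "pick a card" UI actually needs; everything else is pruned.
DISPLAY_FIELDS = ("brand", "last4")


def payment_methods_vulnerable(viewer: Viewer, target_user_id: str) -> list[dict]:
    """Trusts the client-supplied id: any viewer can read any user's records.

    Validating that `target_user_id` *exists* would not help here; a valid
    id belonging to someone else is exactly the attack input.
    """
    return PAYMENT_METHODS.get(target_user_id, [])


def payment_methods_fixed(viewer: Viewer, target_user_id: str) -> list[dict]:
    """Checks ownership before resolving, then minimises what is returned."""
    if target_user_id != viewer.user_id:
        # Deny by default; do not reveal whether the id exists.
        raise AuthorizationError("viewer may only read their own payment methods")
    records = PAYMENT_METHODS.get(target_user_id, [])
    return [{k: r[k] for k in DISPLAY_FIELDS} for r in records]


def cross_user_read_is_denied(viewer_id: str, target_id: str) -> bool:
    """Helper for checking the fixed resolver's behaviour from a test."""
    try:
        payment_methods_fixed(Viewer(viewer_id), target_id)
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    me = Viewer("u1")
    print("vulnerable, other user:", payment_methods_vulnerable(me, "u2"))
    print("fixed, own records:", payment_methods_fixed(me, "u1"))
    print("fixed, other user denied:", cross_user_read_is_denied("u1", "u2"))
```

The authorization check belongs in the resolver (or a shared data-access layer it calls), not in the client or the query text, because the parameter is under the caller's control; the field projection is a second, independent layer so that even a future authorization bug leaks less.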

Agreed! Security bugs are going to happen in any sufficiently large piece of software (that wasn’t written by djb). The important thing is to work hard towards minimizing them, and fixing them quickly once found - seems to me Facebook does a good job on both of these points.

Who is djb?

Thinking now about that line I heard from a consultant a month ago: "Facebook got 20 lawyer firms hired to check if the 30 lawyers firm they hired first did their job well regarding the GDPR".

Did they notify users whose data were compromised?

That's because you should never have first 6 and last 4 in the same place at the same time, particularly to someone who is not the owner of the card!

That leaves only 6 digits to guess to obtain a valid card, and you're given the check digit to limit the search further.

First six and last four are the limits for display set out by the PCI Security Standards Council. The things you should never store with the PAN are the PIN/PIN block or CVC/CVV.


While it complies with PCI standards, knowing first6+last4, plus contact information, you can be much more successful at phishing against the target.

First6 will give you the ability to know the issuing bank of the card (so an email can be crafted to look like those banks' emails). Plus last4 tends to be used by banks as a "hey, we know who you are!" when they send emails.

You might need them to reverse or refund the transaction with some payment gateways. Or if you are going to settle the funds at a time after authorization when shipping

How does that work? If you can't store the CVC/CVV, how come I don't have to re-enter it when I re-order from, say, Amazon or Foodora? Or maybe I do have to enter it? Don't remember :|

Most MSPs (merchant service providers) give you control over the details you personally want to capture to verify someone. The minimum and most insecure is simply approving the card based on a valid number! (Not even the expiration date.) Then you can enable EXP, CVV and AV (address verification). Fun tip about AV: your address doesn't matter. There are so many spellings of "oak harbour drive apartment 2" that the industry pretty much gave up on some smart AI knowing them all, and it only verifies the zip code (typical gas station card usage for credit cards: verification is your zip code).

Address line 1 in AVS is still used, however, only the numeric portion of the address is checked. The AVS results will generally tell you the individual match results for the address line and the postal code, so you can have a full match or a partial match. Most merchants will allow you through with a partial match.

A secure token is provided by the credit card processor that the vendor can safely store and reuse after the first successful transaction.


They are registering the fact that you knew it and used it to ship to a specific address in a previous transaction in order to reduce fraud risk. They aren't submitting it with every transaction. (Assuming they are following the rules...)

Amazon, specifically, never asks for CVC/CVV in the first place.

It is not required for charging a card, it is for reducing fraud.

Neither first six nor last four are considered PCI sensitive data. Not saying they should be randomly displayed, but in the context of many fintech apps they will be displayed together.

First 6 is shared across the cards a particular bank issues. It's not a secret, as you can google the first 6 to find the bank or even the reverse: google the bank to see what BINs they use. Last 4 is intended to be human visible so people can identify the card in use. When you factor in the check digit ruling out 90% of the remaining combinations, there are still 10,000 valid cc combinations plus an expiration date you would have to guess just to get a single acct.

They were publishing the expiry date too.

More details as an explanation.

Facebook was providing:

  Cardholder Name
  First 6
  Last 4
  Expiry Date
  Billing Address

The only bits missing were CVV and the middle 6.

Yes, first 6 and last 4 are not considered sensitive for PCI compliance. However, like most security standards, the standard is a minimum, not what your target should be.

Given the ability for attackers to quickly guess CVV and the remaining digits[1], the attack becomes a numbers game. They don't care about _a_ card, they care about _any_ card.

This is why Visa and MasterCard are pushing to tokenize all cards - so the stored information is linked to the merchant storing it and can't be reused.

That's even before we take into account the account take over possibilities since those card details are used by other companies as verification for account recovery[2]. Yes, those vulnerabilities were closed, but that doesn't stop new companies from making the same mistakes.

Yes, it's impressive that they managed to prune the fields so quickly. Shows a very efficient escalation path!

[1] https://www.theregister.co.uk/2016/12/05/undetectable_sixsec...

[2] https://www.wired.com/2012/08/apple-amazon-mat-honan-hacking...
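The comments above reason about what first6 + last4 leave exposed: the check digit "ruling out 90%" of completions, and masking being the PCI display rule rather than a security boundary. As an added example (not code from the post or from any payment standard body; the digit strings are published test numbers, not real cards), here is the Luhn algorithm those claims rest on, a PCI-style masking function, and a check that for any one unknown digit exactly one of the ten values passes Luhn, which is why the check digit removes nine of every ten candidates and no more.

```python
"""Added example: Luhn check digit, PCI-style PAN masking, and why the check
digit only shrinks a guessing space by a factor of ten.

Test numbers below (79927398713, 4111111111111111) are standard published
examples, not real card numbers.
"""


def luhn_checksum(digits: str) -> int:
    """Luhn sum mod 10 of a digit string; the rightmost digit is the check digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:           # digit-sum of the doubled value
                d -= 9
        total += d
    return total % 10


def luhn_valid(pan: str) -> bool:
    """True when the string is all digits and its Luhn checksum is zero."""
    return pan.isdigit() and len(pan) >= 2 and luhn_checksum(pan) == 0


def luhn_check_digit(partial: str) -> str:
    """Check digit that makes `partial + digit` Luhn-valid."""
    return str((10 - luhn_checksum(partial + "0")) % 10)


def mask_pan(pan: str) -> str:
    """Display masking at the PCI DSS limit: at most first six and last four shown."""
    if len(pan) <= 10:
        raise ValueError("PAN too short to mask to first6/last4")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def completions_passing_luhn(template: str) -> list[str]:
    """Given a PAN with exactly one '?' placeholder, return the digit values
    that make it Luhn-valid. There is always exactly one, so fixing all but one
    unknown digit leaves a single candidate: the check digit costs an attacker
    one factor of ten, nothing more."""
    if template.count("?") != 1:
        raise ValueError("template must contain exactly one '?'")
    return [str(d) for d in range(10) if luhn_valid(template.replace("?", str(d)))]


if __name__ == "__main__":
    pan = "4111111111111111"
    print(mask_pan(pan))                                    # 411111******1111
    print(luhn_valid(pan), luhn_check_digit("7992739871"))  # True 3
    print(completions_passing_luhn("411111111111?111"))     # ['1']
```

Because every free digit except one contributes a full factor of ten, masking protects against casual display, not against a search over the hidden digits; the thread's point that the expiry date and CVV are what the remaining checks rest on is the practical consequence.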

Random question I've never found a place to ask before. Is there a formal language or method for specifying information like this, where I could map out different pieces of data and reason about how the pieces of data flow through a system, to prove mathematically that two (or n) pieces of data are never available in the same place?

You might model software data and operations in some formal system at various levels using a language like "coq" and develop some formal verification proofs. I've not read this book that apparently explores verifications like these: "Certified Programming with Dependent Types: ...".

I'm not sure what types of enterprises actually use formal verification since it's very costly. Writing software is much faster than verifying it. Embedded auto, aerospace, industrial applications, sure. Facebook? I doubt it.

Such methods could be useful, maybe coupled with fuzzing, for breaking software too. It might suggest avenues for exploit.

Systems like coq are used more naturally in math proofs, but even there it's very hard to apply.

It came up for me when designing a custodial management system for cryptocurrencies, where you could design it in such a way that the different steps/sensitive data were divided among separate systems and communication channels. I wanted some way to divide up responsibilities for processing a transaction (initiation, audit, control, approval, transmission) and then prove that any single component could be 100% compromised without allowing further unauthorized transactions. Even introducing temporary transformations (encryption/hashing) and re-routing keys specifically to prevent collisions of that data.

I noticed how similar the thought process was to GDPR work I've been involved in, where, for example, we can keep track of Last name and Phone Number in our company, but they could never be at rest unencrypted and unhashed in the same system. Or First Name + Job Title + Location but only 2 of those three can co-exist. It seemed like the kind of thing that would have a formal way of expressing. Our GDPR consultants were unhelpful in that.
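The question above asks for a way to state "these pieces of data may never sit together in one place" and check it mechanically. Full formal verification in Coq is one answer; a much lighter one, which covers the GDPR-style constraints in the comment, is to model each system or channel as a node holding named fields with a protection state and to check co-location constraints over that model. The following is an added example (not from the post, and not any real product's policy language; the node names, field names and constraints are constructed from the examples in the comment): the card case (first6 and last4 never both readable in one place) beside the GDPR cases (last name and phone not both at rest unencrypted; at most two of first name, job title and location together).

```python
"""Added example: a small co-location policy checker for sensitive data.

Constructed model, not a real organisation's data map. Each node is a system
or communication channel; each datum has a protection state. A constraint
bounds how many fields of a named set may be present in readable form in any
single node.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Datum:
    name: str
    protection: str = "plaintext"      # "plaintext" | "encrypted" | "hashed"


@dataclass
class Node:
    """A system or channel and the data it holds or carries."""
    name: str
    holds: set = field(default_factory=set)


@dataclass(frozen=True)
class Constraint:
    fields: frozenset
    max_together: int                   # at most this many may be readable together
    description: str


def readable_fields(node: Node) -> set:
    """Fields an attacker who fully compromises this node can read directly."""
    return {d.name for d in node.holds if d.protection == "plaintext"}


def find_violations(nodes: list, constraints: list) -> list:
    """Return (node, constraint description, offending fields) for every breach."""
    violations = []
    for node in nodes:
        present = readable_fields(node)
        for c in constraints:
            overlap = present & c.fields
            if len(overlap) > c.max_together:
                violations.append((node.name, c.description, sorted(overlap)))
    return violations


# Constructed policy mirroring the constraints described in the comment.
CONSTRAINTS = [
    Constraint(frozenset({"first6", "last4"}), 1,
               "first6 and last4 must not be readable together"),
    Constraint(frozenset({"last_name", "phone"}), 1,
               "last name and phone must not both be at rest unencrypted"),
    Constraint(frozenset({"first_name", "job_title", "location"}), 2,
               "at most two of first name, job title, location together"),
]

# Constructed nodes: one compliant, two in breach.
NODES = [
    Node("crm", {Datum("last_name"), Datum("phone", "encrypted"),
                 Datum("first_name"), Datum("job_title")}),
    Node("payments_api_response", {Datum("first6"), Datum("last4"),
                                   Datum("expiry")}),
    Node("hr_export_channel", {Datum("first_name"), Datum("job_title"),
                               Datum("location"), Datum("phone", "hashed")}),
]


def audit() -> list:
    """Run the constructed model through the checker."""
    return find_violations(NODES, CONSTRAINTS)


if __name__ == "__main__":
    for node, why, fields_ in audit():
        print(f"{node}: {why} -> {fields_}")
```

The model is deliberately coarse: it treats every node as fully compromisable and asks only what is readable there, which is the "any single component could be 100% compromised" criterion from the comment. Encryption and hashing are modelled as changing a datum's protection state rather than removing it, so a node that carries a hashed phone number beside a plaintext last name passes the second constraint while still being visible in the data map.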

You should vs human nature. We introduce bugs. Please don't be cynical, and cheer this up.

Kudos to facebook team that they responded shortly, I cannot tell if it was work hours or not, but either way, this is very very short in the context of large corporations.

I don't read at all the cynicism you seem to read.

A: that was fast!

B: that's because it was very serious!

Where is the cynicism? Can it not be summarized as: they fixed a serious issue very quickly?

"That's because you should never have first 6 and last 4 in the same place at the same time, particularly to someone who is not the owner of the card!"

Sounded to me more like "of course they fixed it fast, this is a serious issue", and undermined the speed at which it got resolved. Probably my bad.

".. Facebook's team .."

Most likely a single dedicated person at FB.

I guess it's cultural, but I have observed many times that especially in America, there is a lot of emphasis on individualism - the cult of the person and their own achievements is placed above all else.

Even if the fix was done by one "dedicated employee", they still belong to a team of people working together. I feel like singling out one person like this is almost rude to the rest of the team.

Do you mean that FB only has one single dedicated person looking at Whitehat tickets or that a single developer made the fix?

A single developer made the fix.

And in all likelihood, someone else monitored the incoming reports, recognized that this was a high-priority issue, and fast-tracked it to the developer. On top of that, I don't know Facebook's process that well, but releasing something that quickly probably involved some coordination to get it out so fast. Maybe someone else verified it, maybe someone fast-tracked it through the approval / launch process, etc.

Even things like bugfixes are rarely entirely creditable to only developers.

Judging by the name of the endpoint, it probably wasn't a super-complicated fix anyway - just disable / blacklist the endpoint that was obviously a mistake / test.

Who sometimes has a day off, or takes a vacation, or has an illness, so you’re looking at a minimum of 3 persons...

They have a dedicated Bug report team that sifts through the nonsense so it can't just be one person..

Wait, why would facebook have CC info? I have never paid facebook for anything (except in terms of ad views), and I'm not even sure what I could pay them for? Posting ads I guess? But that's gonna be not a lot of people.

So if somehow their graph api has pulled up my credit card number into their database, that's the disturbing thing...

> Posting ads

Advertisement is Facebook's #1 revenue model, it's literally why they exist. I wish everyone who's used FB would sign up for a business page and place an ad; it's illuminating to see just how detailed their tools are.

Same with Google PPC and Bing etc etc.

I shudder to think at just how detailed the profiles are that FB, AMZN et al keep on each of its users.

> Advertisement is Facebook's #1 revenue model, it's literally why they exist.

It's how they exist, not why.

I do agree that their data collection is very creepy.

They offer a cash transfer service via Messenger (similar to Apple Pay Cash or Snap Cash where you hand over a debit card and then you can send money to friends).

I believe they also used to have a system (maybe they still do?) where you could buy "Facebook Credits" to use on Facebook platform games, essentially microtransactions.

They also used to have a thing where you could buy, with real money IIRC, little icons for your "friends"; quite some time back I think.

They've had previous monetization methods, as well as submitting donations, sending cash to friends, paying for advertising, etc.

I wonder what the `CSPlaygroundGraphQLFriendsQuery` query is meant for. It sounds like some testing/development thing.

`CS` in this context stands for ComponentScript. It appears to have something to do with React Native.

`CSPlaygroundGraphQLFriendsQuery` is a demonstration for Facebook engineers internally to show how to display a list of "oneself's friends with auto-pagination" using GraphQL and ComponentScript inside their Facebook main app.

P.S. I don't work at Facebook. But this is something I stumbled across in their app.

Like the demo was released and accessible in the app? Or did you see it in the RN JS code?

The demo is included as part of their main app (even in production) (at least in Facebook for Android), and was supposedly only accessible by Facebook engineers.

What bounty did he receive for filing this?

I thought Facebook considered the Friends list to be public? They removed the ability to hide the list years ago.

No, I can still hide my friends list. Settings > Privacy > "Who can see your friends list?"

Friend List can be made private through your privacy settings.
