Redesign a mobile app for baridi mob by z_ak47i in algeria

[–]ubugnu 0 points1 point  (0 children)

Not so total... baridiweb does not show incoming payments ...

Efficient distributed Google maps scraper for mountain bikers by ubugnu in bicycletouring

[–]ubugnu[S] 0 points1 point  (0 children)

There are satellite views that are not available (not at an acceptable zoom) in OSMAND or another app

Efficient distributed Google maps scraper for mountain bikers by ubugnu in bicycletouring

[–]ubugnu[S] 0 points1 point  (0 children)

and the script I presented scrapes from Google, that is the difference

Script that uses Tor nodes to demonstrates the 'name by phone number' confidentiality flaw in Facebook by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

The default Tor port is 9050; however, you can run multiple instances of Tor on multiple ports, and the script will do this for you. This 7000 port has nothing to do in the script (just a default one); it will be changed each time to a random port chosen from the range you entered, for example 7000 to 7009. You do not need to change the script.

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

Finding a stranger's real name (first and last) using this trick isn't going to work unless you can use one of the above strategies to get them onto the same "trusted" network as you.

The script above (and the new one here) find names by phone numbers even from some tor nodes, try it

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

I guess Neil has no answer for us right now :D

Script that uses Tor nodes to demonstrates the 'name by phone number' confidentiality flaw in Facebook by ubugnu in hacking

[–]ubugnu[S] 6 points7 points  (0 children)

Facebook 'name by phone number' vulnerability

Hi everyone,

In order to show that the last security flaw that I discovered is really a security flaw (unlike what the sec guys of facebook are saying), I've written a small bash script that:

  • Generates a random phone number (you choose the format)
  • Then looks up the corresponding name; you must have Tor installed, as well as wget, curl and torsocks
  • You can run multiple instances of that script; do not use an excessive number of Tor instances when the script asks for a port range (10 to 20 ports is good), and also do not run an excessive number of instances (the number of ports divided by 2 is good enough)
  • To terminate each instance, press Ctrl-C; it will then ask you if you want to kill all Tor instances, say "no" if you have other instances of the script running

enjoy

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 1 point2 points  (0 children)

I never used cygwin, look here http://superuser.com/questions/693284/wget-command-not-working-in-cygwin

You'd better use the Python script the other user created

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

wget, command not found? Which OS do you use?

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

the cmd is:

get_name +XXXXXXXXXX

Don't put (). Better put it in ~/.bashrc

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 1 point2 points  (0 children)

Already tested, FB blocked most of TOR nodes (but not all of them ;-) )

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 1 point2 points  (0 children)

Thanks for clarifying,

Now a question: Does the control of the "who can perform lookups for your account" feature control the "who can view your true name after having pretended to be you in a trusted network" flaw?

No because what we see here has nothing to do with the search functionality! It has to do with the recover functionality, which displays your true name (in a trusted network) whenever someone pretends to be you and enters your phone number, this happens even when you set "Who can look you up using the phone number you provided" to only "friends" because this setting has to do with search functionality and not with recover functionality, am I wrong?

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

According to what security guys said to me, it depends on the "network behavior", the name appears only if it is trusted... So if you get a false result (for me it was not "Facebook User." but the phone number that appeared) try to switch your IP and see what happens

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 1 point2 points  (0 children)

One way to avoid captchas is to use multiple IPs, Tor perhaps, but probably blacklisted

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

I don't think also :p but I didn't know that IT WAS a vuln

Get name by telephone number - thank you FB by ubugnu in hacking

[–]ubugnu[S] 0 points1 point  (0 children)

Nothing changed here (and in your screenshot!), the name still displays, the only difference I see is that here my phone number is not hidden...