Ahmad Halabi

Published On: 31 Oct 2019

Viewing Facebook Contacts On Locked Device

Privacy/Authentication
Messenger | Android
---
LOW VALID

This bug allows a malicious attacker with the victim's phone in hand to view the victim's Facebook contacts while the device is still locked, by accepting an incoming Messenger call and tapping "Add contacts".

Description

This attack must be carried out in person: the attacker needs physical access to the victim's phone.

Impact

Facebook contacts can be viewed without unlocking the phone, which violates the privacy policy.

Reproduction Steps

Step 1

Set a lock screen on your phone, then lock it.

Step 2

From another account, call your first account through Messenger.

Step 3

Tap the 'ANSWER' button to answer the call. At the bottom left there is a button showing a person icon with a '+' sign, used to add friends to the chat; tap it.

Step 4

The friends list appears and you can scroll up and down through it. It is shown without redirecting you to, or prompting you for, the phone's unlock password or PIN.
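As an added example that is not code from the report or from Messenger, the following shows how an in-call screen displayed over the Android keyguard can gate the "add people" action the way the reported UI did not: the activity, layout and view ids, and showContactPicker() are assumed names, while KeyguardManager.isDeviceLocked() and requestDismissKeyguard() are real platform APIs. The hardened handler refuses to reveal the friend list until the user has passed the lock screen.

```java
import android.app.Activity;
import android.app.KeyguardManager;
import android.content.Context;
import android.os.Build;
import android.os.Bundle;

// Hypothetical in-call screen. It is allowed over the lock screen so the user can
// answer, but anything that reveals data (the friend list) must still require unlock.
public class IncomingCallActivity extends Activity {

    @Override
    protected void onCreate(Bundle savedInstanceState) {
        super.onCreate(savedInstanceState);
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O_MR1) {
            setShowWhenLocked(true); // answer/decline controls stay reachable while locked
        }
        setContentView(R.layout.incoming_call);                                   // assumed layout
        findViewById(R.id.add_people).setOnClickListener(v -> onAddPeopleTapped()); // assumed id
    }

    // Weak behaviour (the reported bug): the picker opens regardless of lock state.
    private void onAddPeopleTappedWeak() {
        showContactPicker();
    }

    // Hardened behaviour: the friend list is only shown once the keyguard is gone.
    private void onAddPeopleTapped() {
        KeyguardManager km = (KeyguardManager) getSystemService(Context.KEYGUARD_SERVICE);
        if (km == null || !km.isDeviceLocked()) {   // no secure lock set, or already unlocked
            showContactPicker();
            return;
        }
        if (Build.VERSION.SDK_INT >= Build.VERSION_CODES.O) {
            // Prompts for the PIN/password/pattern; the list is shown only on success.
            km.requestDismissKeyguard(this, new KeyguardManager.KeyguardDismissCallback() {
                @Override
                public void onDismissSucceeded() {
                    showContactPicker();
                }
                // onDismissCancelled / onDismissError keep their default no-op bodies,
                // so a cancelled or failed unlock leaves the contacts hidden.
            });
        }
        // Older releases: refuse silently; the call UI keeps working, contacts stay hidden.
    }

    private void showContactPicker() {
        // assumed: launches the existing "add people to call" friend list UI
    }
}
```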


Timeline

Ahmad, 23 Aug 2019: Initial report
Facebook, 27 Aug 2019: Report closed as Informative
Ahmad, 27 Aug 2019: Sent more information about the impact
Facebook, 28 Aug 2019: Report triaged
Facebook, 31 Oct 2019: Report fixed
Facebook, 31 Oct 2019: Bounty awarded