Exploit for Facebook For Android Friend Acceptance

Name: Exploit for Facebook For Android Friend Acceptance
Rating: 5 (195 reviews)
2021-08-10 | CVSS -0.4
## https://sploitus.com/exploit?id=PACKETSTORM:163773
Author - Sivanesh Ashok | @sivaneshashok | stazot.com  
  
Date : 2021-08-03  
Vendor : https://facebook.com/  
Version : *  
Tested on : Version 329.0.0.29.120, Android 10  
Last Modified : 2021-08-10  
  
  
--[ Bug Description  
  
Facebook for Android is vulnerable to a permission issue which allows  
anyone with physical access to the Android device, to accept friend  
requests without unlocking the phone. The bug works when the device's lock  
screen notification setting is set to "Show sensitive content when locked".  
The victim user who set "Show sensitive content when locked", would not  
know that the app also allows such sensitive action to be performed when  
locked.  
  
An attacker who has access to the victim's locked phone will be able to add  
the victim as a friend and collect personal information about the victim  
such as email, DoB, check-ins, pictures and other information that the  
victim shared to be visible only to their friends.  
  
  
--[ Steps to reproduce  
  
As the attacker:  
1. Get your hands on the victim's locked phone.  
2. Send friend request to the victim.  
3. See the notification about your friend request on the victim's locked  
phone.  
4. Expand the friend request and touch the Confirm button.  
5. Note that you are now friends with the victim.  
6. Check the information that the victim has shared only with their friends.  
  
  
--[ Proof of Concept  
  
Here is a video PoC of this bug - https://youtu.be/RbBspN-0r-U  
  
  
--[ Responsible Disclosure  
  
I reported the bug to Facebook, and they seem to not consider this a valid  
security, "as the user is in control of their notifications and can prevent  
this kind of scenarios by adjusting their phone's settings". An interesting  
decision, since the user only wants to "Show sensitive content when  
locked", and not "Modify sensitive content when locked". Also, other push  
notifications on Facebook/Messenger/Instagram do not behave the same. So, I  
think it is worth a patch. Wonder if Facebook will consider it a security  
risk if it was possible to accept follow requests to a private Instagram  
account from a locked phone.  
  
  
--[ Contact  
  
Name : Sivanesh Ashok  
Twitter : @sivaneshashok  
Website : https://stazot.com