Tuesday, 28 January 2014

Foursquare vulnerability that exposes 45 million users' email addresses

'Foursquare', a location-based social networking platform with 45 million users, was vulnerable to a flaw that disclosed users' primary email addresses.


Foursquare is a smartphone application that shows you nearby cafes, bars, shops and parks using your GPS location, and also tells you which of your friends are nearby.

According to penetration tester and hacker 'Jamal Eddine', an attacker could extract the email addresses of all 45 million users with just a few lines of scripting.

The flaw exists in the invitation system of the Foursquare app. While testing the app, he found that an invitation received on the recipient's end actually disclosed the sender's email address, as shown above.


Invitation URL: 

https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe&uid=64761059&sig=mmlx96RwGrQ2fJAg4OWZhAWnDvc%3D

where the 'uid' parameter represents the sender's profile ID.

He noticed that this parameter in the invitation URL could be modified to spoof the sender profile: just by changing the value of 'uid', one can see the email address of the corresponding user.

If someone is a good programmer, dumping the complete database won't be a difficult task.

https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe&uid=35
https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe&uid=60
https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe&uid=65
https://foursquare.com/mehdi?action=acceptFriendship&expires=1378920415&src=wtbfe&uid=4444
And so forth...
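The root cause described above is that the server honoured whatever 'uid' it was handed; note that the enumerated links carry no 'sig' at all, and the signed original could still be replayed with a different 'uid'. The following is an added example, not Foursquare's code, of how a signed invitation link should be issued and checked so that a modified or unsigned 'uid' discloses nothing; the secret key, the user table and the set of signed fields are assumptions.

```python
import base64
import hashlib
import hmac
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlparse

# Hypothetical server-side secret; a real deployment loads it from a key store.
SECRET_KEY = b"example-server-secret"

# Constructed sample user directory (uid -> primary email), standing in for the database.
USERS = {64761059: "sender@example.com", 35: "someone-else@example.com"}

# Every field that must not be tampered with is covered by the signature.
SIGNED_FIELDS = ("action", "expires", "src", "uid")


def _signature(params: dict) -> str:
    # Canonical string over the protected fields, in a fixed order.
    msg = "&".join(f"{k}={params[k]}" for k in SIGNED_FIELDS).encode()
    return base64.b64encode(hmac.new(SECRET_KEY, msg, hashlib.sha1).digest()).decode()


def build_invitation(recipient: str, sender_uid: int, ttl: int = 86400,
                     now: Optional[int] = None) -> str:
    """Issue an invitation link whose uid and expiry are bound by an HMAC."""
    now = int(time.time()) if now is None else now
    params = {"action": "acceptFriendship", "expires": now + ttl, "src": "wtbfe", "uid": sender_uid}
    params["sig"] = _signature(params)
    return f"https://foursquare.com/{recipient}?" + urlencode(params)


def resolve_sender_email(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the sender's email only if the link is intact, unexpired and signed by us."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlparse(url).query).items()}
    if "sig" not in q or any(f not in q for f in SIGNED_FIELDS):
        return None  # unsigned or incomplete link: never fall back to trusting 'uid' alone
    if not hmac.compare_digest(q["sig"], _signature(q)):
        return None  # 'uid' (or another protected field) was modified after signing
    if int(q["expires"]) < now:
        return None  # stale link
    return USERS.get(int(q["uid"]))
```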

The question remains: what can be done if someone knows my name and my email address? Many of us use the same mail account, our primary email address, on all of our social networking sites, and if that address leaks from any one website, someone can start sending you spam, malware or phishing attempts.

I think you don't want to be phished by a hacking group like the Syrian Electronic Army, and this information can easily aid other cyber attacks.

In July 2013, a similar vulnerability was reported on Facebook that disclosed the primary email address of any Facebook user to hackers and spammers.

As a responsible bug hunter, he reported the flaw to Foursquare's security team, and they have now fixed the issue.
