That's pretty sexy. Guess it's time for me to work on my FB account for a while.
Nice research.

Aaron

On Thu, Dec 22, 2011 at 4:02 AM, Anand Pandey <[email protected]> wrote:
>
> Affected Application: Facebook.com
> Exploit Platform: Remote
> Impact: Full Access to Facebook profile
> Severity: High
> Author: Anand Pandey
> Email: anandkpandey1 (at) gmail (dot) com
> Video: http://www.youtube.com/watch?v=9CtxQxyEf40
> ____________________________________________________________________
>
> ->Description:
> • Accessing a Facebook account with just one single link and bypassing all
> security mechanisms implemented by Facebook for preventing unauthorised
> access and providing secure login to users.
> • No way to track the unauthorized access and to know that someone accessed
> your account. (Unless the intruder made some changes)
> ____________________________________________________________________
>
> ->What can it do?
> It has the power to bypass all the security mechanisms applied by
> Facebook. It will not require the username/password, won't present you with
> a Check point, will not track your location (so no geographical location based
> restrictions) and no login review for the user; the user will not be presented
> with any notification of whether the user or someone else has accessed
> his/her account, and most importantly, there will not be any active sessions
> created or listed, so you will have full access to those resources where
> a password is not required (because you don't have the password), and there is
> no way anyone can track you, unless you make the mistake of changing the
> profile picture or scream loudly ?
> ____________________________________________________________________
>
> ->How is this link generated?
> This link is generated by Facebook for those who have registered their cell
> phone on Facebook to receive notifications of activity on their accounts
> by SMS on the phone. Facebook generates this link for the convenience of those
> mobile users, and sends it via SMS. You will receive a notification from
> Facebook stating that XYZ has commented on your photo (with the comment
> made) and a direct link to that photo. So you will not have to log in every
> time to view your photos for comments or for anything, using that particular
> link.
> ____________________________________________________________________
>
> ->What all notifications contain this link?
> • Comment made on your photo.
> • Comment on your link.
> • Comment made after you on a photo or a link.
> • Tagged you in a photo.
> ____________________________________________________________________
>
> ->What does this link look like and what does it contain?
> The links that you receive from the above mentioned notifications are all
> different and also have a history of change. So here we will discuss each of
> these with their examples.
>
> * Type 1
> http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
> Now let us understand the links.
> Here "m.facebook.com" shows that it's the Facebook site for mobile users and
> "photo.php" shows it is something related to photos on Facebook.
> "pid" is the unique number assigned to that particular photo on which the
> comment is made or in which someone tagged you.
> "id" is the unique numeric user id associated with the user who commented on
> your photo or tagged you, or we can say that this is the user id of the
> person due to whose action this notification is generated.
> "mlid" is the unique numeric user id of the account holder for whom the
> notification is generated.
> "l" is the 8 character long random combination of numbers and alphabets, both in
> lower and upper case, and this is the key to enter the account, so we
> will call it the "key".
>
> This is the link generated specially for photos. It can be generated
> when someone is either tagging you in a photo, commenting on any photo
> uploaded by you, or commenting on a photo after your comment.
> For this link to work there are two parameters required, the "mlid" and the
> "l"; the rest can be any number or they can even be removed, and this is
> true for all the links.
>
> * Type 2
> http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
> Here "m.facebook.com" shows that it's the Facebook site for mobile users and
> "story.php" shows it is something related to shared links on Facebook.
> "share_id" is the unique numeric id assigned to the link shared by you.
> "mlid" is the unique numeric user id of the account holder for whom the
> notification is generated.
> "l" is the 8 character long random combination of numbers and alphabets, both in
> lower and upper case, and this is the key to enter the account, so we
> will call it the "key".
> This is the link that is generated and sent to you by SMS when someone
> comments on the link shared by you.
>
> These above mentioned links are what Facebook used to send earlier, but as
> you know these links take up more SMS space, so they implemented a URL
> shortening feature to shorten these links and save some space and cost for
> SMS.
> So here we will understand what the shortened link looks like.
>
> * Type 3
> http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy
> This is the shortened URL of the "Type 1" link.
> "fb.me" is the domain used specially for the URL shortening feature of
> Facebook.
> Here the series of "x" is the unique Facebook numeric user id of the user
> due to whose action this notification is generated. ("id" in the long URL
> of Type 1)
> And the series of "y" is the key ("l" from the long URL of Type 1).
> Here I want to bring your attention to the point that this link will not
> work, because when converted back to the long URL it is missing an important
> parameter, i.e. the "mlid".
>
> * Type 4
> http://fb.me/xxxxxxxxxxxxxx
> This is the shortened URL of the "Type 2" link.
> Here the series of "x" is a 14 character random combination of numbers and
> alphabets, both in lower and upper case.
> And this link really works ?
> ____________________________________________________________________
>
> ->What can be done?
> Here is what can be done with these links.
> If you want to target any user, then social engineering is the best
> technique to do so (other options being a great network of bots or fast
> techniques to brute force the key). What you need for that is the "mlid"
> (you can get this by just browsing to the profile page of that user and viewing
> the source to locate the username and assigned user number) and the key, "l"
> (this is where the problem lies).
> Now for the key, you have to either try all the possible combinations or use
> your social engineering tricks to get the key directly from the SMS of the
> user. Use your imagination.
> And if you want to target a random account then the best thing will be to focus
> on the type 4 link, because this is the link which does not contain any
> personalised contact info for any particular account; it is like a database
> with millions of direct links to millions of random user accounts. What can
> be done in this case is that you can brute force the random combination and
> harvest all possible direct links, which is a massive issue and needs to be
> catered to.
> One more thing that can be used is malware for mobile phones, with the
> latest burst in the use of smart phones, including Android, iPhone,
> BlackBerry etc. and the development of advanced viruses and malware for these
> platforms. This malware can be used to forward these particular SMSs or
> upload them directly online.
> ____________________________________________________________________
>
> ->A little more information
> I reported this issue to Facebook on 24th August, 2011. But the reply
> I got from them was an unexpected one. What they stated is that they are not
> taking any action on this issue as they have explicitly mentioned the social
> engineering technique as not acceptable and brute forcing the combination
> will take more than 20 years. At that time this key used to be active for
> two weeks. That means you have two weeks to get the key before it changes
> and another key is assigned to that user.
> I submitted this for ClubHack (http://www.clubhack.com), one of the first
> Indian Hacker Conferences, in its 5th year, and presented the same at the
> "ClubHack2011" Conference held on 3rd December, 2011 in Pune. On 5th
> December, i.e. two days after the presentation, I again checked and found that
> the key that used to be active for two weeks now expires on a single use, so
> once you use the link it will be of no use. But here is one of the important
> facts, and it is that most users do not use these links and the Type 3 link
> can never be used, so the key for this type and for the rest of the unused links
> will not expire. This link is working on the date the advisory was drafted.
> Now the power is in your hands.
> ____________________________________________________________________
>
> Timeline:
> ->Vulnerability discovered: 25th July 2011
> ->Reported to vendor: 24th August 2011 via (facebook.com/whitehat)
> Waited for 10 days, no one responded
> ->Reported to vendor 2nd: 4th September 2011
> ->Vendor responded (finally): 7th September 2011
> Stating that they have explicitly mentioned social engineering as "not
> acceptable" on https://www.facebook.com/whitehat/bounty/ and brute forcing
> will take years to hit the right key.
> ->Replied to previous mail: 7th September 2011
> With clarification and focus on hitting the URL shortening feature and
> waited for their response but got nothing.
> ->Replied 2nd attempt: 12th September 2011
> Asked to confirm whether they are taking any action or not.
> ->Vendor replied: 14th September 2011
> "We are taking no action as we don't consider this a serious threat.
> Thanks for contacting Facebook,"
> ->Presented in ClubHack2011: 3rd December 2011
> ->Fix applied (noticed on): 5th December 2011
> Facebook fixed it by changing the key after every use, instead of the 2 weeks
> time for which the key used to be active.
> ->Advisory Published: 22 December 2011
> ____________________________________________________________________
>
> Disclaimer:
> The information contained in this advisory is believed to be accurate at the
> time of authoring, but no representation or warranty is given, express or
> implied, as to its accuracy or completeness. Neither the author nor the
> publisher accepts any liability whatsoever for any direct, indirect or
> consequential loss or damage arising in any way from any use of or reliance
> placed on, this information for any purpose.
>
>
> _______________________________________________
> Pauldotcom mailing list
> [email protected]
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
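The advisory above describes four link shapes and states that only "mlid" and "l" are needed for the long links to work, that the Type 3 short link lacks "mlid", and that Facebook's reply rested on the 8-character key being too large to brute force. The following is an added example, not the advisory author's code or anything from Facebook: it classifies links of those four shapes, flags which carry both required parameters, and puts numbers on the key space. All sample links are constructed with placeholder ids and keys, and the guess rate and two-week validity window used for the estimate are assumptions for illustration (the advisory states the two-week lifetime but gives no request rate).

```python
"""Classify Facebook SMS-notification link shapes (Types 1-4 from the
advisory) and estimate brute-force cost of the 8-character "l" key.

Added example; not the advisory author's code. Sample links are constructed
with placeholder ids/keys. The guess rate is an assumption.
"""
import re
import string
from dataclasses import dataclass
from typing import Optional
from urllib.parse import parse_qs, urlparse

# The advisory describes the key as numbers plus upper/lower-case letters.
KEY_ALPHABET = string.ascii_letters + string.digits   # 62 symbols
KEY_LEN = 8          # "l" in Type 1/2, ".yyyyyyyy" suffix in Type 3
TYPE4_LEN = 14       # opaque random path of a Type 4 fb.me link

_FB_ME_PHOTO = re.compile(r"^/p/(\d+)\.([A-Za-z0-9]{8})$")   # Type 3 shape
_FB_ME_SHORT = re.compile(r"^/([A-Za-z0-9]{14})$")            # Type 4 shape


@dataclass
class LinkInfo:
    link_type: int           # 1-4 per the advisory, 0 = not one of these shapes
    mlid: Optional[str]      # numeric id of the account the link logs into
    key: Optional[str]       # the "l" key
    usable: bool             # per the advisory: long links need mlid AND l
    reason: str


def classify(url: str) -> LinkInfo:
    """Return the advisory's type number and the parameters that matter."""
    u = urlparse(url)
    host = u.netloc.lower()
    if host == "m.facebook.com":
        qs = parse_qs(u.query)
        mlid = qs.get("mlid", [None])[0]
        key = qs.get("l", [None])[0]
        if u.path == "/photo.php":
            link_type = 1
        elif u.path == "/story.php":
            link_type = 2
        else:
            return LinkInfo(0, mlid, key, False, "not a notification link shape")
        # pid / id / share_id are irrelevant to whether the link works.
        ok = mlid is not None and key is not None
        return LinkInfo(link_type, mlid, key, ok,
                        "has mlid and l" if ok else "missing mlid or l")
    if host == "fb.me":
        m = _FB_ME_PHOTO.match(u.path)
        if m:
            # Carries the commenter's id and the key but no mlid, which the
            # advisory gives as the reason this shape cannot work.
            return LinkInfo(3, None, m.group(2), False, "no mlid in shortened photo link")
        m = _FB_ME_SHORT.match(u.path)
        if m:
            return LinkInfo(4, None, None, True, "opaque 14-char short link")
    return LinkInfo(0, None, None, False, "not a notification link shape")


def keyspace(length: int, alphabet_size: int = len(KEY_ALPHABET)) -> int:
    """Number of possible keys of the given length over the 62-symbol alphabet."""
    return alphabet_size ** length


def years_to_exhaust(length: int, guesses_per_second: float) -> float:
    """Worst-case years to try every key at a sustained rate (rate is an assumption)."""
    return keyspace(length) / guesses_per_second / (365.25 * 24 * 3600)


def fraction_covered(length: int, guesses_per_second: float, window_days: float = 14) -> float:
    """Share of the key space reachable while one key stays valid
    (the two-week lifetime the advisory reports before the fix)."""
    return guesses_per_second * window_days * 86400 / keyspace(length)


if __name__ == "__main__":
    # Constructed sample links with placeholder ids and keys.
    samples = [
        "http://m.facebook.com/photo.php?pid=123456&id=1000000000000001&mlid=1000000002&l=Ab3dE9xY",
        "http://m.facebook.com/photo.php?pid=123456&l=Ab3dE9xY",          # mlid stripped
        "http://m.facebook.com/story.php?share_id=2000000000000002&mlid=1000000002&l=Zz9yX8wV",
        "http://fb.me/p/1000000000000001.Ab3dE9xY",                          # Type 3
        "http://fb.me/Q1w2E3r4T5y6U7",                                       # Type 4
    ]
    for s in samples:
        print(classify(s))
    rate = 1000.0  # assumed guesses per second
    print(f"8-char keys: {keyspace(KEY_LEN):,}; ~{years_to_exhaust(KEY_LEN, rate):,.0f} years at {rate:.0f}/s")
    print(f"fraction of 8-char space coverable in 14 days: {fraction_covered(KEY_LEN, rate):.2e}")
    print(f"14-char Type 4 paths: {keyspace(TYPE4_LEN):.2e}")
```

The numbers are what make the vendor's "more than 20 years" reply checkable: 62^8 is about 2.2e14 keys, so even a thousand guesses per second sustained for the two weeks a key used to live covers only a few millionths of the space, and the 14-character Type 4 path is far larger still. What the classifier also makes visible is the advisory's structural point: for the long links the only load-bearing parameters are `mlid` and `l`, so any notification link that leaks (forwarded SMS, a phone backup, a proxy log) is a bearer credential for that account until the key is rotated, which is exactly the property the single-use change addressed.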
