[Full-disclosure] Facebook security bypassed with One single link

2011-12-23 Thread Anand Pandey
Affected Application: Facebook.com
Exploit Platform: Remote
Impact: Full Access to Facebook profile
Severity: High
Author: Anand Pandey
Email: anandkpandey1 (at) gmail (dot) com
Video: http://www.youtube.com/watch?v=9CtxQxyEf40


-Description:
• Accessing a Facebook account with just one single link, bypassing all
security mechanisms implemented by Facebook for preventing unauthorised
access and providing secure login to users.
• No way to track the unauthorized access or to know that someone accessed
your account (unless the intruder made some changes).


-What can it do?
It has the power to bypass all the security mechanisms applied by
Facebook. It will not require the username/password, won’t present you with
a checkpoint, will not track your location (so no geographical-location-
based restrictions) and no login review for the user; the user will not be
presented with any notification of whether the user or someone else has
accessed his/her account, and most importantly, there will not be any
active sessions created or listed, so you will have full access to those
resources where the password is not required (because you don’t have the
password), and there is no way anyone can track you, unless you make the
mistake of changing the profile picture or scream loudly ?


-How this link is generated?
This link is generated by Facebook for those who have registered their cell
phone on Facebook to receive notifications of activity on their accounts
by SMS. Facebook generates this link for the convenience of those
mobile users and sends it via SMS. You will receive a notification from
Facebook stating that XYZ has commented on your photo (with the comment
made) and a direct link to that photo, so you will not have to log in every
time to view your photos for comments or for anything else using that
particular link.


-What all notifications contain this link?
• Comment made on your photo.
• Comment on your link.
• Comment made after you on a photo or a link.
• Tagged you in photo.


-What this link looks like and what does it contain?
The links that you receive from the above-mentioned notifications are all
different and also have a history of change, so here we will discuss each
of them with examples.

* Type 1
http://m.facebook.com/photo.php?pid=xx&id=&mlid=xx&l=
Now let us understand the links.
Here “m.facebook.com” shows that it’s a Facebook site for mobile users and
“photo.php” shows it is something related to photos on Facebook.
“pid” is the unique number assigned to that particular photo on which the
comment is made or in which someone tagged you.
“id” is the unique numeric user id associated with the user who commented on
your photo or tagged you in it, or we can say that this is the user id of the
person due to whose action this notification is generated.
“mlid” is the unique numeric user id of the account holder for whom the
notification is generated.
“l” is an 8-character-long random combination of numbers and letters, both
lowercase and uppercase, and this is the key to enter the account, so we
will call it the “key”.

This is the link generated specially for photos. It can be generated
when someone is either tagging you in a photo, commenting on any photo
uploaded by you, or commenting on a photo after your comment.
For this link to work there are two parameters required, the “mlid” and the
“l”; the rest can be any number or can even be removed, and this
is true for all the links.

* Type 2
http://m.facebook.com/story.php?share_id=&mlid=xx&l=
Here “m.facebook.com” shows that it’s a Facebook site for mobile users and
“story.php” shows it is something related to shared links on Facebook.
“share_id” is the unique numeric id assigned to the link shared by you.
“mlid” is the unique numeric user id of the account holder for whom the
notification is generated.
“l” is an 8-character-long random combination of numbers and letters, both
lowercase and uppercase, and this is the key to enter the account, so we
will call it the “key”.
This is the link that is generated and sent to you by SMS when someone
comments on the link shared by you.

The above-mentioned links are what Facebook used to send earlier, but as
you know, these links take up more SMS space, so they implemented a URL
shortening feature to shorten these links and save some space and cost for
SMS.
So here we will understand what the shortened link looks like.

* Type 3
http://fb.me/p/xxx.
This is the shortened URL of “Type 1” link.
“fb.me” is the domain used specially for the shortening feature of URLs
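As an added example (not part of the advisory above and not Facebook's code), the following scanner takes the link shapes the post describes and masks the "l" key wherever such links show up in text a defender controls (forwarded mail, chat exports, proxy or mail-gateway logs), so a leaked notification link no longer works as a bearer credential. It keys on the two parameters the advisory says are required, "mlid" and "l", and treats pid/id/share_id as optional, as the post states; the log lines, ids and keys below are constructed.

```python
"""Flag and redact key-bearing Facebook mobile-notification links in text."""
import re
from urllib.parse import urlsplit, parse_qs, urlencode, urlunsplit

# Per the advisory, only "mlid" (account holder id) and "l" (8-char key) are
# needed for the link to grant access; pid/id/share_id may be anything or absent.
AUTH_PARAMS = {"mlid", "l"}
KEY_RE = re.compile(r"^[A-Za-z0-9]{8}$")
# URL matcher that stops before trailing punctuation such as "." or ")".
URL_RE = re.compile(r"https?://[^\s<>\"']*[^\s<>\"'.,;:)]")

def is_login_link(url: str) -> bool:
    """True for the m.facebook.com photo.php/story.php shape carrying a valid key."""
    parts = urlsplit(url)
    if parts.netloc.lower() != "m.facebook.com":
        return False
    qs = parse_qs(parts.query)  # blank values (e.g. "l=") are dropped here
    return AUTH_PARAMS.issubset(qs) and bool(KEY_RE.match(qs["l"][0]))

def is_short_link(url: str) -> bool:
    """Type 3 (fb.me/p/...): the key sits behind the redirect, so the whole
    path is treated as sensitive."""
    parts = urlsplit(url)
    return parts.netloc.lower() == "fb.me" and parts.path.startswith("/p/")

def redact(url: str) -> str:
    """Keep the link for context but replace the key so it is no longer usable."""
    if is_short_link(url):
        return "http://fb.me/p/REDACTED"
    parts = urlsplit(url)
    qs = parse_qs(parts.query, keep_blank_values=True)
    qs["l"] = ["REDACTED"]
    query = urlencode(qs, doseq=True)  # preserves parameter order
    return urlunsplit((parts.scheme, parts.netloc, parts.path, query, parts.fragment))

def scan(text: str):
    """Return (text with keys masked, list of links that were flagged)."""
    flagged = []
    def _sub(m):
        url = m.group(0)
        if is_login_link(url) or is_short_link(url):
            flagged.append(url)
            return redact(url)
        return url
    return URL_RE.sub(_sub, text), flagged

SAMPLE = (  # constructed gateway log lines, not real traffic
    "INFO fwd https://m.facebook.com/photo.php?pid=123&id=456&mlid=100000123&l=Ab3dEf9Z\n"
    "INFO fwd http://m.facebook.com/story.php?share_id=77&mlid=100000123&l=Qw12Er34\n"
    "INFO fwd http://m.facebook.com/story.php?mlid=100000123&l=Qw12Er34 (ids stripped)\n"
    "INFO fwd http://fb.me/p/AbCd1.\n"
    "INFO fwd http://m.facebook.com/photo.php?pid=123&id=456 (no key)\n"
)
```

Run `scan(SAMPLE)` to see the four key-bearing lines masked while the keyless link on the last line is left alone.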

[Full-disclosure] Anand A has sent you a private message

2009-04-28 Thread Anand A
Title: Private Message from Anand
Anand A has sent you a private message. Click to read message. Please read it or Anand will think you ignored this :( This message has been forwarded at the request of aanan...@gmail.com. To block all emails from FanIQ, please click here. FanIQ is located at 604 mission St, Suite 600, San Francisco, CA 94105, USA.

___
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

[Full-disclosure] Info about HTA file [spam or malware ?]

2006-09-15 Thread Dev Anand
Hi All,

Well, two days back we received an email from [EMAIL PROTECTED] with a
username and password and a .hta attachment called mail.zip, which contained
an HTA file.


This attachment contains a zip file with the name mail.zip, a size of 2020
bytes and an MD5sum of 3a348133a7c4ad8d8030a02c5fa886e3. This zip file
contains a file message.hta [HTML application] with a size of 3155
bytes; its MD5sum is dc7172ab522da1e20f73c575d1f8d96c.

Can anybody shed some light on this?

Thanks in advance.

Deva
