Affected Application: Facebook.com Exploit Platform: Remote Impact: Full Access to Facebook profile Severity: High Author: Anand Pandey Email: anandkpandey1 (at) gmail (dot) com Video: http://www.youtube.com/watch?v=9CtxQxyEf40 ____________________________________________________________________
->Description: • Accessing Facebook account with just one single link and by passing all security mechanism implemented by Facebook for preventing unauthorised access and provide secure login to users. • No way to track the unauthorized access and to know that someone accessed your account. (Unless the intruder made some changes) ____________________________________________________________________ ->What it can do ? It has the power to by pass all the security machanisms applyied by Facebook. It will not require the username/password, won’t present you with Check point, will not track your location (so no geographical location based restrictions) and no login review for the user, user will not be presented with any notification that wheather the user or some one else has accessed his/her account, and most importantly, there will not be any active sessions created or listed, so you will have full access to those resources where password is not required (because you don’t have the password), and there is no way any one can track you, unless you make a mistake of changing the profile picture or scream loudly ? ____________________________________________________________________ ->How this link is generated? This link is generated by Facebook for those who have registered their cell phone on Facebook to receive the notification of activity on their accounts by SMS on phone. Facebook generates this link for the convenience of those mobile users, and send it via SMS. You will receive a notification from Facebook stating that XYZ have commented on your photo (with the comment made) and a direct link to that photo. So you will not have to login every time to view your photos for comment or for anything using that particular link. ____________________________________________________________________ ->What all notifications contain this link? • Comment made on your photo. • Comment on your link. • Comment made after you on a photo or a link. • Tagged you in photo. ____________________________________________________________________ ->What this link looks like and what does it contain? The link that you receive from the above mentioned notifications are all different and also have a history of change. So here we will discuss each of these with their examples. * Type 1 http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx Now let us understand the links Here “m.facebook.com” shows that it’s a Facebook site for mobile users and “photo.php” shows it is something related to photos on Facebook. “pid” is the unique number assigned to that particular photo on which the comment is made or on which someone tagged you. “id” is the unique numeric user id associated to the user who commented on your photo or tagged you in, or we can say that this is the user id of the person due to whose action this notification is generated. “mlid” is the unique numeric user id of the account holder for whom the notification is generated. “l” is the 8 character long random combination of number, alphabets both in lower and upper caps, and this is the key to enter in the account, so we will call it the “key”. This is the link generated specially for the photos. It can be generated when someone is either tagging you in a photo, commenting on any photo uploaded by you, commenting on a photo after your comment. For this link to work there are two parameters required, the “mlid” and the “l”; rest anything can be any number or they even can be removed and this is true for all the links. * Type 2 http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx Here “m.facebook.com” shows that it’s a Facebook site for mobile users and “story.php” shows it is something related to share links on Facebook. “share_id” is the unique numeric id assigned to the link shared by you. “mlid” is the unique numeric user id of the account holder for whom the notification is generated. “l” is the 8 character long random combination of number, alphabets both in lower and upper caps, and this is the key to enter in the account, so we will call it the “key”. This is the link that is generated and sent to you by SMS when someone comments on the link shared by you. These above mentioned links are what Facebook used to send earlier, but as you know that these links will take more SMS space, so they implemented URL shortening feature to shorten these links and save some space and cost for SMS. So here we will understand how the shortened link looks like. * Type 3 http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy This is the shortened URL of “Type 1” link. “fb.me” is the domain used specially for the shortening feature of URLs by Facebook Here the series of “x” are the unique Facebook numeric user id of the user due to whose action this notification is generated. (“id” in the long URL of Type 1) And the series of “y” is the key (“l” from the long URL of Type 1) Here I want to bring your attention to the point that this link will not work, because when converted back to long URL it is missing an important parameter, i.e the “mlid”. * Type 4 http://fb.me/xxxxxxxxxxxxxx This is the shortened URL of “Type 2” link. Here the series of “x” are the 14 character random combination of numbers, alphabets both in lower and upper caps. And this link really works ? ____________________________________________________________________ ->What can be done? Here is what can be done with these links. If you want to target any user, then social engineering is the best technique to do so (other options being a great network of bots or fast techniques to brute force the key). What you need for that is the “mlid” (you can get this by just browsing to the profile page of that user and view the source to locate the username and assigned user number) and the key, “l” (this is where the problem lies). Now for the key, you have to either try all the possible combinations or use your social engineering tricks to get the key directly from the SMS of the user. Use your imagination. And if you want to target a random account then best thing will be to focus on type 4 link, because this is the link which does not contain any personalised contact info for any particular account, it is like a database with millions of direct links to millions of random user accounts. What can be done in this case is that you can brute force the random combination and harvest all possible direct links which is a massive issue and need to be catered to. One more thing that can be used is the malware for mobile phones, with the latest burst in the use of smart phones, including android, iphone, blackberry etc and the development of advance viruses and malware for these platforms. These malwares can be used to forward these particular SMSs or upload these directly online. ____________________________________________________________________ ->A little more information I reported about this issue to Facebook on 24th August, 2011. But the reply I got from them was an unexpected one. What they stated is that they are not taking any action on this issue as they have explicitly mentioned the social engineering technique as not acceptable and brute forcing the combination will take more than 20 years. At that time this key used to be active for two weeks. Means that you have two weeks to get the key before it changes and another key is assigned to that user. I submitted this for ClubHack (http://www.clubhack.com), one of the first Indian Hacker Conferences in its 5th year, and presented the same in the “ClubHack2011” Conference held on 3rd December, 2011 in Pune. On 5th December i.e two days after the presentation I again checked and found that the key that used to be active for two weeks now expires on single use, so once you use the link it will be of no use. But here is one of the important facts, and it is that most users do not use these links and the Type 3 link can never be used, so the key for this type and for the rest of unused link will not expire. This link is working on the date the advisory was drafted. Now the power is in your hands. ____________________________________________________________________ Timeline: ->Vulnerability discovered: 25th July 2011 ->Reported to vendor: 24th August 2011 via (facebook.com/whitehat) Waited for 10 days, no one responded ->Reported to vendor 2nd: 4th September 2011 ->Vendor responded (finally): 7th September 2011 Stating that they have explicitly mentioned social engineering as “not acceptable” on https://www.facebook.com/whitehat/bounty/ and brute forcing will take years to hit the right key. ->Replied to previous mail: 7th September 2011 With clarification and focus on hitting the URL shortening feature and waited for their response but got nothing. ->Replied 2nd attempt: 12th September 2011 Asked to confirm whether they are taking any action or not. ->Vendor replied: 14th September 2011 “We are taking no action as we dont consider this a serious threat. Thanks for contacting Facebook,” ->Presented in ClubHack2011: 3rd December 2011 ->Fix applied (noticed on): 5th December 2011 Facebook fixed it from changing the 2 weeks time for which the key used to be active by changing the key after every use. ->Advisory Published: 22 December 2011 ____________________________________________________________________ Disclaimer: The information contained in this advisory is believed to be accurate at the time of authoring, but no representation or warranty is given, express or implied, as to its accuracy or completeness. Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on, this information for any purpose.
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/