Thursday 22 December 2011

Facebook Security bypassed with just one Link



Affected Application: Facebook.com
Exploit Platform: Remote
Impact: Full Access to Facebook profile
Severity: High
Author: Anand Pandey 
Email: anandkpandey1 (at) gmail (dot) com
Video: http://www.youtube.com/watch?v=9CtxQxyEf40
____________________________________________________________________


->Description:
• Accessing a Facebook account with just one link, bypassing all the security mechanisms Facebook implements to prevent unauthorised access and provide secure login to users.
• No way to track the unauthorised access or to know that someone accessed your account (unless the intruder made some changes).
____________________________________________________________________


->What can it do?
It bypasses all the security mechanisms applied by Facebook. It does not require the username/password, does not present a Checkpoint, does not track your location (so no geographical-location-based restrictions), and triggers no login review for the user; the user gets no notification of whether he/she or someone else has accessed the account. Most importantly, no active session is created or listed, so you have full access to every resource where a password is not required (because you don't have the password), and there is no way anyone can track you, unless you make the mistake of changing the profile picture or screaming loudly.
____________________________________________________________________


->How is this link generated?
This link is generated by Facebook for users who have registered their cell phone with Facebook to receive notifications of activity on their account by SMS. Facebook generates the link for the convenience of those mobile users and sends it via SMS. You receive a notification from Facebook stating that XYZ has commented on your photo (with the comment text) and a direct link to that photo, so you do not have to log in every time you follow that link to view your photos, comments, or anything else.
____________________________________________________________________


->Which notifications contain this link?
• A comment made on your photo.
• A comment on your link.
• A comment made after yours on a photo or a link.
• Someone tagged you in a photo.
____________________________________________________________________


->What does this link look like and what does it contain?
The links you receive from the above-mentioned notifications all differ and have also changed over time, so here we discuss each of them with examples.


* Type 1
http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
Now let us understand the link.
Here “m.facebook.com” shows that it is the Facebook site for mobile users and “photo.php” shows it is something related to photos on Facebook.
“pid” is the unique number assigned to the particular photo on which the comment was made or in which someone tagged you.
“id” is the unique numeric user id of the user who commented on your photo or tagged you in it; in other words, the user id of the person whose action generated this notification.
“mlid” is the unique numeric user id of the account holder for whom the notification is generated.
“l” is an 8-character random combination of digits and upper- and lower-case letters; this is the key that grants entry to the account, so we will call it the “key”.


This is the link generated specifically for photos. It is generated when someone tags you in a photo, comments on a photo uploaded by you, or comments on a photo after your comment.
For this link to work only two parameters are required, “mlid” and “l”; the rest can be any number or can even be removed, and this is true for all the links.


* Type 2
http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
Here “m.facebook.com” shows that it is the Facebook site for mobile users and “story.php” shows it is something related to shared links on Facebook.
“share_id” is the unique numeric id assigned to the link shared by you.
“mlid” is the unique numeric user id of the account holder for whom the notification is generated.
“l” is an 8-character random combination of digits and upper- and lower-case letters; this is the key that grants entry to the account, so we will call it the “key”.
This is the link that is generated and sent to you by SMS when someone comments on a link shared by you.


The links above are what Facebook used to send earlier, but since they take up more SMS space, Facebook implemented a URL shortening feature to shorten them and save some space and SMS cost.
So here we look at what the shortened links look like.


* Type 3
http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy
This is the shortened URL of the “Type 1” link.
“fb.me” is the domain used specifically for Facebook's URL shortening feature.
Here the series of “x” is the unique Facebook numeric user id of the user whose action generated this notification (“id” in the long URL of Type 1).
And the series of “y” is the key (“l” in the long URL of Type 1).
Note that this link will not work, because when expanded back to the long URL it is missing an important parameter, the “mlid”.


* Type 4
http://fb.me/xxxxxxxxxxxxxx
This is the shortened URL of the “Type 2” link.
Here the series of “x” is a 14-character random combination of digits and upper- and lower-case letters.
And this link really works.
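As an added example (not part of the original advisory), the following classifier recognises the four link shapes described above, reports whether a link carries everything it needs to act as a bearer credential on its own, and masks that credential so such links can be quoted in tickets or logs safely. The sample links and all ids/keys in them are constructed; only the URL shapes come from the advisory.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample links in the four shapes described above (fake ids and keys).
SAMPLE_LINKS = [
    "http://m.facebook.com/photo.php?pid=123456&id=1000012345678901&mlid=1234567890&l=Ab12Cd34",
    "http://m.facebook.com/story.php?share_id=2000012345678901&mlid=1234567890&l=Ef56Gh78",
    "http://fb.me/p/1000012345678901.Ab12Cd34",
    "http://fb.me/AbCdEf1234567x",
]

def classify_link(url):
    """Return (type, mlid, credential, usable) for one notification URL.

    Per the advisory, Type 1/2 work only when both "mlid" and "l" are present,
    Type 3 never works (no "mlid"), and Type 4 is a 14-char opaque code.
    """
    p = urlparse(url)
    host = p.netloc.lower()
    if host == "m.facebook.com":
        q = parse_qs(p.query)
        mlid = q.get("mlid", [None])[0]
        key = q.get("l", [None])[0]
        kind = {"/photo.php": 1, "/story.php": 2}.get(p.path)
        if kind is None:
            return ("unknown", None, None, False)
        return (kind, mlid, key, bool(mlid and key))
    if host == "fb.me":
        path = p.path.strip("/")
        if path.startswith("p/"):
            _ident, _, key = path[2:].partition(".")   # "<id>.<key>"
            return (3, None, key or None, False)
        return (4, None, path or None, len(path) == 14 and path.isalnum())
    return ("unknown", None, None, False)

def redact_link(url):
    """Mask the bearer credential so the link can be logged or quoted safely."""
    _kind, _mlid, cred, _usable = classify_link(url)
    return url.replace(cred, "[REDACTED]") if cred else url

def audit(links):
    """Map each link to its type and whether it grants access on its own."""
    return {u: (classify_link(u)[0], classify_link(u)[3]) for u in links}

if __name__ == "__main__":
    for url, (kind, usable) in audit(SAMPLE_LINKS).items():
        print(f"type {kind}: usable={usable}: {redact_link(url)}")
```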
____________________________________________________________________


->What can be done?
Here is what can be done with these links.
If you want to target a particular user, social engineering is the best technique (the other options being a large network of bots or fast techniques to brute force the key). What you need for that is the “mlid” (you can get this by browsing to that user's profile page and viewing the source to locate the username and assigned user number) and the key, “l” (this is where the problem lies).
Now for the key, you either have to try all possible combinations or use your social engineering tricks to get the key directly from the user's SMS. Use your imagination.
If you want to target a random account, the best thing is to focus on the Type 4 link, because it does not contain any personalised contact info for a particular account; it is like a database with millions of direct links to millions of random user accounts. In this case the random combination can be brute forced to harvest all possible direct links, which is a massive issue that needs to be addressed.
One more thing that can be used is malware for mobile phones, given the recent surge in smartphone use (Android, iPhone, BlackBerry, etc.) and the development of advanced viruses and malware for these platforms. Such malware could be used to forward these particular SMSs or upload them directly online.
____________________________________________________________________


->A little more information
I reported this issue to Facebook on 24th August 2011, but the reply I got from them was unexpected. They stated that they are not taking any action on this issue, as they have explicitly listed social engineering as not acceptable and brute forcing the combination would take more than 20 years. At that time the key used to stay active for two weeks, meaning you had two weeks to get the key before it changed and a new key was assigned to that user.
I submitted this to ClubHack (http://www.clubhack.com), one of the first Indian hacker conferences, now in its 5th year, and presented it at the “ClubHack2011” conference held on 3rd December 2011 in Pune. On 5th December, i.e. two days after the presentation, I checked again and found that the key that used to be active for two weeks now expires on a single use, so once you use the link it is of no further use. But here is one of the important facts: most users do not use these links, and the Type 3 link can never be used, so the key for this type and for the rest of the unused links will not expire. This link was working on the date this advisory was drafted. Now the power is in your hands.
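A constructed model of the key lifecycle described above, added here and not the page's or Facebook's code: it compares the original two-week key, the fix (key replaced after each use), and a policy that also puts an absolute expiry on keys, showing that single-use alone stops replay but leaves never-used keys valid indefinitely, which is the gap the paragraph above points out. The class and policy names (KeyStore, POLICY_*) and the dates are assumptions for illustration.

```python
import secrets
import string
from datetime import datetime, timedelta

# Constructed model (not Facebook's code) of the three key policies the
# advisory describes: two-week validity, single-use replacement, and both.
POLICY_TWO_WEEKS = {"ttl": timedelta(days=14), "single_use": False}
POLICY_FIX       = {"ttl": None,               "single_use": True}
POLICY_HARDENED  = {"ttl": timedelta(days=14), "single_use": True}

ALPHABET = string.ascii_letters + string.digits   # charset of the 8-char "l" key

class KeyStore:
    def __init__(self, ttl, single_use):
        self.ttl = ttl                # None: key is only replaced when used
        self.single_use = single_use
        self.keys = {}                # key -> (mlid, issued_at)

    def issue(self, mlid, now):
        key = "".join(secrets.choice(ALPHABET) for _ in range(8))
        self.keys[key] = (mlid, now)
        return key

    def redeem(self, key, now):
        """Return the mlid this key grants access to, or None if rejected."""
        entry = self.keys.get(key)
        if entry is None:
            return None
        mlid, issued_at = entry
        if self.ttl is not None and now - issued_at > self.ttl:
            del self.keys[key]        # absolute expiry, used or not
            return None
        if self.single_use:
            del self.keys[key]        # consumed; a later replay must fail
        return mlid

def demo(policy, mlid="1234567890"):
    """Outcome of (owner's first use, replay a day later, never-used key at day 60)."""
    t0 = datetime(2011, 12, 5)
    store = KeyStore(**policy)
    used = store.issue(mlid, t0)
    never_used = store.issue(mlid, t0)
    first = store.redeem(used, t0 + timedelta(days=1))
    replay = store.redeem(used, t0 + timedelta(days=2))
    stale = store.redeem(never_used, t0 + timedelta(days=60))
    return first, replay, stale

if __name__ == "__main__":
    for name in ("POLICY_TWO_WEEKS", "POLICY_FIX", "POLICY_HARDENED"):
        print(name, demo(globals()[name]))
```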
____________________________________________________________________


Timeline:
->Vulnerability discovered:  25th July 2011
->Reported to vendor:  24th August 2011 via (facebook.com/whitehat)
Waited 10 days; no one responded.
->Reported to vendor 2nd: 4th September 2011
->Vendor responded (finally): 7th September 2011
Stating that they have explicitly listed social engineering as “not acceptable” on https://www.facebook.com/whitehat/bounty/ and that brute forcing would take years to hit the right key.
->Replied to previous mail: 7th September 2011
With clarification and a focus on the URL shortening feature; waited for their response but got nothing.
->Replied 2nd attempt: 12th September 2011
Asked to confirm whether they are taking any action or not.
->Vendor replied: 14th September 2011
“We are taking no action as we don't consider this a serious threat.
Thanks for contacting Facebook,”
->Presented in ClubHack2011: 3rd December 2011
->Fix applied (noticed on): 5th December 2011
Facebook fixed it by replacing the 2-week validity period of the key with a new key after every use.
->Advisory Published: 22 December 2011
____________________________________________________________________


Disclaimer:
The information contained in this advisory is believed to be accurate at the time of authoring, but no representation or warranty is given, express or implied, as to its accuracy or completeness.  Neither the author nor the publisher accepts any liability whatsoever for any direct, indirect or consequential loss or damage arising in any way from any use of or reliance placed on, this information for any purpose.


15 comments:

  1. Dude, I did not understand at all. Can I recover my locked account with your technique? What is all this for?

    Replies
    1. Appy, this is a vulnerability in Facebook that can be used to hack into multiple accounts. It can also help you only if you have registered your cellphone on Facebook for receiving the notifications.

  2. I didn't understand a word, sorry, my bad. Please help me; my Gmail: jeevanreddymandali@gmail.com. Please chat with me there.

  3. Hey, I have a Checkpoint and it's connected to my phone, but I lost my phone. Will this help?

  4. Hi, my Facebook account cannot open anymore because Facebook blocked me. Can you help me? Here's my username: Besthomebuycavite@hotmail.com.

    Thanks much

  5. Can I bypass it using my PC instead of a handphone?

  6. I use Facebook for online business; I don't really know them. Now they ask me to identify the tagged people... Who can help me skip this step?

  7. Hey,
    my Facebook account is locked.
    It asks for ID cards; can I bypass it?
    I really need some information in it!
    heyhal58@yahoo.com

  8. I still do not understand this very much, but today I discovered something really weird that I would like someone to explain to me if possible. I occasionally check out an ex-friend's Facebook page to see what she is up to, as I don't trust her. She has a few personality disorders and my gut has just told me to keep an eye on her, as she decided I was an enemy of hers for not allowing her to take advantage of me one more time and also for becoming closer to a mutual friend of ours who also does not want anything to do with her anymore. I look at her page and there is a post that says, "Know Thyself" and a link that includes m.facebook.com. (I deactivated my account so I can't retrieve it right now.) But I also noticed that the word google was embedded in that URL as well. I clicked on it and, much to my horror, I was able to see all my own Facebook info, including a link to private messages, etc. All the stuff that would normally be in my news feed was on display as well. I changed my password and it still showed up. I finally deactivated my account. She does have a cell phone whereby she can access Facebook and I am wondering if she was stalking me again and got this info by some accidental bug through the Facebook mobile code? I am also wondering if this is just some weird thing where any other person who might click on that link will see only their own info and not mine. It did not look like her account had been hacked at all, as other posts of the type only she would post were posted the same day. Can someone tell me what the hell this was about? I can't find an answer and the only thing close I came up with is one of your descriptions, but I am having a hard time understanding how this would happen. Thank you very much. (I am waiting for one friend I trust who has her on her list of friends to go and check it out for me and see what she finds.) Only friends of friends of hers can see this. Thank you!

    Replies
    1. Hey Kaylight,
      I am also amazed how this can be possible;
      it would be great if you could share the link by mail, or any other detail that will help.
      As far as the mobile link is concerned, it is useful only for a day or 2.
      You could also check your settings page; it might be that some number is registered there, and disable the notification setting.

  9. Hey, please, I need help on my old account... I would really appreciate it, thanks...

    I had a phone that I used Facebook with, but now I don't have that phone because it is disconnected now... I can't get it... It says SECURITY CHECK PLEASE ENTER YOUR CONFIRMATION CODE WE HAVE SENT TO YOU.

    But I can't get the code since my phone got disconnected.

    PLEASE PLEASE PLEASE HELP, IT WOULD REALLY BE APPRECIATED, THANKS :)

  10. My ex has hijacked my FB a/c and has set up login verifications and recognised-device security, locking me out completely... She also has my old mobile phone and has changed any verifications to the old number that I have no access to, as everything was changed into her name prior to me leaving her.

    Is there any way I can hack back in without her becoming aware through the SMS and email verifications telling her 1. that someone has tried to log in, and 2. that a login has occurred from an unrecognised device?

    Thanks for any help you can give me.

    the beanos

  11. fatimaabbas_@yahoo.com.
    Can you please help me to get through the photo security check, where I have to recognise all the photos?
    Reply to me at
    daniyalyounis@gmail.com

  12. Well, nice to see this post, but unfortunately this method is not working anymore. You may check this now. Facebook Hacking tool 2016 100% Working
