Affected Application: Facebook.com
Exploit Platform: Remote
Impact: Full Access to Facebook profile
Severity: High
Author: Anand Pandey
Email: anandkpandey1 (at) gmail (dot) com
Video: http://www.youtube.com/watch?v=9CtxQxyEf40
____________________________________________________________________

->Description:
• Accessing a Facebook account with just one single link, bypassing all the
security mechanisms implemented by Facebook for preventing unauthorised
access and providing a secure login to users.
• No way to track the unauthorized access or to know that someone has
accessed your account (unless the intruder made some changes).
____________________________________________________________________

->What it can do?
It has the power to bypass all the security mechanisms applied by
Facebook. It does not require the username/password, won't present you with
a checkpoint, will not track your location (so no geographical-location-based
restrictions) and triggers no login review for the user; the user will not
be presented with any notification of whether the user or someone else has
accessed his/her account. Most importantly, no active session is created
or listed, so you will have full access to those resources where the
password is not required (because you don't have the password), and there
is no way anyone can track you, unless you make the mistake of changing the
profile picture or scream loudly.
____________________________________________________________________

->How is this link generated?
This link is generated by Facebook for those who have registered their cell
phone on Facebook to receive notifications of activity on their accounts
by SMS. Facebook generates this link for the convenience of those mobile
users and sends it via SMS. You will receive a notification from Facebook
stating that XYZ has commented on your photo (with the comment made) and a
direct link to that photo, so you will not have to log in every time to
view your photos for comments or for anything else when using that
particular link.
____________________________________________________________________

->Which notifications contain this link?
• A comment made on your photo.
• A comment on your link.
• A comment made after yours on a photo or a link.
• Someone tagged you in a photo.
____________________________________________________________________

->What does this link look like and what does it contain?
The links that you receive from the above mentioned notifications are all
different and have also changed over time. So here we will discuss each of
them with examples.

* Type 1
http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
Now let us understand the link.
Here “m.facebook.com” shows that it is the Facebook site for mobile users and
“photo.php” shows it is something related to photos on Facebook.
“pid” is the unique number assigned to the particular photo on which the
comment was made or in which someone tagged you.
“id” is the unique numeric user id of the user who commented on your photo
or tagged you in it; in other words, the user id of the person whose action
generated this notification.
“mlid” is the unique numeric user id of the account holder for whom the
notification is generated.
“l” is an 8-character random combination of digits and letters in both
lower and upper case, and this is the key to enter the account, so we will
call it the “key”.

This is the link generated specifically for photos. It is generated when
someone tags you in a photo, comments on a photo uploaded by you, or
comments on a photo after your comment.
For this link to work only two parameters are required, “mlid” and “l”; the
rest can be any number or can even be removed, and this is true for all the
links.

* Type 2
http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
Here “m.facebook.com” shows that it is the Facebook site for mobile users and
“story.php” shows it is something related to shared links on Facebook.
“share_id” is the unique numeric id assigned to the link shared by you.
“mlid” is the unique numeric user id of the account holder for whom the
notification is generated.
“l” is an 8-character random combination of digits and letters in both
lower and upper case, and this is the key to enter the account, so we will
call it the “key”.
This is the link that is generated and sent to you by SMS when someone
comments on a link shared by you.

The links mentioned above are what Facebook used to send earlier, but since
these links take up more SMS space, Facebook implemented a URL-shortening
feature to shorten them and save some space and cost per SMS.
So here we will look at what the shortened links look like.

* Type 3
http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy
This is the shortened URL of the “Type 1” link.
“fb.me” is the domain Facebook uses specifically for its URL-shortening
feature.
Here the series of “x” is the unique numeric Facebook user id of the user
whose action generated this notification (“id” in the long URL of Type 1).
And the series of “y” is the key (“l” from the long URL of Type 1).
Here I want to bring your attention to the point that this link will not
work, because when converted back to the long URL it is missing an
important parameter, i.e. the “mlid”.

* Type 4
http://fb.me/xxxxxxxxxxxxxx
This is the shortened URL of the “Type 2” link.
Here the series of “x” is a 14-character random combination of digits and
letters in both lower and upper case.
And this link really works.
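As an added example (not part of the original advisory and not Facebook's code), here is a small Python classifier for the four link shapes described above. A defender reviewing forwarded SMS or link logs could use it to flag links that carry an account key, and key_space_bits() puts a number on the 8-character and 14-character keys. The host names and parameter names are taken from the advisory; the sample ids and keys in SAMPLE_LINKS are constructed.

```python
import math
import re
from urllib.parse import parse_qs, urlparse

# Alphabet size of the key as the advisory describes it: digits plus
# upper- and lower-case letters (10 + 26 + 26).
KEY_ALPHABET_SIZE = 62

# Patterns for the four link shapes in the advisory.
LONG_KEY_RE = re.compile(r"^[A-Za-z0-9]{8}$")                 # "l" in Type 1 / Type 2
SHORT_PHOTO_RE = re.compile(r"^/p/(\d+)\.([A-Za-z0-9]{8})$")  # Type 3: fb.me/p/<id>.<key>
SHORT_STORY_RE = re.compile(r"^/([A-Za-z0-9]{14})$")          # Type 4: fb.me/<14 chars>

# Constructed sample links: every id and key below is made up and only
# follows the shapes described in the advisory.
SAMPLE_LINKS = [
    "http://m.facebook.com/photo.php?pid=123456&id=1000000000000001&mlid=2000000001&l=aB3dE7gH",
    "http://m.facebook.com/story.php?share_id=3000000000000002&mlid=2000000001&l=Zz9Yy8Xx",
    "http://m.facebook.com/photo.php?pid=123456&id=1000000000000001&l=aB3dE7gH",  # mlid missing
    "http://fb.me/p/1000000000000001.aB3dE7gH",
    "http://fb.me/Ab12Cd34Ef56Gh",
    "https://www.facebook.com/login.php",  # ordinary link, carries no key
]


def classify_link(url):
    """Classify `url` against the four link types in the advisory.

    Returns a dict with:
      type          - 1, 2, 3, 4 or None when the URL is not one of them
      key           - the "l" value (Types 1-3) or the 14-character token (Type 4)
      mlid          - the account id the notification was generated for, if present
      grants_access - True when, per the advisory, the link as written would open
                      the account without a password (mlid and l both present for
                      Types 1-2, any well-formed Type 4; never for Type 3)
    """
    parsed = urlparse(url)
    host = parsed.netloc.lower()
    result = {"type": None, "key": None, "mlid": None, "grants_access": False}

    if host == "m.facebook.com":
        if parsed.path == "/photo.php":
            result["type"] = 1
        elif parsed.path == "/story.php":
            result["type"] = 2
        else:
            return result
        query = parse_qs(parsed.query)
        result["key"] = query.get("l", [None])[0]
        result["mlid"] = query.get("mlid", [None])[0]
        # The advisory states only mlid and l are needed; pid, id and
        # share_id may be anything or absent, so they are not checked.
        result["grants_access"] = bool(result["mlid"]) and bool(
            result["key"] and LONG_KEY_RE.match(result["key"]))
        return result

    if host == "fb.me":
        match = SHORT_PHOTO_RE.match(parsed.path)
        if match:
            # Type 3 expands to a Type 1 link without mlid, so it never works.
            result.update(type=3, key=match.group(2))
            return result
        match = SHORT_STORY_RE.match(parsed.path)
        if match:
            result.update(type=4, key=match.group(1), grants_access=True)
        return result

    return result


def key_space_bits(length, alphabet_size=KEY_ALPHABET_SIZE):
    """Entropy in bits of a uniformly random key of `length` characters."""
    return length * math.log2(alphabet_size)


def links_granting_access(urls):
    """Filter `urls` down to those a reviewer should treat as credentials."""
    return [url for url in urls if classify_link(url)["grants_access"]]
```

Run against SAMPLE_LINKS, links_granting_access() returns the first two long links and the Type 4 short link; the long link without mlid and the Type 3 link are rejected for the reasons the advisory gives. key_space_bits(8) is about 47.6 bits and key_space_bits(14) about 83.4 bits, which is the whole difference between the long-link key and the Type 4 token from a defender's point of view: a bearer token in an SMS is only as strong as its entropy and its lifetime.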
____________________________________________________________________

->What can be done?
Here is what can be done with these links.
If you want to target any user, then social engineering is the best
technique to do so (other options being a great network of bots or fast
techniques to brute force the key). What you need for that is the “mlid”
(you can get this by just browsing to the profile page of that user and
viewing the source to locate the username and assigned user number) and the
key, “l” (this is where the problem lies).
Now for the key, you have to either try all the possible combinations or
use your social engineering tricks to get the key directly from the SMS of
the user. Use your imagination.
And if you want to target a random account, then the best thing will be to
focus on the Type 4 link, because this is the link which does not contain
any personalised contact info for any particular account; it is like a
database with millions of direct links to millions of random user accounts.
What can be done in this case is to brute force the random combination and
harvest all possible direct links, which is a massive issue and needs to be
addressed.
One more thing that can be used is malware for mobile phones, given the
latest burst in the use of smartphones, including Android, iPhone,
BlackBerry etc., and the development of advanced viruses and malware for
these platforms. This malware can be used to forward these particular SMSs
or upload them directly online.
____________________________________________________________________

->A little more information
I reported this issue to Facebook on 24th August, 2011. But the reply I got
from them was an unexpected one. What they stated is that they are not
taking any action on this issue as they have explicitly mentioned the
social engineering technique as not acceptable and brute forcing the
combination will take more than 20 years. At that time this key used to be
active for two weeks. This means that you have two weeks to get the key
before it changes and another key is assigned to that user.
I submitted this to ClubHack (http://www.clubhack.com), one of the first
Indian hacker conferences, in its 5th year, and presented the same at the
“ClubHack2011” conference held on 3rd December, 2011 in Pune. On 5th
December, i.e. two days after the presentation, I checked again and found
that the key that used to be active for two weeks now expires on a single
use, so once you use the link it will be of no use. But here is one of the
important facts: most users do not use these links and the Type 3 link can
never be used, so the key for this type and for the rest of the unused links
will not expire. This link is working on the date the advisory was drafted.
Now the power is in your hands.
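The fix noticed on 5th December (the key changes after every use) and the gap that remains (keys in links that are never used do not expire) can be illustrated with a token store that enforces both single use and an absolute lifetime. This is an added example of the defensive design, not Facebook's implementation; the class, its method names, the 14-day lifetime used in the usage note and the 24-byte token length are assumptions.

```python
import secrets
import time


class NotificationLinkTokens:
    """Server-side store for per-notification access keys of the kind the
    advisory describes. Assumed design, not Facebook's implementation:
    every key is single-use AND has an absolute expiry, so a key that is
    never clicked still dies when its lifetime runs out."""

    def __init__(self, ttl_seconds, clock=time.time):
        self.ttl_seconds = ttl_seconds
        self.clock = clock          # injectable so tests can move time forward
        self._tokens = {}           # token -> (account_id, expires_at)

    def issue(self, account_id):
        """Mint a key for a notification sent to `account_id`."""
        # 24 random bytes (~192 bits) rather than 8 alphanumeric characters
        # (~48 bits); URL-safe so it can go straight into the link.
        token = secrets.token_urlsafe(24)
        self._tokens[token] = (account_id, self.clock() + self.ttl_seconds)
        return token

    def redeem(self, token, account_id):
        """Return True once for a live key bound to `account_id`.

        The key is removed on the first attempt, whatever the outcome, so a
        guessed or replayed key cannot be retried against another account."""
        entry = self._tokens.pop(token, None)
        if entry is None:
            return False
        owner, expires_at = entry
        if self.clock() > expires_at:
            return False
        return secrets.compare_digest(owner, account_id)

    def purge_expired(self):
        """Drop unused keys whose lifetime has passed; returns how many."""
        now = self.clock()
        expired = [t for t, (_, exp) in self._tokens.items() if now > exp]
        for t in expired:
            del self._tokens[t]
        return len(expired)

    def live_count(self):
        """Number of keys that could still open an account."""
        return len(self._tokens)
```

With a 14-day lifetime, redeeming a key twice fails on the second attempt, and a key that was issued but never clicked fails once the clock passes its expiry, which is exactly the case the advisory says the single-use change alone leaves open. purge_expired() is the housekeeping that keeps stale keys from accumulating on the server side.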
____________________________________________________________________

Timeline:
->Vulnerability discovered: 25th July 2011
->Reported to vendor: 24th August 2011 via facebook.com/whitehat
Waited for 10 days, no one responded
->Reported to vendor 2nd: 4th September 2011
->Vendor responded (finally): 7th September 2011
Stating that they have explicitly mentioned social engineering as “not
acceptable” on https://www.facebook.com/whitehat/bounty/  and brute forcing
will take years to hit the right key.
->Replied to previous mail: 7th September 2011
With clarification and focus on hitting the URL shortening feature and
waited for their response but got nothing.
->Replied 2nd attempt: 12th September 2011
Asked to confirm whether they are taking any action or not.
->Vendor replied: 14th September 2011
“We are taking no action as we don't consider this a serious threat.
Thanks for contacting Facebook,”
->Presented in ClubHack2011: 3rd December 2011
->Fix applied (noticed on): 5th December 2011
Facebook fixed it by changing the key after every use instead of keeping
it active for two weeks.
->Advisory Published: 22 December 2011
____________________________________________________________________

Disclaimer:
The information contained in this advisory is believed to be accurate at
the time of authoring, but no representation or warranty is given, express
or implied, as to its accuracy or completeness.  Neither the author nor the
publisher accepts any liability whatsoever for any direct, indirect or
consequential loss or damage arising in any way from any use of or reliance
placed on, this information for any purpose.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
