Hi Geeks,

Fortunately, Facebook provides a functionality called "profile preview",
allowing users to see how their own profile appears to any other user.
It can be accessed using the URL:
http://www.facebook.com/profile.php?v=wall&viewas=<viewer_id>.

And this functionality has a bug. When the logged-in user allows anyone to
comment on his wall (via his privacy settings), a form (at least) is
given to allow users to comment on published posts. In such a case, when
you fill the viewas parameter with the id of any user, the script
returns - amongst other things - the post_form_id token of this very
user, along with the form needed to comment on the wall. For example,
setting your privacy settings adequately and going to
http://www.facebook.com/profile.php?v=wall&viewas=4 will reveal the
post_form_id token of Mark Zuckerberg. ;-)

This bug can also be found on the ajax feed
http://www.facebook.com/ajax/stream/profile.php?__a=1&profile_id=
<user_id>&viewer_id=<victim_id>.

Two drawbacks: first, you need the victim's id to retrieve his/her
post_form_id token. Then, you still need the second token, fb_dtsg. The
first problem is actually an easy-to-solve problem if you use a tiny
CSRF flaw located on the mobile version m.facebook.com. Indeed, the
"like" script does not require any anti-CSRF token: you can use it in a
CSRF attack to retrieve the name, and thus the id, of the victim.

N.B.: when a user logs into the main site, he is logged on any
mobile version as well, so everything is exploitable on the main
version.

The second problem could have been a serious problem if the Facebook
team had not left us with the possibility to send friend requests
without the fb_dtsg token on the touch version touch.facebook.com. We
consider this a flaw since a lot can be done once you are friends with
the victim.

We finish the description of the flaws with our last findings, two XSS
flaws located on each mobile version of Facebook, namely m.facebook.com
and touch.facebook.com. More precisely, the incriminated scripts are
http://m.facebook.com/l.php?u=<external address>&h=<hash> and
http://touch.facebook.com/l_warn.php?u=<external address>&h=<hash>,
redirecting users to the provided external address. When one omits the h
parameter, the script returns a warning including the external address,
which is not correctly sanitized before being sent back. Here are two
proof-of-concept URLs:
http://m.facebook.com/l.php?u=http://ex.xss/<script>alert('XSS');</script>
and
http://touch.facebook.com/l_warn.php?u=http://ex.xss/"<script>alert('XSS');</script>


Cheers,
0xN41K
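To make the redirector issue above concrete from the defender's side, here is an added example (constructed for this post, not Facebook's code) of a link-redirector in the style of l.php?u=<url>&h=<hash>: the warning page as described (address echoed raw) next to a hardened version that escapes it, plus an HMAC check for the h parameter. The secret key, hash scheme and page text are all assumptions.

```python
import hashlib
import hmac
import html
from typing import Optional, Tuple
from urllib.parse import urlparse

# Constructed example: a link-redirector modelled on the l.php?u=&h= endpoint
# discussed in the post. Secret, hash scheme and wording are assumptions.
SECRET_KEY = b"constructed-example-secret"  # placeholder, not a real key


def sign_url(url: str) -> str:
    """Return the h parameter that authorises an immediate redirect to url."""
    return hmac.new(SECRET_KEY, url.encode("utf-8"), hashlib.sha256).hexdigest()


def render_warning_vulnerable(url: str) -> str:
    """Warning page as the post describes it: the address is echoed unescaped."""
    return f"<p>You are leaving this site for {url}. Continue?</p>"


def render_warning_safe(url: str) -> str:
    """Hardened warning page: the address is HTML-escaped before being echoed."""
    return f"<p>You are leaving this site for {html.escape(url, quote=True)}. Continue?</p>"


def handle_redirect(u: str, h: Optional[str]) -> Tuple[int, str]:
    """Return (status, location-or-body) for a request to the redirector.

    Only http(s) destinations are accepted; a valid h (compared in constant
    time) yields a 302 to u; a missing or wrong h yields the escaped warning.
    """
    scheme = urlparse(u).scheme.lower()
    if scheme not in ("http", "https"):
        return 400, render_warning_safe("(rejected destination)")
    if h is not None and hmac.compare_digest(h, sign_url(u)):
        return 302, u
    return 200, render_warning_safe(u)
```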
