ImaFia - Moving Security Forward: FOUND FACEBOOK VULNERABILITY

FOUND FACEBOOK VULNERABILITY passwd hack

#1 darkelf

  • ImaFia City Guard
  • Group: Member
  • Posts: 157
  • Joined: 03-March 08
  • Gender: Male

Posted 16 January 2012 - 07:14 AM

Hi, I found a Facebook vulnerability from a Turkish guy.. the vulnerability is that if you use a domain level other than www.facebook.com (example: x.facebook.com) the information is handled otherwise, and one could TAMPER WITH THE EMAIL AUTH DATA to send the confirmation email to the attacker's email, and this link-page doesn't check for previous passwords, so one could change the password and log in without any further ado.

But the attacker must know the victim's email address, and the worst of all is that they have updated this function since New Year so that the handlers maybe? check the token packets twice. I need some help; more people = more chances to crack something. They changed the GET function from what I understand, and they changed the confirmation script URL to hex code?

This vulnerability isn't popular at all.. so I'm thinking that they didn't mind sanitizing the code enough to prevent further exploits.


REFERER:	http://x.facebook.com/recover?cuid=AYgN0SgNxgW2gyg-8HgNZ53Cvj5RdK7V7-XXXn_GIk-TYiDlcPthoxSUA-P2d81d7rqGaa_N42VBzYzpaguuGBazBPUUoyGDUBD7YYkhoRNm37SUrL9LvhRh-FX6PetxpYpd5huCZD3c4_RXWhu_hDp0l1n7PEICkppMSK1-gxLFmw&refsrc=http%3A%2F%2Fx.facebook.com%2Frecover&refid=0&_rdr
COOKIE:	datr=RBsUT7FrOTTh_8JqLs5WYnke; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; lsd=LOuM6; m_ts=1326719401; L=2; reg_fb_ref=http%3A%2F%2Fx.facebook.com%2Frecover%3Fcuid%3DAYg4ZfAfedOw7TT_BUj6hKdk1zZTnHulCYjbO8yNLQMQNN6sAflr0uctssfHlsx8M4nM-Fpgn_VuyCM4r7OkEwTjxFiCVAjEOkA9C3T0ZC4Q1PhtfbSjX5ozNgR9M2Xp6IZD4uVzWmS4ifRACfyEDlSvI31zlKV9-1RDdbqRR7Gxiw%26s%3D100%26referer%3Dhttp%253A%252F%252Fx.facebook.com%252Flogin%252Fhelp%252Fidentify%252F%253Fselect_user_url%253D%25252Frecover%2526no_selection_url%253D%25252Fhelp%25252Fcontact.php%25253Fshow_form%25253Dcannot_identify%252526flow%25253Dpw_reset%2526instructions%253Dpassword_reset%2526flow%253Dpw_reset%2526skip_confirmation%253D1%2526refid%253D0%26refid%3D0; W=1326719429; i_id=%3Aasync_conf; sfiu=AYhFUajIX5kqTZc4rD5zdb5Ri7DaNwTXI0okem5R-8UeD17DcmskH82_T89aX8PrCFSchy0rfasQlU4nbt-1CRfrR3ITeCNhsM6_ge-RxD6wf1xR-I2H2JV9LHGy_BeOF0sKEiAr7uQtPaG6T16bhfUli3ggj7NTKkJ4EsRLAEBVFw
LSD:	LOuM6
POSTID:	cda97d47228e889ffc3bd811513b4a0e
CHARSET:	%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84
EMAIL AUTH:	AYgQ7G_APrmuZFhmHzRx5PFD-WW8O6R4jOb0-I_tJn0FWcR1EvW3aPid6Fj90fGc2D1FuyiFdisBX8SnL5jYjvZ6
CONFIRMATION (do_send_code):	%CE%95%CF%80%CE%B1%CE%BD%CE%B1%CF%86%CE%BF%CF%81%CE%AC+%CE%BA%CF%89%CE%B4%CE%B9%CE%BA%CE%BF%CF%8D+%CF%80%CF%81%CF%8C%CF%83%CE%B2%CE%B1%CF%83%CE%B7%CF%82
	%CE%95%CF%80%CE%B1%CE%BD%CE%B1%CF%86%CE%BF%CF%81%CE%AC+%CE%BA%CF%89%CE%B4%CE%B9%CE%BA%CE%BF%CF%8D+%CF%80%CF%81%CF%8C%CF%83%CE%B2%CE%B1%CF%83%CE%B7%CF%82


Before they patch it, you could pretend that you are the victim asking to reset the password using email, and when you send the data over, change the victim's EMAIL AUTH TOKEN to the attacker's EMAIL AUTH TOKEN, and the link would be sent to the attacker's email so he could change the password. They don't check anything else; if one could get hold of this link, he could steal the victim's account.

Don't leech.


EDIT:

They are using dynamic cookies .. this must be what they have changed. If someone wants to work on this..post here your findings.

If one finds it, it's going private.
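The weakness described in this post is a reset flow that lets the client decide where the reset link is delivered. As an added illustration (not part of this thread and not Facebook's code), the following Python shows that client-trusting pattern next to a hardened handler: the destination address is read from the account record, never from the request, and the token is HMAC-signed, time-limited, single-use and bound to the current password hash so it dies as soon as the password changes. The account store, server key, email addresses and function names are all constructed for this example.

```python
"""Password-reset flow: a client-trusting variant beside a hardened one.

Added illustration; account data, key and names are constructed placeholders.
"""
import hashlib
import hmac
import secrets
import time

# Constructed placeholder account store; password hashes are stand-ins.
ACCOUNTS = {
    1: {"email": "victim@example.invalid", "pw_hash": "hash-v1"},
    2: {"email": "attacker@example.invalid", "pw_hash": "hash-a1"},
}
EMAIL_INDEX = {acct["email"]: uid for uid, acct in ACCOUNTS.items()}

SERVER_KEY = secrets.token_bytes(32)  # per-deployment secret (assumed)
TOKEN_TTL = 15 * 60                   # token lifetime in seconds
USED_TOKENS = set()                   # single-use ledger (a DB table in practice)


def weak_request_reset(lookup_email, client_destination):
    """Weak pattern from the thread: the delivery address is taken from a
    client-controlled field rather than from the account being reset."""
    uid = EMAIL_INDEX.get(lookup_email)
    if uid is None:
        return None
    token = secrets.token_urlsafe(16)
    # Whoever controls client_destination receives the reset link.
    return {"user_id": uid, "sent_to": client_destination, "token": token}


def _sign(uid, expires, pw_hash):
    """HMAC over (user id, expiry, current password hash) with the server key."""
    msg = f"{uid}|{expires}|{pw_hash}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()


def hardened_request_reset(lookup_email, client_destination=None, now=None):
    """Hardened pattern: any client-supplied destination is ignored; the link
    goes to the address on file. The token is bound to the user id, an expiry
    and the current password hash, so a password change invalidates it."""
    uid = EMAIL_INDEX.get(lookup_email)
    if uid is None:
        return None  # caller should respond identically to avoid enumeration
    acct = ACCOUNTS[uid]
    expires = int(now if now is not None else time.time()) + TOKEN_TTL
    token = f"{uid}.{expires}.{_sign(uid, expires, acct['pw_hash'])}"
    return {"user_id": uid, "sent_to": acct["email"], "token": token}


def complete_reset(token, new_pw_hash, now=None):
    """Accept a token only if it parses, is unexpired, unused, and carries a
    valid signature for this account's current password hash."""
    try:
        uid_s, exp_s, sig = token.split(".")
        uid, expires = int(uid_s), int(exp_s)
    except ValueError:
        return False
    acct = ACCOUNTS.get(uid)
    if acct is None:
        return False
    now = now if now is not None else time.time()
    if now > expires or token in USED_TOKENS:
        return False
    expected = _sign(uid, expires, acct["pw_hash"])
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return False
    USED_TOKENS.add(token)
    acct["pw_hash"] = new_pw_hash
    return True


if __name__ == "__main__":
    weak = weak_request_reset("victim@example.invalid", "attacker@example.invalid")
    print("weak flow delivers to:", weak["sent_to"])
    hard = hardened_request_reset("victim@example.invalid", "attacker@example.invalid")
    print("hardened flow delivers to:", hard["sent_to"])
    print("reset accepted:", complete_reset(hard["token"], "hash-v2"))
    print("replay accepted:", complete_reset(hard["token"], "hash-v3"))
```

The hardened handler never echoes the destination back to the client, and a real deployment would also invalidate existing sessions once the password is rotated and rate-limit reset requests per account; `hmac.compare_digest` is used so that signature checking does not leak timing information.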

#2 darkelf

  • ImaFia City Guard
  • Group: Member
  • Posts: 157
  • Joined: 03-March 08
  • Gender: Male

Posted 16 January 2012 - 07:39 AM

UPDATE: I thought that if they didn't use dynamic cookies before on x.facebook.com, how about testing other domain levels *.facebook.com for the same vulnerability? I know that most mobile browsers don't use dynamic cookies, and I remember that if I log in from an old mobile they use different code from scratch, not only a different layout, because the old mobile browsers have compatibility issues.

1. Use the mobile's HTTP REFERRER?? Emulate a mobile environment?? How about WAN traffic, it's different from GPRS..

2. Change the mobile's OS and tamper data from it! (I know about booting a mobile with BackTrack, but the WIFI doesn't work yet.)

This thread is going to other forums as well because I don't see many people here. :P Peace!

#3 immortal

  • God Father
  • Group: System Administrator
  • Posts: 5,467
  • Joined: 19-December 05
  • Gender: Male

Posted 17 January 2012 - 08:18 PM

If I get a chance I will look into this tomorrow.