Account Compromise though brute forcing FB disavowed link - Multiple Subdomains


Another bug in Facebook. This time on multiple subdomains of FB are found to be vulnerable to brute forcing.

Facebook is not limiting the attempts made to access disavowed page, resulting account take over by brute force.

Vulnerability Type : Missing rate limiting or anti automation measures
Vulnerable Service : Facebook Disavow
Vulnerable URL : https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY

Vulnerable Domains : All the following domains are found to be vulnerable with the same flaw.

  www.facebook.com
  www.beta.facebook.com
  m.facebook.com
  m.beta.facebook.com
  iphone.facebook.com
  developers.facebook.com
  lookaside.facebook.com

Attack Scenario :

Assume victim has forgot his/her password and used the forgot password feature to reset his/her account password. Now facebook will send a password reset confirmation mail, which contains a link for incase if the password was actually reset by any attacker. Users can use this link to gain access to the account which was believed to be already compromised by an attacker.

However this link is not having any rate limiting, which makes it possible for an attacker to brute force the victims disavowed feature, resulting to accoount compromise again.

steps to reproduce:
1. reset any facebook user account and facebook will send a mail to the users account which contains a link just like below.

https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY&l=en_US&ext=1462982490&hash=AS8kzJqt8UJNKrgI

2. Now try and brute force the parameter " n " to gain access to the victim's account. Note that params ext, hash are not getting validated. You can ignore them or remove them from the brute force requests.

ex: https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY

3. Once successfull brute force, application will redirect to a page where it will ask to secure the account by one of the available method.
ex: enter correct DOB or an photo ID. These information can be acquired by other measns such as accessing victim's profile before started attacking (assuming most people dont keep DOB private).

or

Any Photo ID will be accepted if it is not already set.

4. Once you complete the above step, victim's accoount will be successfully taken over by Attacker.

Impact :
Total FB account can be taken over. Or by successfull initiation of disavow process will hide the FB account from active FB accounts till the securing process is completed, there by causing a temporary blcoking.

Video POC :

However, the possibility of brute forcing is very less as the 'n' value takes alphabets with both upper and lower cases, which means the number of possible combinations is a bit high. But with a proper computational resources and time, it is possible to break the same.

Comments

  1. BB.29 October 2018 at 08:05

    I would like to thank you for such a good post
    First Expert 3ed Student's Resource Book without key

    ReplyDelete
  2. Melissa17 February 2019 at 18:02

    Hello everyone, I just got my Business instagram account verified, I am so happy I met Mr James. I saw a recommendation about him and I contacted him. He helped me in getting my account verified, he was trustworthy and reliable. If you need help in hacking or getting your instagram account verified, I suggest you contact him (worldcyberhackers) through Gmail or WhatsApp: +12678773020

    ReplyDelete
  3. Asthprash22 October 2019 at 23:00

    I would like to thank you for such a good post
    Asthprash supports regular elimination.
    www.asthprash.com

    ReplyDelete

Post a Comment

Popular posts from this blog

Multiple Vulnerabilities in eFront CMS v3.6.15.4

Image
Hi friends, I am back with Three stories Today. There are multiple critical bugs effecting the e-front, one of the Top 10 e-learing cms available, version 3.6.15.4 build 18023. The details are as follows. Directory Traversal       ( CVE : 2015-4461 ) Local File Inclusion      ( CVE : 2015-4462 ) Bypass for Blocked extension file uploads      ( CVE : 2015-4463 ) About the e-front:   E-front is one of the Top 10 e-learning cms available free on the market till date. A small description from the vendor's site: "The core of eFront is distributed as an open-source project. We have created a superior training product and we are not afraid to let you try it! The open-source edit of eFront will cover a wide range of your needs. If you are looking for a specialized solution then take a look at different efront editions ." The Issues are fixed as part of new release, efront v3.6.15.5 build 18024. You can find the change log here Point of the Story:  
Read more

Cross Site Scripting through callback functionality

Image
Hello Guys, Today i would like to share a Cross Site Scripting Vulnerability that was existing in JSON/AJAX callback functionality. I found this vulnerability a few days back, but as the bug is fixed now, i'd like to share the story. The vulnerability is existing in the forgot password functionality. The forgot password functionality uses an ajax based request/response mechanism within the login page. While testing the application, i observed that the application is using a callback function to render the response into the application. This callback function name is being passed as a GET parameter. With a little analysis, i found that the callback parameter is vulnerable to Cross Site Scripting vulnerability. So i extracted the forget password request and crafted a GET based URL request with a simple XSS payload as the callback value. https://www.DUMMY-WEBSITE.com/users/ajaxonforgotpassword.php?callback=<script>alert(document.cookie)</script>&l
Read more

How I could Delete Instagram Captions and Comments that are not mine,.....

Image
Its been a while since i published my last post. So, here i come with a write up for chaining of multiple issues in Facebook Acquisition - Instagram, that could allowed me to delete entire comments/captions from the Instagram DB . Instagram Web and mobile Applications For the first 2 hours or so, I could not find anything as each request is added with a signature and I am lazy enough not to understand/reverse the signature logic. So as usual, i was about the close my Mac and then, saw a request without signature. request without a signature Bingo..something to play around. so i started working on the request, trying to find most common bugs, like sqli,xss, csrf etc.. Then to cross verify a csrf issue, I used my browser. But to my surprise, in later requests in browser app, there is no signature at all, but of-course csrf issue is properly protected. So while testing with both the App and Browser together, I realised that there is an authorisation flaw in t
Read more