Wednesday, 4 January 2017

Account Compromise though brute forcing FB disavowed link - Multiple Subdomains


Another bug in Facebook. This time on multiple subdomains of FB are found to be vulnerable to brute forcing.

Facebook is not limiting the attempts made to access disavowed page, resulting account take over by brute force.

Vulnerability Type : Missing rate limiting or anti automation measures
Vulnerable Service : Facebook Disavow
Vulnerable URL : https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY

Vulnerable Domains : All the following domains are found to be vulnerable with the same flaw.

  www.facebook.com
  www.beta.facebook.com
  m.facebook.com
  m.beta.facebook.com
  iphone.facebook.com
  developers.facebook.com
  lookaside.facebook.com

Attack Scenario :

Assume victim has forgot his/her password and used the forgot password feature to reset his/her account password. Now facebook will send a password reset confirmation mail, which contains a link for incase if the password was actually reset by any attacker. Users can use this link to gain access to the account which was believed to be already compromised by an attacker.

However this link is not having any rate limiting, which makes it possible for an attacker to brute force the victims disavowed feature, resulting to accoount compromise again.

steps to reproduce:
1. reset any facebook user account and facebook will send a mail to the users account which contains a link just like below.

https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY&l=en_US&ext=1462982490&hash=AS8kzJqt8UJNKrgI

2. Now try and brute force the parameter " n " to gain access to the victim's account. Note that params ext, hash are not getting validated. You can ignore them or remove them from the brute force requests.

ex: https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY

3. Once successfull brute force, application will redirect to a page where it will ask to secure the account by one of the available method.
ex: enter correct DOB or an photo ID. These information can be acquired by other measns such as accessing victim's profile before started attacking (assuming most people dont keep DOB private).

or

Any Photo ID will be accepted if it is not already set.

4. Once you complete the above step, victim's accoount will be successfully taken over by Attacker.

Impact :
Total FB account can be taken over. Or by successfull initiation of disavow process will hide the FB account from active FB accounts till the securing process is completed, there by causing a temporary blcoking.

Video POC :

However, the possibility of brute forcing is very less as the 'n' value takes alphabets with both upper and lower cases, which means the number of possible combinations is a bit high. But with a proper computational resources and time, it is possible to break the same.

No comments:

Post a Comment