Facebook Critical Vulnerability Allowing Hacker to Gain Access to Any Facebook Account within a Minute
Dan Melamed, a security expert and analyst, discovered his first vulnerability in the Facebook platform: a flaw that allows an attacker to gain access to any user account and reset its password within a minute.
The vulnerability is rated critical because it lets an attacker take over any user account and access that user's private information.
All the attacker has to do is send the victim a link to a web page while the victim is logged into Facebook; once the page has loaded, the attacker is able to reset the victim's password.
This security flaw exists in the "Claim Email Address" component of Facebook.
The proof of concept was published on Dan Melamed's official security blog.
When a user tries to add an email address that already exists in the Facebook system, they have the option to "claim it". When claiming an email address, Facebook did not check who the request came from. This allows an email to be claimed on any Facebook account.
In order to exploit this, you need 2 Facebook accounts.
1. An account with the email address (that you want to claim) already added to it.
2. Another account to initiate the claim process.
For example:
When making a claim request for a @hotmail.com email, you are taken to a link that looks like this:
https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs
I found out that this parameter appdata[fbid] was the encrypted email address. For this demonstration, the encrypted email was "funnyluv196@hotmail.com". The link will redirect you to the sign-in page for Hotmail. You must sign in with the email address that matches the encrypted parameter. Once signed in, you are taken to a final link that looks like this:
https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026
Viewing the source code will show that the claim email process has succeeded:
<script type="text/javascript">window.opener.location.href = "\/claim_email\/add_email\/check_code?email=funnyluv196\u002540hotmail.com&openid=1"; window.close();</script>
There were two important aspects which made this exploit simple.
- The link expires in around 3 hours, giving plenty of time for a hacker’s use.
- It can be visited on any Facebook account because there is no check to see who made this request.
All a hacker has to do is insert this link on a webpage as either an image or an iframe. Example:
<img src="https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026" width="0" height="0"/>
The victim is now sent a link:
http://evilsite.com/evilpage.html
Once clicked, the email (in this case: funnyluv196@hotmail.com) is instantly added to their Facebook account. The victim does not receive any notification whatsoever that this email has been added.
The hacker can then reset the victim's password using the newly added email address, thus taking complete control of the Facebook account.
This vulnerability has been confirmed to be patched by the Facebook Security Team.
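The root cause above is that the final accept link carried no binding to the account that started the claim, so any logged-in account that loaded it (even via a hidden image) completed the claim, and the link stayed valid for hours. The following is an added example, not code from Facebook or from Dan Melamed's write-up, of how a server can bind a claim token to the initiating account, the verified email, a short lifetime and single use, so that a token loaded in someone else's session is rejected. Key, TTL and account ids are constructed for the example; the email address is the one from the write-up.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Hypothetical server-side key; a real deployment keeps this in a secrets store.
SERVER_KEY = b"constructed-example-key-not-real"
CLAIM_TTL = 15 * 60   # 15 minutes (assumed); the original link lived around 3 hours
_used_nonces = set()  # single-use bookkeeping, in-memory for the example

def _sign(data: bytes) -> str:
    return hmac.new(SERVER_KEY, data, hashlib.sha256).hexdigest()

def issue_claim(initiator_uid: str, email: str, now: float = None) -> str:
    """Start a claim: the token records WHO asked, for WHICH email, and WHEN it expires."""
    now = time.time() if now is None else now
    payload = {"uid": initiator_uid, "email": email, "exp": now + CLAIM_TTL,
               "nonce": secrets.token_hex(8)}
    body = base64.urlsafe_b64encode(json.dumps(payload).encode()).decode()
    return body + "." + _sign(body.encode())

def complete_claim(token: str, session_uid: str, provider_email: str, now: float = None):
    """Finish a claim in the context of the current session. Returns (ok, reason)."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".", 1)
    except ValueError:
        return False, "malformed"
    if not hmac.compare_digest(sig, _sign(body.encode())):
        return False, "bad_signature"          # tampered payload
    payload = json.loads(base64.urlsafe_b64decode(body))
    if now > payload["exp"]:
        return False, "expired"                # short window instead of hours
    if payload["nonce"] in _used_nonces:
        return False, "replayed"               # a cached <img> cannot fire twice
    # The check that was missing: the account finishing the claim must be the one that started it.
    if payload["uid"] != session_uid:
        return False, "requester_mismatch"
    # The identity the email provider actually verified must match the email being claimed.
    if provider_email.lower() != payload["email"].lower():
        return False, "provider_email_mismatch"
    _used_nonces.add(payload["nonce"])
    return True, "ok"
```

Every rejection returns a distinct reason so the server can log a requester_mismatch as a likely cross-site attempt rather than silently failing.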