Friday, 14 June 2013

Hacking Any Facebook Account Exploit POC

This is my first documented Facebook vulnerability. I have a couple of other vulnerabilities which I will be disclosing once they are patched by the Facebook security team.

A critical vulnerability exists in Facebook that would allow a hacker to easily take complete control over any Facebook account. If the victim is logged into Facebook, all a hacker has to do is get the victim to visit a website link. Once the link has loaded, the attacker is able to reset the victim's password.

The vulnerability exists in the "claim email address" component of Facebook.

When a user tries to add an email address that already exists in the Facebook system, they have the option to "claim it".

When claiming an email address, Facebook did not check who the request came from. This allows an email to be claimed on any Facebook account.

In order to exploit this, you need 2 Facebook accounts.
1. An account with the email address (that you want to claim) already added to it.
2. Another account to initiate the claim process.

For example:

When making a claim request for a @hotmail.com email, you are taken to a link that looks like this:
https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs

Updated (July 16th):
--------------------------------------------------------------------------------------------------
Some people asked me to clarify how I got the link above, so I've added 2 new visuals below:

After the exploit was fully patched, here is what happens when you try to claim an email:


Now, since I did not take a screenshot of the claim process before the patch, I will provide an edited image of what the Claim popup dialog looked like (it's not exact):

Clicking on the "Claim" button would automatically redirect you to the link above
--------------------------------------------------------------------------------------------------

I found out that this parameter, appdata[fbid], was the encrypted email address. For this demonstration, the encrypted email was "funnyluv196@hotmail.com". The link will redirect you to the sign-in page for Hotmail. You must sign in with the email address that matches the encrypted parameter. Once signed in, you are taken to a final link that looks like this:
https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026

Viewing the source code will show that the claim email process has succeeded:
<script type="text/javascript">window.opener.location.href = "\/claim_email\/add_email\/check_code?email=funnyluv196\u002540hotmail.com&openid=1"; window.close();</script>
There were two important aspects that made this exploit simple.
- The link expires in around 3 hours, giving plenty of time for a hacker's use.
- It can be visited from any Facebook account because there is no check on who made the request.

All a hacker has to do is insert this link on a webpage as either an image or an iframe. Example:
<img src="https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026" width="0" height="0"/>
The victim is then sent a link to that page, e.g.:
http://evilsite.com/evilpage.html

Once clicked, the email (in this case: funnyluv196@hotmail.com) is instantly added to their Facebook account. The victim does not receive any notification whatsoever that this email has been added.

The hacker can then reset the victim's password using the newly added email address, allowing the attacker to take complete control over the Facebook account.
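The missing check, as an added illustration (not the page's or Facebook's code): a toy model of the initiate / provider sign-in / accept flow in which the accept step either ignores or verifies which account started the claim. The class and function names, the token format and the email address are constructed assumptions.

```python
import secrets

# Toy model of the claim-email flow (constructed for illustration; not Facebook's code).
# A claim is initiated by one logged-in account, the user proves ownership of the
# address at the mail provider, and the browser then loads an "accept" URL that
# carries an opaque token. The bug on this page: the accept step never checked
# that the account loading the URL was the one that initiated the claim.

CLAIM_TTL = 3 * 3600  # the page reports the link stayed valid for about 3 hours

class ClaimService:
    def __init__(self, bind_to_initiator):
        self.bind_to_initiator = bind_to_initiator
        self.claims = {}   # token -> (initiator_uid, email, issued_at)
        self.emails = {}   # uid -> set of addresses attached to that account

    def initiate(self, uid, email, now):
        """Account `uid` asks to claim `email`; returns the opaque token carried in the URL."""
        token = secrets.token_urlsafe(24)
        self.claims[token] = (uid, email, now)
        return token

    def accept(self, uid, token, now):
        """`uid` is whoever is logged in when the accept URL loads (the victim, under CSRF)."""
        record = self.claims.get(token)
        if record is None:
            return "unknown token"
        initiator, email, issued_at = record
        if now - issued_at > CLAIM_TTL:
            return "expired"
        # The fix: the token is bound to the session that started the claim.
        if self.bind_to_initiator and uid != initiator:
            return "rejected"
        del self.claims[token]           # single use, so a replayed link does nothing
        self.emails.setdefault(uid, set()).add(email)
        return "added"

def simulate(bind_to_initiator):
    """Attacker initiates, then the victim's browser loads the accept URL via a hidden <img>."""
    svc = ClaimService(bind_to_initiator)
    token = svc.initiate("attacker", "claimed@example.com", now=0)   # constructed values
    result = svc.accept("victim", token, now=600)
    return result, svc.emails.get("victim", set())

if __name__ == "__main__":
    print("no binding :", simulate(False))   # ('added', {'claimed@example.com'})
    print("bound      :", simulate(True))    # ('rejected', set())
```

With the binding in place the hidden-image load is refused, and the single-use deletion means a link that has already been accepted cannot be replayed within its lifetime.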

This vulnerability has been confirmed to be patched by the Facebook Security Team.

Video Demonstration Below:
(HD option is available.)

~Dan Melamed

13 comments:

  1. How did you decrypt the code? And what kind of encryption is that?

    1. I never decrypted the fbid parameter. When I attempt to add an email address that already belongs to another Facebook account, a popup shows up asking me if I want to "claim it"; clicking on that would generate the fbid parameter inside that link and you'd go on from there.

    2. Can you please explain to me how you got this link? https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs
  2. How can you send this link to the victim? Is it where I put my email?

    1. Once you have the final link you can send it to anyone and it'll add your email to their account. But please remember that this has already been patched.
  3. How do I make the claim request for the email?
  4. Critical Facebook vulnerability allows account hacking
    http://www.dan-melamed.com/2013/06/hacking-any-facebook-account-exploit-poc.html
  5. How do you generate this link...

    https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs

    or is it just for copy and paste?

    1. I've explained this in one of the comments posted on my YouTube video.
  6. Friend, does the method still work, or has Facebook already corrected this error?
  7. It is already patched? So we are wasting our time trying it, right?
  8. Hi Dan, thanks for sharing the details of this flaw.

    As far as I can see, Facebook uses Hotmail's API in the claiming process and I am wondering how much this has to do with the vulnerability. What can you say about this point? Have you tried with non-Hotmail email addresses?

    1. Yes, the other two vulnerable addresses were Gmail and Yahoo. Both of them used an OpenID link which was vulnerable to CSRF too, but that issue was fixed before I was able to record a video. So for simplicity, I wrote about the Hotmail flaw.

About Me

My name is Dan Melamed. I'm a security researcher, web developer, self-employed internet marketer, and entrepreneur with great ideas to share with the world. I was recently featured on Facebook's Whitehat page: http://facebook.com/whitehat/thanks/ You can follow me on Twitter @danmelamed
