
How to Bypass Facebook's HSTS

Mar 9, 2016 01:47 PM
Mar 9, 2016 02:08 PM

Hey everyone, this will be a quick post.

At the time of writing (March 2016), Facebook does not use HTTP Strict Transport Security (HSTS, a response header that tells the browser to only use HTTPS when talking to that host from then on) on subdomains of facebook.com. That means that if someone uses Facebook in a different language and types the localized hostname, or follows a plain http:// link to it, the browser will attempt to connect over HTTP first, because it has no HSTS entry telling it otherwise. An attacker on the path (on the same Wi-Fi network, for example) can intercept that plaintext request and serve a different page, including a fake login one.

Here are a few images showing the process of stealing a victim's password:

Here's an example of someone accessing facebook.pl:

[Screenshot: the HTTP request to facebook.pl and its 301 response]

facebook.pl redirects to pl-pl.facebook.com, which is a subdomain of facebook.com. HTTP 301 means the resource has moved permanently, and the Location header gives the new URL. In this case we are redirected to https://pl-pl.facebook.com; once the browser follows that redirect the connection is encrypted and attackers can no longer see the data being sent. The weak spot is the hop before it: the request to facebook.pl went out as plaintext HTTP, and a man in the middle can answer it with whatever he likes.

If subdomains of facebook.com were covered by HSTS, either because each subdomain had sent the header on an earlier HTTPS visit or, more robustly, because the facebook.com policy carried the includeSubDomains directive or was on the browser preload list, the browser would connect to pl-pl.facebook.com over HTTPS automatically, without needing a redirect. Note that this would not cover the first request to facebook.pl itself; that is a separate domain and needs its own HSTS policy.
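To make the coverage rule concrete, here is a small simulation of a browser's HSTS store. It is an example added for this page, not code from the original post or from any real browser. It parses Strict-Transport-Security headers the way RFC 6797 describes them (max-age is mandatory, includeSubDomains is optional), then reports which scheme the browser would use when the user types a bare hostname. The hostnames and header values are constructed for the example and are not Facebook's actual policy.

```python
# Added example: a simplified browser HSTS store (not code from the original
# post or from any real browser). Hostnames and headers below are constructed.
import time
from dataclasses import dataclass


@dataclass
class HstsEntry:
    expires: float            # absolute time after which the entry is stale
    include_subdomains: bool  # whether the policy also covers subdomains


class HstsStore:
    def __init__(self, clock=None):
        # clock is an injectable "current time" so behaviour is deterministic;
        # None means use the real wall clock.
        self.clock = clock
        self.entries = {}

    def _now(self):
        return time.time() if self.clock is None else self.clock

    def record(self, host, header):
        """Process a Strict-Transport-Security header received from host.

        Returns True if the header was valid and applied. A browser only honours
        this header on an HTTPS response; the caller is assumed to enforce that.
        """
        max_age = None
        include_sub = False
        for directive in header.split(";"):
            name, _, value = directive.strip().partition("=")
            name = name.strip().lower()
            if name == "max-age":
                try:
                    max_age = int(value.strip().strip('"'))
                except ValueError:
                    return False
            elif name == "includesubdomains":
                include_sub = True
        if max_age is None:
            return False  # RFC 6797: max-age is mandatory, header is ignored
        host = host.lower().rstrip(".")
        if max_age == 0:
            self.entries.pop(host, None)  # max-age=0 removes the policy
        else:
            self.entries[host] = HstsEntry(self._now() + max_age, include_sub)
        return True

    def is_known(self, host):
        """True if an unexpired policy covers host, either directly or via a
        parent domain whose policy carries includeSubDomains."""
        labels = host.lower().rstrip(".").split(".")
        for i in range(len(labels)):
            entry = self.entries.get(".".join(labels[i:]))
            if entry is None or entry.expires <= self._now():
                continue
            if i == 0 or entry.include_subdomains:
                return True
        return False

    def first_request(self, host):
        """URL the browser fetches when the user types only the hostname."""
        scheme = "https" if self.is_known(host) else "http"
        return f"{scheme}://{host}/"


def walkthrough(clock=1_000_000.0):
    """Replay the situation from the post with constructed headers."""
    store = HstsStore(clock)
    # Parent domain sends HSTS without includeSubDomains (constructed header).
    store.record("facebook.com", "max-age=15552000")
    before = store.first_request("pl-pl.facebook.com")   # plaintext first hop
    # Same policy with includeSubDomains added: subdomains are now covered.
    store.record("facebook.com", "max-age=15552000; includeSubDomains")
    after = store.first_request("pl-pl.facebook.com")
    # A separate registrable domain is not covered by either policy.
    other = store.first_request("facebook.pl")
    return before, after, other


if __name__ == "__main__":
    labels = ("without includeSubDomains", "with includeSubDomains", "facebook.pl")
    for label, url in zip(labels, walkthrough()):
        print(f"{label}: {url}")
```

Running it shows the point of the post: with the constructed parent policy lacking includeSubDomains, the first request to pl-pl.facebook.com is http://, and the same policy with includeSubDomains flips it to https://. facebook.pl stays on http:// in both cases because it is a different domain.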

Here, as the man in the middle, we are answering a plaintext request for pl-pl.facebook.com (which the browser will send if the user types that hostname, since no HSTS policy covers it) with the contents of example.com:

[Screenshot: the contents of example.com served for pl-pl.facebook.com]

The address bar still shows pl-pl.facebook.com (over plain HTTP, so there is no padlock, but few victims look for one), so the victim is none the wiser.

If we copy the facebook login page and put it on example.com:

[Screenshot: the cloned Facebook login page served over HTTP]

...the victim is likely to log in, and the credentials are submitted over plaintext HTTP, where the attacker can read them off the wire.

If you live in an English-speaking country, the hard part will be getting your victim to connect to some subdomain of facebook.com at all, since they will normally go straight to the main site, which is not affected. You also need to be positioned to intercept the victim's traffic. Otherwise, exploitation of this is trivial.

Feel free to ask in the comments about details; I was in a bit of a rush writing this.
