Opinion Tuesday #1: Hack Every Facebook Account!
Hello everyone! Today, I am starting a new series called "Opinion Tuesday". In this series, I will talk about a recent event within the technology/cybersecurity world, and I'll do that every Tuesday.
The point of this series is that we will all come together every Tuesday to discuss the subject I've selected. I've noticed that Null Byte has a lack of both active news articles (OTW's post about the Pentagon bounty hunt is the last one in like 1 month), and it also misses good discussions. That's a pity, because when we all come together and discuss a given subject, we can accomplish a lot! So with this series, I hope to change this. The general point of this series will be:
- A platform to learn about recent events.
- A playground for the community to come together and talk about the event.
I will post an article every Tuesday in this series. The articles will consist of 3 parts:
- The Rules. Only included in the first (this) article.
- The event. Here I will talk about the event.
- Phoenix's Opinion. Here, I'll give my opinion about the subject. Of course, you're allowed to disagree with me and have a discussion in the comments about it. I love discussions!
Now that you know what this series is about, let's talk about the rules.
1.) The community rules still apply!
2.) Do not swear! This one is VERY important! I've started this series in the hope that the community can peacefully have a discussion in order to learn something from it. Swearing at others only has a negative effect on the learning process. And thus, I don't want to see any offensive language in the comments!
3.) Put your opinion across in a civilized manner. You're here to give your opinion about the subject. That's good, I mean, this series is called "Opinion Tuesday" after all; the entire point is that you give your opinion! But please, put your opinion across in a polite and civilized manner! There's no need to be aggressive with your opinion. Doing so will only make you lose the respect of the community.
4.) Discuss politely. You are allowed to disagree with someone. After all, this series is meant to have interesting discussions. But please, don't act aggressively towards someone because he has a different opinion. So try to bring up a discussion in a respectful manner.
5.) If you know you were wrong, just admit it. This one is also very important. If you've started a discussion and you have been proven wrong by fact, then just admit it. Simple as that. If you can admit you're wrong, you'll not only gain the respect of the community, but you'll also learn something. And we're all here to learn after all, aren't we?
Summary: this series is meant to allow the community to have a nice chat and nice discussions about a given subject, but where everyone can feel safe to express their opinion. So just treat each other with respect, both newbie and leet, and we can have very interesting discussions from which we all can learn!
As you could've guessed by the title, today we're going to talk about an interesting event involving Facebook!
Yesterday, on March 7th 2016, a fellow white hat hacker named Anand Prakash published a very significant vulnerability in Facebook's password recovery system.
When a user forgets his/her password on Facebook, they can request a 6-digit PIN code to be sent to their phone number/email. A code that is only 6 digits long doesn't take that long to brute force, but Facebook is aware of this, and you get locked out after 11-12 failed attempts.
However, Anand discovered that this filter is not present on subdomains like beta.facebook.com, so there he could make as many brute force attempts as he wanted! He tested this method on his own account and was successful in resetting his own password.
If he had wanted to, Anand could have accessed anyone's private photos, credit card info stored under the payment section, and much more!
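The whole bug is the difference between a rate limit enforced by one front end and a rate limit enforced on the account itself, so here is a small Python model of it. This is an added example written for this post, not Facebook's code or Anand's tooling; the host names, the account "alice", the 12-failure threshold and the `Frontend`/`ResetBackend` classes are all constructed to mirror the description above. In the vulnerable layout only the www host counts failures, so a second host that forwards to the same backend gets an unlimited budget; in the fixed layout the shared backend counts failures per account, so the lockout holds no matter which host name the request arrives through.

```python
import hmac
import secrets
from dataclasses import dataclass, field

# Hypothetical constant: the post reports a lockout after 11-12 failed attempts on the main site.
MAX_FAILED_ATTEMPTS = 12
PIN_SPACE = 10 ** 6  # a 6-digit code has one million possible values


@dataclass
class ResetBackend:
    """Constructed model of the reset backend shared by all host names.
    It stores the current PIN and a failed-attempt counter per account."""
    enforce_lockout: bool  # True = fixed design: the backend counts failures itself
    pins: dict = field(default_factory=dict)
    failures: dict = field(default_factory=dict)

    def issue_pin(self, account: str) -> str:
        """Generate a fresh 6-digit PIN for the account and reset its counter."""
        pin = f"{secrets.randbelow(PIN_SPACE):06d}"
        self.pins[account] = pin
        self.failures[account] = 0
        return pin

    def is_locked(self, account: str) -> bool:
        return self.failures.get(account, 0) >= MAX_FAILED_ATTEMPTS

    def check_pin(self, account: str, candidate: str) -> str:
        """Return 'ok', 'wrong' or 'locked'. The counter is keyed by account only,
        so it does not matter which host name forwarded the request."""
        if self.enforce_lockout and self.is_locked(account):
            return "locked"
        if hmac.compare_digest(self.pins.get(account, ""), candidate):
            self.pins.pop(account, None)  # a PIN is single-use
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        return "wrong"


@dataclass
class Frontend:
    """One host name (www, beta, ...) in front of the shared backend. In the vulnerable
    layout each host keeps its own counter and only some hosts enforce it."""
    host: str
    backend: ResetBackend
    enforces_lockout: bool
    local_failures: dict = field(default_factory=dict)

    def verify(self, account: str, candidate: str) -> str:
        if self.enforces_lockout and self.local_failures.get(account, 0) >= MAX_FAILED_ATTEMPTS:
            return "locked"
        result = self.backend.check_pin(account, candidate)
        if result == "wrong":
            self.local_failures[account] = self.local_failures.get(account, 0) + 1
        return result


def build_vulnerable():
    """Lockout lives in the www front end only; beta forwards everything unchecked."""
    backend = ResetBackend(enforce_lockout=False)
    hosts = {"www": Frontend("www", backend, True), "beta": Frontend("beta", backend, False)}
    return backend, hosts


def build_fixed():
    """Lockout lives in the shared backend; the host name no longer matters."""
    backend = ResetBackend(enforce_lockout=True)
    hosts = {"www": Frontend("www", backend, False), "beta": Frontend("beta", backend, False)}
    return backend, hosts


def evaluated_guesses(frontend: Frontend, account: str, pin: str, budget: int) -> int:
    """Send `budget` deliberately wrong guesses through one host and return how many
    the backend actually compared against the PIN (i.e. were not refused as 'locked')."""
    wrong = [f"{i:06d}" for i in range(budget + 1) if f"{i:06d}" != pin][:budget]
    return sum(1 for guess in wrong if frontend.verify(account, guess) == "wrong")


if __name__ == "__main__":
    for name, builder in (("vulnerable", build_vulnerable), ("fixed", build_fixed)):
        backend, hosts = builder()
        pin = backend.issue_pin("alice")  # constructed account
        via_www = evaluated_guesses(hosts["www"], "alice", pin, 100)
        via_beta = evaluated_guesses(hosts["beta"], "alice", pin, 100)
        print(f"{name}: www evaluated {via_www} guesses, beta then evaluated {via_beta} more")
```

Running the file prints the evaluated-guess counts for both layouts: the vulnerable one stops www at 12 but lets beta through unlimited, the fixed one stops both at 12 combined. The thing to take away is that the counter has to be keyed on the protected object (the account and its PIN), not on the path the request took to reach the backend.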
Anand accomplished this brute force attack using Burp Suite, similar to the attack OTW demonstrated here.
Facebook recognized the vulnerability and claims to have fixed it, and Anand received 15,000 USD.
Anand reported this vulnerability on 22 February 2016, and it was confirmed as fixed on 23 February 2016. His 15,000 USD was awarded on 2 March 2016.
Here is a video demonstration of Anand performing the attack:
Well, this certainly is an interesting event. The simplicity of the attack is especially intriguing. Instead of trying to bypass the filter present at the main Facebook domain, Anand looked at a different domain and discovered that the filter wasn't present there. A simple, but highly effective attack!
Another thing that springs to mind: is Facebook still vulnerable? Anand only looked at the beta.facebook.com domain, but a quick scan I just did revealed at least 126 subdomains! Maybe the Tor version of Facebook is still vulnerable to this attack? Facebook's network is huge, and I'm pretty certain that if one looks long enough, they could find another subdomain which doesn't have the filter enabled!
What about other social media? Could they be vulnerable to a similar attack too? I think they can be. Social media like Twitter also have huge subdomain networks. If we look long enough, I believe we could find subdomains vulnerable to a similar attack there too!
That is it for my opinion on the subject! What is your opinion on the subject? Comment it down below! I'm really curious what you guys have to say, both newbie and leet!
See you next Tuesday! And don't forget to share your opinion in the comments, because that's the entire point of this series!