Opinion Tuesday #1: Hack Every Facebook Account!

Hello everyone! Today, I am starting a new series called "Opinion Tuesday". In this series, I will talk about a recent event within the technology/cybersecurity world, and I'll do that every Tuesday.

The point of this series is that we all come together every Tuesday to discuss the subject I've selected. I've noticed that Null Byte has lacked both current news articles (OTW's post about the Pentagon bounty hunt is the last one in about a month) and good discussions. That's a pity, because when we all come together and discuss a given subject, we can accomplish a lot! So with this series, I hope to change that. The general aims of this series are:

  • A platform to learn about recent events.
  • A playground for the community to come together and talk about the event.

I will post an article every Tuesday in this series. The articles will consist of 3 parts:

  • The Rules. Only included in the first (this) article.
  • The event. Here I will talk about the event.
  • Phoenix's Opinion. Here, I'll give my opinion about the subject. Of course, you're allowed to disagree with me and have a discussion in the comments about it. I love discussions!

Now that you know what this series is about, let's talk about the rules.

The Rules

1.) The community rules still apply!

2.) Do not swear! This one is VERY important! I've started this series in the hope that the community can have a peaceful discussion and learn something from it. Swearing at others only harms the learning process, so I don't want to see any offensive language in the comments!

3.) Present your opinion in a civilized manner. You're here to give your opinion about the subject. That's good; this series is called "Opinion Tuesday" after all, and the entire point is that you give your opinion! But please present it politely. There's no need to be aggressive about it; doing so will only make you lose the respect of the community.

4.) Discuss politely. You are allowed to disagree with someone. After all, this series is meant to produce interesting discussions. But please don't act aggressively towards someone because they have a different opinion. Raise your disagreement in a respectful manner.

5.) If you know you were wrong, just admit it. This one is also very important. If you've started a discussion and you have been proven wrong by the facts, then just admit it. Simple as that. If you can admit you're wrong, you'll not only gain the respect of the community, you'll also learn something. And we're all here to learn, aren't we?

Summary: this series is meant to let the community have a nice chat and good discussions about a given subject, where everyone can feel safe to express their opinion. So treat each other with respect, newbie and leet alike, and we can have very interesting discussions from which we can all learn!

The Event

As you could've guessed by the title, today we're going to talk about an interesting event involving Facebook!

Yesterday, on March 7th 2016, a white hat hacker named Anand Prakash published a write-up of a very significant vulnerability in Facebook's password recovery system.

When a user forgets their Facebook password, they can request a 6-digit code to be sent to their phone number or email address. A 6-digit code has only one million possible values, so it can be brute-forced in a reasonable time; Facebook is aware of this, and on the main site you get locked out after 11-12 failed attempts.

However, Anand discovered that this lockout was not enforced on subdomains like beta.facebook.com, so there he could make as many brute-force attempts as he wanted. He tested the method on his own account and succeeded in resetting his own password.
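To make the mechanism concrete, here is an added example (not Anand's code, not Facebook's, and not part of the original post) that simulates a reset service whose lockout is enforced only on the main host, brute-forces the code through a second host, and then shows a hardened version that keeps the attempt counter inside the verification path itself. The toy service, the example-social.test hostnames and the 12-attempt threshold are assumptions constructed for this example. It also goes beyond the single beta subdomain in the write-up: audit_hosts() probes every hostname with wrong guesses and reports which ones never lock, which is the check a defender would run after such a fix.

```python
"""Simulation of the reset-code lockout bypass described above.

Constructed for this example: the toy ResetService, the hostnames in HOSTS
and MAX_ATTEMPTS are stand-ins, not Facebook's real endpoints or limits.
"""
import secrets

CODE_SPACE = 10 ** 6     # 6-digit code: 000000 .. 999999
MAX_ATTEMPTS = 12        # assumed lockout threshold on the main host

# Constructed hostnames standing in for www/beta/mbasic-style subdomains
HOSTS = [
    "www.example-social.test",
    "beta.example-social.test",
    "mbasic.example-social.test",
]


class ResetService:
    """Toy password-reset backend reachable through several hostnames.

    Only hosts listed in `limited_hosts` consult the per-account attempt
    counter: this mirrors a lockout bolted on in front of the main site
    instead of living inside the code-verification path itself.
    """

    def __init__(self, limited_hosts):
        self.limited_hosts = set(limited_hosts)
        self.codes = {}      # account -> current 6-digit code
        self.attempts = {}   # account -> failed attempts so far

    def request_code(self, account, code=None):
        # A fixed code may be supplied so the demo is reproducible.
        if code is None:
            code = f"{secrets.randbelow(CODE_SPACE):06d}"
        self.codes[account] = code
        self.attempts[account] = 0
        return code          # in reality delivered to the owner by SMS/email

    def verify(self, host, account, guess):
        """Return 'ok', 'wrong' or 'locked'."""
        if host in self.limited_hosts:
            if self.attempts[account] >= MAX_ATTEMPTS:
                return "locked"
            self.attempts[account] += 1
        # VULNERABLE: a host outside limited_hosts never touches the
        # counter, so an attacker can try all one million codes there.
        return "ok" if secrets.compare_digest(guess, self.codes[account]) else "wrong"


class HardenedResetService(ResetService):
    """Same service with the counter enforced inside verify() for every host."""

    def verify(self, host, account, guess):
        if self.attempts[account] >= MAX_ATTEMPTS:
            return "locked"
        self.attempts[account] += 1
        return "ok" if secrets.compare_digest(guess, self.codes[account]) else "wrong"


def brute_force(service, host, account):
    """Try every code in order via `host`; return (result, attempts_used)."""
    for n in range(CODE_SPACE):
        result = service.verify(host, account, f"{n:06d}")
        if result != "wrong":
            return result, n + 1
    return "exhausted", CODE_SPACE


def audit_hosts(service, hosts, probes=MAX_ATTEMPTS + 1):
    """Send `probes` wrong guesses through each host; return hosts that never lock.

    Every hostname that accepts the code must answer 'locked' once the
    threshold is reached; any host missing from that set is a bypass.
    """
    unlimited = []
    for host in hosts:
        account = f"probe-{host}"
        real = service.request_code(account)
        wrong = f"{(int(real) + 1) % CODE_SPACE:06d}"   # guaranteed incorrect
        results = [service.verify(host, account, wrong) for _ in range(probes)]
        if "locked" not in results:
            unlimited.append(host)
    return unlimited


def demo():
    """Reproduce the bypass, then show the hardened service closing it."""
    victim = "victim@example.test"
    vulnerable = ResetService(limited_hosts=[HOSTS[0]])
    vulnerable.request_code(victim, code="123456")
    via_main = brute_force(vulnerable, HOSTS[0], victim)      # ('locked', 13)
    via_beta = brute_force(vulnerable, HOSTS[1], victim)      # ('ok', 123457)

    hardened = HardenedResetService(limited_hosts=[HOSTS[0]])
    hardened.request_code(victim, code="123456")
    via_beta_fixed = brute_force(hardened, HOSTS[1], victim)  # ('locked', 13)

    return {
        "main": via_main,
        "beta": via_beta,
        "beta_after_fix": via_beta_fixed,
        "hosts_without_lockout": audit_hosts(vulnerable, HOSTS),
        "hosts_without_lockout_after_fix": audit_hosts(hardened, HOSTS),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable verify() only counts attempts when the request arrives through the main host, so the same account and the same code can be attacked without limit through any other host; the hardened version moves the counter into the verification step itself, which is where it has to be for every entry point to share it. With a 12-attempt cap an attacker guesses a 6-digit code with probability 12/1,000,000 per reset; with no cap the whole space is searchable.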

Had he wanted to, Anand could have accessed anyone's private photos, the credit card information stored under the payment section, and much more.

Anand carried out the brute-force attack with Burp Suite, similar to the attack OTW demonstrated here.

Facebook confirmed the vulnerability, says it has fixed it, and awarded Anand 15,000 USD.


Anand reported the vulnerability on 22 February 2016, and it was confirmed fixed on 23 February 2016. The 15,000 USD bounty was awarded on 2 March 2016.

Here is a video demonstration of Anand performing the attack:

Sources: http://www.anandpraka.sh/2016/03/how-i-could-have-hacked-your-facebook.html

Phoenix's Opinion

Well, this certainly is an interesting event. What intrigues me most is the simplicity of the attack: instead of trying to bypass the lockout on the main Facebook domain, Anand looked at a different host and found that the lockout was not enforced there at all. Simple, but highly effective! The lesson for defenders is that a lockout has to live in the code path that verifies the code, not in front of one domain: every host that accepts the code must share the same attempt counter.

Another question springs to mind: is Facebook still vulnerable? Anand only looked at beta.facebook.com, but a quick scan I just did turned up at least 126 subdomains! Maybe the Tor version of Facebook is still vulnerable to this attack? Facebook's network is huge, and I'm fairly certain that if one looks long enough, one could find another subdomain on which the lockout is not enforced!

What about other social media? Could they be vulnerable to a similar attack? I think they could. Sites like Twitter also have huge numbers of subdomains. If we look long enough, I believe we could find subdomains vulnerable to a similar attack there too!

Conclusion

That's it for my opinion on the subject! What is yours? Comment down below! I'm really curious what you all have to say, newbie and leet alike!

See you next Tuesday! And don't forget to leave your opinion in the comments, because that's the entire point of this series!

-Phoenix750


This series looks like it'll be a lot of fun!

As for the Facebook topic, it just goes to show that even the giants have cracks in their armor. I wouldn't be surprised if there are still vulnerable subdomains out there.

-Defalt

I look forward to participating in this series as it develops!
Opinion:

Don't really have one regarding Facebook, but I'm with The Defalt on this one. There are probably more vulnerable subdomains, unless of course Facebook has the world's best internal documentation.

-suser

This reminds me of a couple of years ago, when some hacker managed to change his unique identifier or something and took over an account like that, but he got paid more. The worst part is that he managed this by using Inspect Element. @__@

Good point! I personally believe that Anand should've gotten more money from Facebook (probably in the 100k-ish USD range). This attack is not only extremely simple, but devastating and clever at the same time!

It is so simple that anyone with basic knowledge of POST and GET requests could perform this attack. And it is also devastating; imagine what would've happened if a black hat had discovered this vulnerability!

And what Anand did is also really clever. I tried to brute-force the 6-digit pin as well, but I never thought of doing it on a subdomain!

-Phoenix750

Agree with you, man, never thought of subdomains.

Exchange is the basis of expanding one's intellectual horizon. Whether it is exchange of knowledge (e.g. in the form of tutorials) or exchange of opinions (which also allows exchange of knowledge). So I really appreciate you creating this topic and I look forward to what's coming next. Thank you, Phoenix.

btt:

Facebook's biggest vulnerability has always been password recovery. Well, I think most sites share that problem. But I remember a specific vulnerability: Facebook allowed you to reset your password by sending a passcode to three friends of your choice. Everyone with even a basic knowledge of social engineering knows how insecure that is.

As for this vulnerability: having spent no time researching it, it appears to me that this too is an obvious one, easy to exploit. This shows how even giant enterprises lack a specific mindset concerning information security issues. But you have to give them credit that they rewarded Anand for finding and reporting that vulnerability and actually did something about it. It is not rare to hear about companies doing nothing but suing the white hat in such cases.

Others' opinions have taught me 10x more than any textbook over the years, and I thought it was a shame we see so few discussions here on NB. So I wanted to encourage the sharing of opinions.

As for the suing part, I doubt Facebook could even do that after setting up their bug bounty program. Anand followed all their guidelines regarding the bug bounty program, so Facebook would be committing a crime themselves. That would be classified as fraud, I believe.

It's like letting an electrician come over while you're away because one of your outlets is broken, and afterwards accusing them of breaking into your house.

-Phoenix750

Honestly, the vulnerability obviously shouldn't have existed in the first place, but a hacker who doesn't have any access to the Facebook victim's phone won't be able to perform this attack, since it requires the 6-digit code, which Anand typed in himself from his own phone.

If a hacker doesn't have the victim's phone, he won't be able to perform this attack, making it useless. However, you can then hack into the individual's phone if necessary. I think 15,000 is just fine for this vulnerability.

The point of this attack is that he was able to brute-force the 6-digit pins without being locked out, so no user interaction was needed. Anand simply typed the first few digits to save time during the video.

Though you are right in a sense that this isn't the stealthiest attack out there. The victim will still receive the code on their phone, so they'll get suspicious.

-Phoenix750

I am aware of the purpose of this attack, and know that it is good it was pointed out by this fellow white hat.

My only intention was to clarify that this attack isn't the best fit if you want to be stealthy, given that you'll have to put in a lot more effort compared to the simplicity of the attack.

It indeed isn't the stealthiest option, but the fact that it doesn't require any user interaction (social engineering) is what makes this attack rare.

-Phoenix750

Awesome idea, Phoenix :)

To be honest, I'm jealous of that guy! It was a simple, straightforward vulnerability that anyone could have found; we just needed to think in the right way and search in the right place. I blame my mind /lol/.

At the same time, it really encourages me to keep learning hacking, because when a website like Facebook can still have simple vulnerabilities like that one, it gives me hope that I may find mine one day.

I feel the same way, Bara Adnan! But I guess it's just a combination of knowledge and luck in being the first person to notice it. I mean, everyone can just brute-force a password. The only thing we can do about it is learn for future vulnerability resonance.

I think "Opinion Tuesday" is a great idea, Phoenix750; I'll be sure to tune in every week!

I pretty much agree with what you're all saying...

Also, if you want to discuss opinions on days that aren't Tuesday, head over to #nullbyte on Freenode!!!

Just wanted to stop by and say thank you for this interesting new series. As for the Facebook vulnerability, I must say that it looks like quite a simple hack, but like you said, it is super effective. I never really think of looking at big companies like Facebook, Google, Twitter, etc. for vulnerabilities. You would think they would be nearly impenetrable. Anyway, thanks for the great new series, looking forward to reading more each week!

I have a question. When I started studying to become a white hat, the first thing I learned is that you must have permission from the owner of the server. I believe, however, that it's rather difficult to get it from giants such as Facebook and similar. So how should bug hunters behave to avoid incurring penalties or even charges?

Yes, playing with someone else's network is illegal except with their consent. However, big IT companies (with Google as their leader) have started adopting some changes in this area.

They have a charter that, if you follow and respect it, serves as the permission you are talking about.
Not all companies participate (last I checked, Apple wasn't part of it).

There are a lot of companies that reward hackers for presenting bugs and backdoors with money; you should check https://hackerone.com/, it has a lot of good info!

Google just doubled its reward to 100K for any successful Chromebook (in guest mode) hack. This comes after the bounty of 50K resulted in zero successful submissions for 2015.

Nice new series.

This reminds me a bit of what happened with iCloud a little while back. The idea was the same: iCloud is composed of many sub-modules, and one module in particular (locate phone) didn't enforce a limit on the number of login attempts.

Although this seems like a simple vulnerability to fix and avoid, with applications getting bigger, with more independent modules and interfaces, the likelihood of a programmer in a submodule forgetting to call a specific function that enforces a specific security rule gets higher.

My opinion:

This is where the bug bounty system shows its importance for both improving the security of users and the finances of hackers!!!

As applications grow in size, so does their complexity, which leads to more vulnerabilities and more people targeting them. The issue that many security professionals face results from the fact that attackers often don't have an agenda. Indeed, most attackers are doing it for the thrill and the rush of adrenaline. How do you stop such people, how do you establish a threat model??? The solution: with a simple money incentive, transform those unpredictable threats into effective temporary consultants.

It seems to me that authentication codes and pins become a weak point in every system, simply due to the 9 available digits compared to the whole range of characters available for "normal" passwords.

The WPS vulns sprung from exactly the same problem, and it makes one wonder how many other similar systems are weakened by having codes like these, for "forgot your password", or similar.

Policies are often badly implemented, and thus we find vulnerabilities. It is not the pin's or code's fault. The idea behind any password (and security in general) is that the amount of time and effort required to crack it exceeds the time and gain available.

Most people don't change their email password more than twice a year, so their password must be strong enough to resist 6 months of brute forcing (hence the need for symbols, alphanumerics, caps, ...).

However, a pin is intended for single use with a limited number of attempts. Under these conditions, it should be rather secure.

You said he told Facebook, but didn't get anything out of this.
So this means that Facebook knows about this; how long do you think it will take before Facebook patches this "bug"?

He received 15k USD for reporting this vulnerability.

-Phoenix750
