Monday, 7 March 2016

[Responsible disclosure] How I could have hacked all Facebook accounts

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Summary:

This post is about a simple vulnerability found on Facebook which could have been used to hack into another user's Facebook account easily, without any user interaction. It gave me full access to another user's account by setting a new password. I was able to view messages, the credit/debit cards stored in the payment section, personal photos, etc. Facebook acknowledged the issue promptly, fixed it and rewarded $15,000 USD considering the severity and impact of the vulnerability.

Description:

Whenever a user forgets his password on Facebook, he has the option to reset it by entering his phone number/email address on https://www.facebook.com/login/identify?ctx=recover&lwv=110. Facebook then sends a 6-digit code to that phone number/email address, which the user has to enter in order to set a new password. I tried to brute-force the 6-digit code on www.facebook.com and was blocked after 10-12 invalid attempts.
Then I looked for the same issue on beta.facebook.com and mbasic.beta.facebook.com and, interestingly, rate limiting was missing on the forgot-password endpoints there. I tried to take over my own account (as per Facebook's policy you should not do any harm to any other user's account) and was successful in setting a new password for it. I could then use the same password to log in to the account.

Video POC:

As you can see in the video, I was able to set a new password for the user by brute-forcing the code that was sent to the user's email address/phone number.

Vulnerable request:

POST /recover/as/code/ HTTP/1.1
Host: beta.facebook.com

lsd=AVoywo13&n=XXXXX

Brute-forcing the "n" parameter allowed me to set a new password for any Facebook user.
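The missing control was rate limiting on the code check itself. As an added example (not Facebook's code), the sketch below shows a server-side verifier whose attempt budget is tied to the account, so a second front end such as beta.facebook.com cannot start with a fresh budget; the 10-attempt limit mirrors what was observed on www.facebook.com, and the 10-minute code lifetime and the in-memory store are assumptions.

```python
import hmac
import secrets
import time

MAX_ATTEMPTS = 10        # the limit the author ran into on www.facebook.com
CODE_TTL_SECONDS = 600   # assumption: a code is valid for 10 minutes


class ResetCodeStore:
    """Server-side state for 6-digit password-reset codes.

    State is keyed by account and lives behind every front end, so an
    alternate host (beta.facebook.com in the post) draws on the same
    attempt budget instead of starting a fresh one. Issuing codes should
    be rate limited separately; that is out of scope here.
    """

    def __init__(self, now=time.time):
        self._now = now           # injectable clock, for tests
        self._codes = {}          # account -> [code, expires_at, attempts]

    def issue(self, account):
        """Generate a fresh code; any older code for the account is replaced."""
        code = f"{secrets.randbelow(10**6):06d}"
        self._codes[account] = [code, self._now() + CODE_TTL_SECONDS, 0]
        return code

    def verify(self, account, submitted):
        entry = self._codes.get(account)
        if entry is None:
            return "no_code"
        code, expires_at, attempts = entry
        if self._now() > expires_at:
            del self._codes[account]
            return "expired"
        if attempts >= MAX_ATTEMPTS:
            # Budget exhausted: even the right code is refused until a
            # new one is issued, so guessing cannot finish the job.
            return "locked"
        entry[2] = attempts + 1
        if hmac.compare_digest(code, submitted):   # constant-time compare
            del self._codes[account]               # single use
            return "ok"
        return "wrong"
```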

Reward:



Disclosure Timeline:

Feb 22nd, 2016 : Report sent to Facebook team.
Feb 23rd, 2016 : Verified the fix from my end.
March 2nd, 2016 : Bounty of $15,000 awarded.

Sunday, 13 December 2015

[Responsible disclosure] How I could have removed all your Facebook notes

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Summary:

This blog post is about an Insecure Direct Object Reference vulnerability in Facebook Notes, through which an attacker could have removed all of your notes just by replacing his note id with yours in the note-editing request.


About Facebook Notes:

Facebook Notes are ways of writing entries about your life, your thoughts, or your all-time favorite songs and then sharing them with your Facebook friends. The beauty of Notes lies in the ability to blog without needing to distribute a web address to friends so that they can go check out your blog. Instead, your friends are connected to your Profile. Therefore, when you publish a Note, it appears in your News Feed.


Vulnerability description: 

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Reference:  https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References


Vulnerable request:

POST /a/note.php?note_id=[victim’s note id]&publish&gfid=[attacker’s token]
Host: touch.facebook.com

fb_dtsg=[attacker’s token]&charset_test=&title=&body=&privacy=&=Publish&_dyn=&__user=[attacker’s userID]

Replacing note_id in the above request led to the successful removal of the note from the victim's account. The note id can be seen by visiting the victim's note and copying the id from the URL.



Video POC:

Impact:

Note deletion from the victim's account



Disclosure Timeline:

June 15, 2015 : Report sent to Facebook Security team
June 16, 2015 : Bug acknowledged by Facebook Security team
June 16, 2015 : Vulnerability Fixed
June 22, 2015 : Bounty of $2500 awarded by Facebook

Thursday, 4 June 2015

[Responsible disclosure] How I hacked 62.5 million Zomato Users


Note: This is being published with the permission of Zomato Team. The vulnerability is now fixed. 

Zomato is an online restaurant search and discovery service providing information on home delivery, dining out, cafés and nightlife for various cities of India and 21 other countries. It has 62.5 million registered users.
While creating an account, a user can store his phone number, addresses, date of birth, link an Instagram account, etc. In one of the API calls, the user data returned was selected by the "browser_id" parameter in the API request. Interestingly, changing the "browser_id" sequentially resulted in data leakage of other Zomato users. The leaked data also included the Instagram access token, which could be used to see the private Instagram photos of the respective Zomato users.

Below are the technical details of the vulnerability:

Description:

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files. 
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Vulnerable endpoint:

POST /v2/userdetails.json/XXXXX?&browser_id=XXXXX&type=journey&lang=en&uuid=pgh1evyBWvL+sp9/JpwUpItnk8Q=&app_version=6.5.0.1 HTTP/1.1
Accept: */*
Content-Length: 214
Accept-Encoding: gzip, deflate
X-Zomato-API-Key: XXXXXXX
Content-Type: application/x-www-form-urlencoded
User-Agent: Zomato/5.0
Host: 1api.zomato.com
Connection: Keep-Alive
Cache-Control: no-cache

lang=en&uuid=pgh1evyBWvL%2Bsp9%2FJpwUpItnk8Q%3D&client_id=Zomato_WindowsPhone8_v2&app_version=6.5.0.1&device_manufacturer=NOKIA&device_name=NOKIA%2520Lumia%25201020&access_token=xyz

Replacing the XXXXX with the victim's user id in the above request led to information disclosure.
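Both this endpoint and the Notes deletion above fail for the same reason: the object id comes from the client and is used without asking whether the session user may act on it. Added example, not Zomato's or Facebook's code: two handlers over constructed records that take the acting user from the server-side session, refuse to delete notes the caller does not own, and return only public profile fields to anyone other than the owner, never a stored Instagram token.

```python
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised when the acting user may not touch the referenced object."""


@dataclass
class Note:
    note_id: int
    owner_id: int
    title: str


@dataclass
class User:
    user_id: int
    name: str
    phone: str
    instagram_token: str


# Constructed sample records standing in for the application's database.
NOTES = {101: Note(101, owner_id=1, title="Alice's note"),
         102: Note(102, owner_id=2, title="Bob's note")}
USERS = {1: User(1, "Alice", "+91-0000000000", "ig-token-alice"),
         2: User(2, "Bob", "+91-1111111111", "ig-token-bob")}


def delete_note(session_user_id, note_id):
    """Note-editing handler: note_id is client input, the acting user is
    the server-side session. Ownership is checked before anything happens."""
    note = NOTES.get(note_id)
    if note is None or note.owner_id != session_user_id:
        # One answer for 'missing' and 'not yours', so probing ids
        # reveals nothing about which ones exist.
        raise Forbidden("note not found or not owned by caller")
    del NOTES[note_id]
    return True


def user_details(session_user_id, target_user_id):
    """User-details handler: the public id may be looked up by anyone,
    but which fields come back depends on who is asking."""
    user = USERS.get(target_user_id)
    if user is None:
        raise Forbidden("no such user")
    view = {"user_id": user.user_id, "name": user.name}
    if target_user_id == session_user_id:
        view["phone"] = user.phone          # private field: owner only
    # instagram_token is a credential, not profile data; it never leaves
    # the server regardless of who asks.
    return view
```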

Ease of exploitability:

You can easily get the user id of any Zomato user by visiting their profile. User ids are public and appended to the profile URL.

Proof of concept video:

This bug was responsibly disclosed to Zomato and was fixed within a few minutes by the engineering team.

Disclosure Timeline:
June 1, 2015 09:29 PM : Report sent to Deepinder Goyal, CEO
June 2, 2015 12:54 PM : Added Gunjan Patidar, CTO and Shrey Sinha to the mail thread
June 2, 2015 1:04 PM : Bug acknowledged by Gunjan Patidar
June 2, 2015 2:01 PM : Confirmation of vulnerability fix from Gunjan Patidar.


Saturday, 29 November 2014

[Responsible disclosure] Hacking Facebook.com/thanks Posting on behalf of your friends!


Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Facebook recently introduced "Say Thanks", an experience that lets Facebook users create personalized video cards for their Facebook friends.

To create a Thanks video, a user needs to visit facebook.com/thanks and choose a friend. The user can select a theme and edit the photos and posts that represent their friendship.
Once you are ready, you click the "Share" button and the video is shared on your timeline with the friend tagged. It shows up on your timeline as well as the friend's.

So, I started digging up as soon as "Say Thanks" was launched.

Below are a few things that I tried:

1) Posting on behalf of a non-friend.
2) Posting on behalf of a Facebook friend.

Interestingly, posting on behalf of your Facebook friends worked.
After successful exploitation, a video saying thanks was posted from the victim's profile.

Bug type: Insecure direct object reference (OWASP A4)

Steps to reproduce:

1) Go to https://www.facebook.com/thanks
2) Choose any friend from your list. Now, in the top corner, click on the "Share video" option.
3) Before posting, make sure Burp Suite's Interceptor is turned on to capture the request.


Click on "Post Video" now; you will see a request like the one below in Burp Suite:


POST /thanks/send/async/ HTTP/1.1
Host: www.facebook.com

fb_dtsg=YYYYYY&message_text=Hey Anand, I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks&message=Hey @[1234543:Anand], I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks&cache_version=24&content=[]&content_count=0&receiver={"id":1234543,"fbid":1234543,"name":"Anand Prakash","imageURL":"","gender":2,"greeting":"Hey Anand","shortName":"Anand","relationship":-1,"relationshipName":null,"firstName":"Anand","genderType":"MALE","profilePhoto":"","profilePhotoID":8359028035,"profilePhotoBegin":"}&sender={"id":131232524,"name":"Sunil Bhati","firstName":"Sunil","genderType":"MALE","profilePhoto":"","profilePhotoID":,"profilePhotoBegin":"","profilePhotoBeginID":328985902339}&timestamp=1417279810172&theme_details={}&theme_id=DEFAULT_THEME&privacyx=9238943&__user=1234543__a=1&__dyn=&__req=13&ttstamp=__rev=1512134


4) I changed the id inside sender={...} (XXXXX here) to the victim's Facebook ID, and within a few seconds the video was posted from the victim's Facebook profile.
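The server trusted the sender blob in the form body. Added example, not Facebook's code: a handler that parses the same form shape, ignores the client-supplied sender, attributes the post to the session user, and checks that the receiver is a friend of that user; the friend graph and the form body are constructed.

```python
import json
from urllib.parse import parse_qs


class Forbidden(Exception):
    """Raised when the request is not allowed for the acting user."""


# Constructed friend graph standing in for the real one: user id -> friend ids.
FRIENDS = {
    131232524: {1234543},
    1234543: {131232524},
    99: set(),
}


def handle_thanks_send(session_user_id, raw_body):
    """Server-side handler for the /thanks/send/async/ form.

    The body carries both a 'receiver' and a 'sender' JSON blob. Only
    'receiver' is read; the sender is whoever owns the session, so a
    rewritten 'sender' field changes nothing.
    """
    form = parse_qs(raw_body, keep_blank_values=True)
    receiver = json.loads(form["receiver"][0])
    receiver_id = int(receiver["id"])
    # Thanking a non-friend did not work in the post; enforce that on
    # the server using the session user, not the client-supplied sender.
    if receiver_id not in FRIENDS.get(session_user_id, set()):
        raise Forbidden("receiver is not a friend of the acting user")
    return {
        "sender_id": session_user_id,            # from session, never the form
        "receiver_id": receiver_id,
        "message": form.get("message_text", [""])[0],
    }


# Constructed body: the 'sender' blob claims to be user 1234543 (the receiver).
SAMPLE_BODY = (
    "fb_dtsg=YYYYYY&message_text=Hey Anand, thanks for being a good friend"
    '&receiver={"id":1234543,"name":"Anand Prakash"}'
    '&sender={"id":1234543,"name":"Anand Prakash"}'
    "&theme_id=DEFAULT_THEME"
)
```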


Timeline:

Nov 14, 2014 12:41am - Report sent to Facebook Security team
Nov 14, 2014 2:00am - Initial reply from Mordecai saying he is not able to reproduce the issue
Nov 14, 2014 8:17am - Confirmation of vulnerability from Neal Poole
Nov 14, 2014 10:42am - Issue fixed by Facebook
Nov 14, 2014 11:44am - Fix verification by me
Nov 19, 2014 10:10am - Bounty of $12,500 awarded by Facebook.


Thanks to the Facebook security team for quickly fixing the issue.