One link Facebook (Anand Pandey)
ClubHack 2011 Hacking and Security Conference.
Talk - One Link Facebook
Speaker - Anand Pandey


  1. One Link: Access the account without restriction with just one link. Anand K. Pandey, anandkpandey1@gmail.com
  2. Facebook
     • Social networking website
     • Founded in February 2004 by Mark Zuckerberg
     • Used to interact with friends and colleagues, and to make new friends
  3. Facebook
     • Gets 10 billion hits per day
     • Second most visited site
     • More than 800 million active users
     • More than 250 million photos uploaded daily
     • More than 900 million objects that people interact with
  4. Number of active users
     [Chart: number of users (in million) per year, 2007 to 2011; the bar labels read 50, 100, 350, 500 and 750]
  5. 20 Minutes of Facebook
     • Event invites: 14,84,000
     • Wall posts: 15,87,000
     • Comments made: 1,02,08,000
     • Links shared: 10,00,000
     • Photos uploaded: 27,16,000
     • Status updates: 18,51,000
     • Friend requests accepted: 27,16,000
     • Messages sent: 19,72,000
     • Photos tagged: 13,23,000
  6. Facebook in the News
     • Massive hack/spam attack
     • Facebook tracks users' activity
     • Anonymous threatens Facebook
  7. Facebook Security
     • Unique username
     • Password
  8. Facebook Security
     • Checkpoint
  9. Facebook Security
     • Geo-location restriction
  10. Facebook Security
     • Login review
  11. Direct Link
     • One single link
     • Bypasses all security points:
       • Username
       • Password
       • Checkpoints
       • Geo-location restriction
  12. Direct Link: Facebook sends one when someone
     • Comments on your photo
     • Comments on your link
     • Tags you
     • Comments after you
  13. Type 1: http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
     • Parameters
       • pid – photo id
       • id – FB id of the user who commented
       • mlid – FB id of the target user
       • l (e.g. s52giOr8) – secret key
  14. Type 2: http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
     • Parameters
       • share_id – FB id of the shared link
       • mlid – FB id of the target user
       • l (e.g. s59gpZr8) – secret key
  15. Type 3: http://fb.me/xxxxxxxxxxxxxx
     • URL shortening
     • Contains 14 random alphanumeric characters
     • Used specifically for shortening the magic link sent via SMS when someone comments on your link
     • Database of random FB accounts with magic link
  16. Type 4: http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy
     • URL shortening
     • Contains “id” and “l”
     • The series of “x” is the FB id of the user who commented on your photo
     • The series of “y” is the secret key
     • Used specifically for shortening the direct link sent via SMS when someone comments on your photo
  17. What you can do
     • Brute-force or social-engineer the direct URL
     • Brute-force the shortened URL to hit random accounts with full access
     • Remember the two most important parameters:
       • FB user ID (mlid)
       • Secret key (l)
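The deck leaves the defender's question open: what should a notification link carry so that a guessed or leaked link does not hand over the whole account? The block below is an added Python example written for this page, not code from the talk or from Facebook; SERVER_KEY, issue_link, verify_link and the m.example.test host are all hypothetical. It contrasts the keyspace of the deck's 8-character l and 14-character fb.me code with a 128-bit nonce, and shows a link whose key is an HMAC bound to user id, resource and expiry, verified in constant time, usable once, and granting only a view of the notified item rather than a full session.

```python
import hashlib
import hmac
import math
import secrets
import time
from typing import Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Hypothetical server-side key; a real deployment keeps it in a KMS or HSM.
SERVER_KEY = secrets.token_bytes(32)
TTL_SECONDS = 15 * 60            # a notification link should not stay valid for years
_used_nonces = set()             # stand-in for a store shared across servers


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random token: 62^8 is ~48 bits, 62^14 is ~83 bits."""
    return length * math.log2(alphabet_size)


def issue_link(mlid: str, resource: str, now: Optional[float] = None) -> str:
    """Mint a link that opens one resource for one user, with expiry and nonce."""
    now = time.time() if now is None else now
    fields = {"mlid": mlid, "res": resource,
              "exp": str(int(now) + TTL_SECONDS), "n": secrets.token_urlsafe(16)}
    msg = "|".join(fields[k] for k in ("mlid", "res", "exp", "n")).encode()
    # 'l' is an HMAC over every field, so none of them can be altered or guessed
    fields["l"] = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    return "https://m.example.test/photo.php?" + urlencode(fields)


def verify_link(url: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the scoped grant {'mlid', 'res'}, or None if the link is invalid."""
    now = time.time() if now is None else now
    q = {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}
    try:
        msg = "|".join(q[k] for k in ("mlid", "res", "exp", "n")).encode()
        exp, tag = int(q["exp"]), q["l"]
    except (KeyError, ValueError):
        return None
    expected = hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):      # constant-time comparison
        return None
    if now > exp or q["n"] in _used_nonces:          # expired, or already used
        return None
    _used_nonces.add(q["n"])                         # burn the nonce: single use
    return {"mlid": q["mlid"], "res": q["res"]}      # view this item only, no session
```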
  18. Contact
     • Email: anandkpandey1@gmail.com
     • Twitter: anand___pandey
     • LinkedIn: http://in.linkedin.com/in/anandpandey1
