
Recon Village, DEF CON 25: How to obtain 100 Facebook accounts per day through Internet searches - Guillermo Buendia

Published on http://reconvillage.org/how-to-obtain-100-facebook-accounts-per-day/


  1. How to obtain 100 Facebook accounts per day through Internet searches. Yael Basurto Esquivel - zkvL, Guillermo Buendia - m0m0
  2. DISCLAIMER: This vulnerability has been mitigated by the Facebook Security Team. Facebook accounts were tested strictly for research purposes and were never compromised without the owner's authorization.
  3. AGENDA: • About us • Facebook Issue #331801952 • How it works • Proof of concept • Exploiting the vulnerability in mass • We got paid! • Remediation • What's next? • Contact
  4. About us
  5. About us: • Penetration testers and cyber security specialists at Deloitte Mexico. • Hacking and security enthusiasts. • Love to learn and break things. • Bug bounty & CTF noobs. • First serious research ever!
  6. Facebook Issue #331801952
  7. Facebook Issue #331801952: • The Facebook mobile application delivers third-party content through "Instant Articles" (2016). • Content from third parties can be viewed, shared, saved and so on directly in the Facebook platform. • We found a session hijacking vulnerability in this functionality. • We reported it through the Facebook bug bounty program in May 2016.
  8. How it works
  9. How it works: • Detected when sharing links from the Facebook mobile application. • Lack of proper validation in "One Tap Login". • Links are shared with a session_key and an api_key in the URL. • This allows a third party to steal the session by opening the link in a browser (desktop or mobile), since the browser offers to start a session as the user who originally shared the link.
  10. Proof of concept
  11. Proof of concept: 1. A legitimate user opens an instant article in the mobile application. 2. The user shares it by tapping "Share" and then "Copy link". 3. The user posts the copied link on any social media.
  12. Proof of concept: 4. A malicious user opens the link and notes that the browser offers to start a session as the user who originally shared the link. 5. The malicious user accepts and gains access to the account. 6. The malicious user can then perform any activity under the legitimate user's session.
  13. Exploiting the vulnerability in mass
  14. Exploiting the vulnerability in mass. The problem… https://m.facebook.com/auth.php?api_key=11111111111111&session_key=2222222222222&............
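The root cause shown on the "How it works" and "The problem" slides is a "Copy link" URL that carries the sharer's session_key and api_key in its query string. The following is an added example, not code from the talk or from Facebook: a Python check that a share handler can run before a link leaves the device, and that a defender can run over public posts to find links that already leak. The parameter names beyond session_key and api_key, the sample feed and its token values are constructed assumptions.

```python
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query parameters that must never appear in a link handed to a user for sharing.
# session_key and api_key are the two named in the talk; the rest are common
# bearer-style names added here as an assumption, not Facebook's list.
SENSITIVE_PARAMS = frozenset({"session_key", "api_key", "access_token", "oauth_token"})

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def find_leaked_params(url: str) -> list:
    """Return the sensitive parameter names present in url's query string."""
    query = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [name for name, _ in query if name.lower() in SENSITIVE_PARAMS]


def scrub_url(url: str) -> str:
    """Rebuild url with sensitive parameters removed, keeping the rest intact."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k.lower() not in SENSITIVE_PARAMS]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def safe_share_link(url: str) -> str:
    """What a 'Copy link' handler should do: never emit a URL carrying credentials."""
    return scrub_url(url) if find_leaked_params(url) else url


def scan_feed(text: str) -> list:
    """Find URLs in free text (e.g. a public timeline) and report the leaking ones."""
    hits = []
    for url in URL_RE.findall(text):
        leaked = find_leaked_params(url)
        if leaked:
            hits.append((url, leaked))
    return hits


# Constructed sample timeline; token values follow the slide's 1111/2222 placeholders.
SAMPLE_FEED = """\
check this out https://m.facebook.com/auth.php?api_key=11111111111111&session_key=2222222222222&next=%2Farticle
harmless share https://example.com/article?id=42
another one https://m.facebook.com/auth.php?session_key=3333333333333&next=%2F
"""

if __name__ == "__main__":
    for url, leaked in scan_feed(SAMPLE_FEED):
        print("LEAK", leaked, "->", scrub_url(url))
```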
  15. Exploiting the vulnerability in mass. The solution… INTERNET!
  16. Exploiting the vulnerability in mass. The solution… INTERNET! But the account links found in Google were too old and we needed recent ones, so we used a real-time search within Twitter.
  17. Exploiting the vulnerability in mass. The solution… INTERNET! Et voilà!
  18. Exploiting the vulnerability in mass (image only)
  19. Exploiting the vulnerability in mass (image only)
  20. Exploiting the vulnerability in mass (image only)
  21. We got paid!
  22. We got paid! In June 2016 the Facebook bug bounty team patched the vulnerability, closed the ticket and rewarded us!! They also added us to their "Wall of fame".
  23. Remediation
  24. Remediation: Facebook did not mitigate the URL shortening error; instead they mitigated the vulnerability present in "One Tap Login". A redirection was implemented on the vulnerable URL ("facebook.com/auth.php") so that it is no longer possible to steal a valid session from it.
  25. Remediation (image only)
  26. What's next?
  27. What's next? This vulnerability could be present in other Facebook-crafted URLs. We have seen the same URL shortening error with "https://m.facebook.com/mobile/sso_request?d=", but it has been complicated to replicate the issue and the conditions for this URL minimize the risk; however, further research could lead to something…
  28. What's next? (image only)
  29. What's next? (image only)
  30. Contact: Yael Basurto Esquivel - Twitter: @zkvL7; Guillermo Buendía - Twitter: @bym0m0. Special thanks to everyone on the 19th floor, especially to Abraham Vargas (@0ldbl4ck) and Lucio Adame (@_Svrtr_), who are co-authors of this vulnerability disclosure. This work wouldn't be possible without their help.
