How to obtain 100 Facebook accounts per day through Internet searches
Yael Basurto Esquivel - zkvL
Guillermo Buendia - m0m0
How to obtain 100 Facebook accounts per day through internet searches 2
DISCLAIMER
This vulnerability has been mitigated by the Facebook Security Team. Facebook accounts were tested strictly for research purposes and were never compromised without the owner's authorization.
AGENDA
• About us
• Facebook Issue #331801952
• How it works
• Proof of concept
• Exploiting the vulnerability in mass
• We got paid!
• Remediation
• What's next?
• Contact
About us
About Us
• Penetration testers and cyber security specialists at Deloitte Mexico.
• Hacking and security enthusiasts.
• Love to learn and break things.
• Bug bounty and CTF noobs.
• First serious research ever!
Facebook Issue #331801952
• The Facebook mobile application delivers third-party content through "Instant Articles" (2016).
• Content from third parties can be viewed, shared, saved and so on directly within the Facebook platform.
• We found a session hijacking vulnerability in this functionality.
• We reported it through the Facebook bug bounty program in May 2016.
How it works
• Detected when sharing links from the Facebook mobile application.
• Lack of proper validation in "One Tap Login".
• The shared links carry a session_key and an api_key.
• This allows a third party to steal the session by opening the link in a browser (desktop or mobile): the browser offers to start a session as the user who originally shared the link.
Proof of concept
Proof of concept
1. A legitimate user opens an Instant Article in the mobile application.
2. The user shares it by tapping "Share" and then "Copy link".
3. The user posts the copied link on any social network.
4. A malicious user opens the link and notes that the browser offers to start a session as the user who originally shared it.
5. The malicious user accepts and gains access to the account.
6. The malicious user can then perform any activity under the legitimate user's session.
Exploiting the vulnerability in mass
The problem… the shared links look like this:
https://m.facebook.com/auth.php?api_key=11111111111111&session_key=2222222222222&…
The solution … INTERNET!
But the account links found through Google were too old and we needed recent ones, so we used a real-time search within Twitter instead.
Et voilà!
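The search-and-harvest step above can be reduced to a small scanner. The following is an added example and is not the presenters' tooling: it takes a pile of search results as text, picks out facebook.com auth.php links that carry a session_key (the shape shown on the slides), de-duplicates reposts of the same link and redacts the key so the finding can be reported. The posts and all numeric values are constructed placeholders, nothing is sent to Facebook, and the example assumes the expanded form of the link (a shortened link would have to be expanded first).

```python
"""Pick session-bearing share links out of search results.

Added example; it is not the presenters' tooling and does not contact Facebook.
The URL shape follows the redacted example on the slides
(m.facebook.com/auth.php?api_key=...&session_key=...). The posts below are
constructed stand-ins for what a real-time Twitter search returned.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Parameters that must never appear in a link meant to be shared.
SENSITIVE_PARAMS = ("session_key", "api_key")

# Constructed sample search results; the numeric values are placeholders.
SAMPLE_POSTS = [
    "Great read https://m.facebook.com/auth.php?api_key=11111111111111"
    "&session_key=22222222222222&next=https%3A%2F%2Fm.facebook.com%2Farticle",
    "lol https://m.facebook.com/auth.php?api_key=33333333333333&session_key=44444444444444",
    "normal link https://m.facebook.com/story.php?story_fbid=5&id=6",
    "repost https://m.facebook.com/auth.php?api_key=11111111111111&session_key=22222222222222",
    "not facebook https://example.org/auth.php?api_key=1&session_key=2",
    "no secret https://m.facebook.com/auth.php?api_key=55555555555555&next=%2F",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def leaked_params(url):
    """Return the sensitive parameters found in a facebook.com auth.php URL.

    Returns {} when the host is not facebook.com, the path is not auth.php,
    or no session_key is present (an api_key alone identifies an app, not a user).
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if host != "facebook.com" and not host.endswith(".facebook.com"):
        return {}
    if not parts.path.endswith("/auth.php"):
        return {}
    query = parse_qs(parts.query)
    found = {k: query[k][0] for k in SENSITIVE_PARAMS if query.get(k)}
    return found if "session_key" in found else {}


def redact(url):
    """Mask the session key so a finding can be logged or reported safely."""
    return re.sub(r"(session_key=)[^&]*", r"\1<redacted>", url)


def find_leaked_links(posts):
    """Scan free text for leaked session links; returns one redacted URL per session."""
    seen = set()
    findings = []
    for post in posts:
        for url in URL_RE.findall(post):
            params = leaked_params(url)
            if not params:
                continue
            if params["session_key"] in seen:  # the same link reposted
                continue
            seen.add(params["session_key"])
            findings.append(redact(url))
    return findings


if __name__ == "__main__":
    for hit in find_leaked_links(SAMPLE_POSTS):
        print(hit)
```

Run against the constructed posts it reports two distinct leaked sessions and ignores the repost, the non-Facebook host and the link that carries only an api_key. Feeding it real search output is the only change needed to turn it into the monitoring a platform owner would want for its own links.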
We got paid!
In June 2016 the Facebook bug bounty team patched the vulnerability, closed the ticket and rewarded us. They also added us to their "Wall of fame".
Remediation
Facebook did not fix the URL-shortening error itself; instead they mitigated the vulnerability in "One Tap Login". A redirect was added to the vulnerable URL, "facebook.com/auth.php", so that a valid session can no longer be stolen through it.
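To make the two possible fixes concrete, here is an added example, not Facebook's code, that models only what the slides describe. vulnerable_auth logs in whoever presents the session_key from the query string; hardened_auth redirects any request that carries one (the mitigation the slides attribute to facebook.com/auth.php) and honours only a key already bound to the browser; sanitize_share_link is the root-cause fix the slides note was not applied, building the share link without session material. The session store, the /login path and all values are made up.

```python
"""Vulnerable versus hardened handling of a session key carried in a URL.

Added example, not Facebook's code. It only models what the slides describe:
the vulnerable handler logs in whoever presents the key from the query string;
the hardened handler redirects such requests away and honours only a key
already bound to the browser; sanitize_share_link strips session material
before a link is shared. Session store, paths and values are made up.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

SECRET_PARAMS = {"session_key", "api_key"}

# Constructed server-side session store: session_key -> user.
SESSIONS = {"22222222222222": "alice"}


def vulnerable_auth(query):
    """'One Tap Login' as the slides describe it: the link itself is the credential."""
    params = dict(parse_qsl(query))
    user = SESSIONS.get(params.get("session_key", ""))
    if user is None:
        return {"status": 403}
    return {"status": 200, "logged_in_as": user}


def hardened_auth(query, cookie_session_key=None):
    """Never accept a session key from the URL.

    A request that carries one is redirected to the plain login page with the
    secrets stripped, so they are not echoed into Referer headers or history;
    only a key presented in a cookie can authenticate.
    """
    params = dict(parse_qsl(query))
    if SECRET_PARAMS.intersection(params):
        safe = {k: v for k, v in params.items() if k not in SECRET_PARAMS}
        location = "/login" + ("?" + urlencode(safe) if safe else "")
        return {"status": 302, "location": location}
    user = SESSIONS.get(cookie_session_key or "")
    if user is None:
        return {"status": 401}
    return {"status": 200, "logged_in_as": user}


def sanitize_share_link(url):
    """Strip session material from a link before it is put on the clipboard."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query) if k not in SECRET_PARAMS]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


if __name__ == "__main__":
    leaked = "api_key=1&session_key=22222222222222&next=%2Farticle"
    print(vulnerable_auth(leaked))
    print(hardened_auth(leaked))
    print(sanitize_share_link("https://m.facebook.com/auth.php?" + leaked))
```

The redirect alone, which is what the slides say was deployed, stops the takeover but leaves the key in public search results; the sanitized share link removes the key from circulation in the first place, which is why both belong together.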
What’s next?
This vulnerability could be present in other Facebook-crafted URLs. We have seen the same URL-shortening error with "https://m.facebook.com/mobile/sso_request?d=", but it has been hard to replicate the issue and the conditions required for this URL reduce the risk; however, further research could lead to something …
Contact
Yael Basurto Esquivel
Twitter: @zkvL7
Guillermo Buendía
Twitter: @bym0m0
Special thanks:
To everyone on the 19th floor, especially to:
• Abraham Vargas - @0ldbl4ck
• Lucio Adame - @_Svrtr_
who are co-authors of this vulnerability disclosure. This work would not have been possible without their help.

Presented at Recon Village, DEF CON 25.

  • 1. How to obtain 100 Facebook accounts per day through Internet searches. Yael Basurto Esquivel - zkvL, Guillermo Buendia - m0m0
  • 2. DISCLAIMER: This vulnerability has been mitigated by the Facebook Security Team. Facebook accounts were tested only for strict research purposes and were never compromised without the owner’s authorization.
  • 3. AGENDA: About us • Facebook Issue #331801952 • How it works • Proof of concept • Exploiting the vulnerability in mass • We got paid! • Remediation • What’s next? • Contact
  • 4. About us
  • 5. About Us: Penetration testers and cyber security specialists at Deloitte Mexico. Hacking and security enthusiasts. Love to learn and break things. Bug bounties & CTFs noobs. First serious research ever!
  • 6. Facebook Issue #331801952
  • 7. Facebook Issue #331801952: The Facebook mobile application delivers third-party content through “Instant Articles” (2016). Content from third parties can be viewed, shared, saved and so on directly in the Facebook platform. We found a session hijacking vulnerability in this functionality. We reported it through the Facebook bug bounty program in May 2016.
  • 8. How it works
  • 9. How it works: Detected when sharing links from the Facebook mobile application. Lack of proper validation in “One Tap Login”. Links are shared with a session_key and an api_key. This allows a third party to steal the session when opening the link in a browser (desktop or mobile), since the browser offers to start a session as the user who originally shared the link.
  • 10. Proof of concept
  • 11. Proof of concept: 1. A legitimate user opens an Instant Article in the mobile application. 2. The user shares it by tapping “Share” and then “Copy link”. 3. The user posts the copied link on any social media.
  • 12. Proof of concept: 4. A malicious user opens the link and notes that the browser offers to start a session as the user who originally shared the link. 5. The malicious user accepts and gains access to the account. 6. The malicious user can then perform any activity under the legitimate user’s session.
  • 13. Exploiting the vulnerability in mass
  • 14. Exploiting the vulnerability in mass. The problem… https://m.facebook.com/auth.php?api_key=11111111111111&session_key=2222222222222&............
  • 15. Exploiting the vulnerability in mass. The solution… INTERNET!
  • 16. Exploiting the vulnerability in mass. The solution… INTERNET! But these account links in Google were too old and we needed some recent stuff, so we used a real-time search within Twitter.
  • 17. Exploiting the vulnerability in mass. The solution… INTERNET! Et voilà!
  • 18. Exploiting the vulnerability in mass
  • 19. Exploiting the vulnerability in mass
  • 20. Exploiting the vulnerability in mass
  • 21. We got paid!
  • 22. In June 2016 the Facebook bug bounty team patched the vulnerability, closed the ticket and rewarded us!! Facebook closed the ticket and we got paid! They also added us to their “Wall of Fame”.
  • 23. Remediation
  • 24. Remediation: Facebook did not mitigate the URL-shortening error; instead they mitigated the vulnerability present in “One Tap Login”. A redirection was implemented in the vulnerable URL, “facebook.com/auth.php”, so that it is no longer possible to steal a valid session from it.
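The root cause on slide 9 (a shareable link that carries a session_key and an api_key) and the fix on slide 24 (the auth endpoint no longer turns such a link into a session) can both be shown in code. The following is an added example written for this page, not code from the talk's authors or from Facebook: it detects credential-bearing query parameters in links, strips them before a link is shared, models the server-side redirect, and scans a batch of captured links the way a proxy or DLP check would. The parameter-name pattern, the `/login` redirect path, and every sample value are assumptions or constructed data.

```python
from __future__ import annotations

import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Query-parameter names that act as bearer credentials. api_key and
# session_key are the pair named on the slides; the rest of the pattern is
# an assumption so the check also catches similarly named parameters.
CREDENTIAL_PARAM = re.compile(r"(session|token|api_key|secret|sig)", re.IGNORECASE)


def session_bearing_params(url: str) -> list[str]:
    """Names of credential-carrying query parameters found in url, in order."""
    query = urlsplit(url).query
    return [k for k, _ in parse_qsl(query, keep_blank_values=True)
            if CREDENTIAL_PARAM.search(k)]


def scrub_share_link(url: str) -> str:
    """Client-side fix: drop credential parameters before a link is copied or shared."""
    parts = urlsplit(url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if not CREDENTIAL_PARAM.search(k)]
    return urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), parts.fragment))


def handle_auth_request(url: str) -> tuple[str, str]:
    """Server-side model of the remediation described on slide 24 (an assumption
    about its shape, not Facebook's code): a request to the auth endpoint whose
    query string carries credentials is never turned into a session. It is
    answered with a redirect to a credential-free login page (placeholder path),
    so values leaked in an old link are inert."""
    parts = urlsplit(url)
    if parts.path.endswith("/auth.php") and session_bearing_params(url):
        return ("redirect", urlunsplit((parts.scheme, parts.netloc, "/login", "", "")))
    return ("serve", url)


def audit_shared_links(lines) -> list[tuple[str, list[str]]]:
    """Detection: scan captured outgoing links (a proxy log, a social-media feed)
    and report the ones that would hand a session to whoever opens them."""
    findings = []
    for line in lines:
        for url in re.findall(r"https?://\S+", line):
            leaked = session_bearing_params(url)
            if leaked:
                findings.append((url, leaked))
    return findings


# Constructed sample mirroring the shape shown on slide 14 (all values are fake).
SAMPLE_LINK = (
    "https://m.facebook.com/auth.php?api_key=11111111111111"
    "&session_key=2222222222222&next=%2Fstory.php%3Fid%3D1"
)

# Constructed feed lines: one leaks a session, one is a harmless article link.
SAMPLE_FEED = [
    "Great read! " + SAMPLE_LINK,
    "Also see https://example.com/article?id=42",
]

if __name__ == "__main__":
    print(audit_shared_links(SAMPLE_FEED))   # flags SAMPLE_LINK with api_key, session_key
    print(scrub_share_link(SAMPLE_LINK))     # same link with only the next= parameter left
    print(handle_auth_request(SAMPLE_LINK))  # ('redirect', 'https://m.facebook.com/login')
```

The client-side scrub is the cheaper fix and the one a defender controls for their own apps: never let a bearer credential into a URL that is meant to be copied. The server-side redirect is the defence in depth the slides describe, because links that already escaped (as the Google and Twitter searches on slides 15 and 16 show) keep circulating long after the client is patched.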
  • 25. Remediation
  • 26. What’s next?
  • 27. What’s next? This vulnerability could be present in other Facebook-crafted URLs. We have seen the same URL-shortening error with “https://m.facebook.com/mobile/sso_request?d=”, but it has been complicated to replicate the issue and the conditions for this URL minimize the risk; however, further research could lead to something…
  • 28. What’s next?
  • 29. What’s next?
  • 30. Contact: Yael Basurto Esquivel, Twitter: @zkvL7. Guillermo Buendía, Twitter: @bym0m0. Special thanks to everyone on the 19th floor, especially to Abraham Vargas (@0ldbl4ck) and Lucio Adame (@_Svrtr_), who are co-authors of this vulnerability disclosure. This work wouldn’t have been possible without their help.