Wednesday, May 28, 2014

How I hacked your unverified facebook accounts !


Here's a little write-up on how I was able to delete any unverified account in facebook. By unverified, I mean those accounts who didnot yet verify their email address linked to facebook. 


All (or most) of my bugs have been authentication related to many vendors, this was no different. 

Here is how I did it:


There is(was , now) this sign up function, which lets you create new facebook account. The twist is, when you use a facebook account that already has an account in facebook (with its email unverified), the response you get is :

When clicked on the "Insert the confirmation code instead" it lets you enter 5-digit number only code. Pretty simple , eh?

Lets generate a dictionary from 00000 to 99999




Now, straightforward stuff! I fired up Burp, "Swiss army knife" for me.





Notice something peculiar in the last request?
Yes, the response length changes to show that you've made the correct guess. (AJAX response in burp response says that).

Some math work :
possible password = 100,000
If , no. of requests = 100/sec
Time taken to find out "teh code" (worst case scenerio) = 15 minutes

The impact?

I could permanently delete any unverified facebook accounts within 15 minutes. You would try to recover using "password recover" feature but all your friends, PM's would be gone. You would have to create entirely new account.

All I had to do was squander my bandwidth (and sit back and relax).

How did I find out if an account was unverified?

Well, one way was to sign up using that email and see the response (if you are asked to enter confirmation code or not).

For a large number of emails, the other way was to enumerate facebook users first, to find out if the email had a facebook account and then use "Change email address field" to sort out which accounts have facebook associated with it and are still unverified.


8 hours later:



and was patched within 3 days of submission, however they were making strange changes  for about a month even after bounty payout (in their mobile platforms and mobile apps).



tl;dr :


1) Make an unconfirmed facebook account (the target)

2)Try to register a new account with same email (the attacker) !

3)It will take you to https://www.facebook.com/register/confirm.php?ce=emailaddress%40provider.com from the registration form.

4)Click on "Insert the confirmation code instead"!

5)Generate a dictionary .

6)Enjoy deleting accounts!



and a handsome bounty followed up:


Thanks for the read!




Posted on by Abhibandu Kafle | 9 comments

9 comments:

  1. So what did they do to fix this ?

    ReplyDelete
    Replies
    1. Rate limited, stopped allowing an email which has an unverified account to be added to a verified account. There has been many changes in how unverified accounts work. Also, now they ask to verify any account within few days after sign up!

      Delete
  2. How much money they have paid to you ?

    ReplyDelete
  3. "a handsome amount", as mentioned in post

    ReplyDelete
  4. not more than 3 digits. I guess 500 USD. I just look the spaces. :P

    ReplyDelete
  5. I was wondering why did you write a program to make numbers! You have a built in option in burp suite. Its waste of time you are reinventing the wheel.

    ReplyDelete
    Replies
    1. BTW congrats, you got an eagle eye.

      Delete