Ow Facebook: Taking Over Random Accounts
12:25 PM
Okay, it seems I am obsessed with Facebook. I like it. Well, not
obsessed, just addicted? Anyway, this is part of a series of obvious Facebook
bugs that I reported to the program, that were declined, and that can still be exploited.
When you reset your password, you get the option of having the reset
sent to your phone by SMS. The SMS contains a 6-digit token to confirm your phone
and also a link to reset the password; when you follow the link, it simply shows a
new password box and a confirm new password box. So the idea here is to
brute-force these tokens. Here are the statistics: over a billion users, and at least
3-4 million password resets in a day. That means there are around 4 million
valid tokens to be found while brute forcing, which can be used to take over random accounts.
The link looks like https://fb.com/l/240jMqhGzXiy8, and the last part is the part
that holds the token: the 13-character token that resets someone's password is 240jMqhGzXiy8.
But the brute force is next to impossible because the token is 13 characters long,
drawn from lower case letters (26 possibilities), upper case letters (26
possibilities), and digits (10 possibilities, including 0). So that's 62
raised to the 13th power, which equals 200028539268669788905472 possible values:
200 sextillion!
But that is a true sextillion only if we are looking for one
particular value; with a growing number of users resetting their passwords,
there are around 4 million valid tokens at any one time. If we do the math, that is still
a very low percentage of capturing an actual account. But imagine if you have a botnet, the
zombies: imagine a person with a great internet connection and around 1 billion zombies
that take almost an hour to capture all of the 4 million accounts and take them
over.
Now a clever attacker does this: he creates an automated
script that increments Facebook user IDs and requests a password reset for
every one of the billion-plus users Facebook holds. That by itself does nothing other
than send every user a token, but it makes the brute force less time consuming,
considering we now have the possibility of hitting a billion tokens and a billion
accounts. Interesting, eh?
So if you have the zombies, or a system with that much performance,
you can still own a lot of accounts. One
thing I then realized is that you can
study the nature of the token to make the brute-force algorithm a little more
effective and less time consuming: the tokens usually start with 3 digits, and only
the characters after them are randomized.
This should be classified as a threat, even though the probability
of exploitation is very low. The users' safety can only be ensured by
limiting the rate of tries, not by relying on probability alone, which still leaves
the users in a less probable but nonetheless dangerous situation.
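The numbers above can be checked rather than argued about. The script below is an added example, not code from the original post: it works the post's figures (the 62^13 keyspace, 4 million live tokens at once, and the smaller space if the first three characters are digits) and shows what a cap on tries does to the expected number of compromised accounts. The guess budgets and the ~1000-tries-per-source cap are assumed figures taken from the scenario and the comments.

```python
import math

ALPHABET = 62   # a-z, A-Z, 0-9, as the post counts them
TOKEN_LEN = 13  # reset token length in the post, e.g. "240jMqhGzXiy8"


def keyspace(leading_digits: int = 0) -> int:
    """Number of possible tokens. `leading_digits` models the post's
    observation that tokens start with that many decimal digits."""
    if not 0 <= leading_digits <= TOKEN_LEN:
        raise ValueError("leading_digits must be between 0 and TOKEN_LEN")
    return 10 ** leading_digits * ALPHABET ** (TOKEN_LEN - leading_digits)


def expected_hits(guesses: int, outstanding: int, space: int) -> float:
    """Expected number of live tokens matched by `guesses` uniform random
    guesses while `outstanding` tokens are valid (linearity of expectation)."""
    return guesses * outstanding / space


def hit_probability(guesses: int, outstanding: int, space: int) -> float:
    """P(at least one guess matches a live token). log1p/expm1 keep the
    per-guess probability (around 1e-17 here) from rounding to 0 or 1."""
    if not 0 <= outstanding < space:
        raise ValueError("outstanding must be below the keyspace")
    return -math.expm1(guesses * math.log1p(-outstanding / space))


def guesses_for(target: float, outstanding: int, space: int) -> int:
    """Smallest guess count that reaches probability `target` of one hit;
    a per-source attempt cap has to keep any attacker far below this."""
    if not 0 <= target < 1 or not 0 < outstanding < space:
        raise ValueError("target must be in [0, 1), outstanding in (0, space)")
    return math.ceil(math.log1p(-target) / math.log1p(-outstanding / space))


if __name__ == "__main__":
    outstanding = 4_000_000   # live tokens at once, the post's figure
    # Assumed budgets: a billion guesses (one per zombie per hour), and a
    # trillion (a billion sources each allowed the ~1000 tries the comments
    # suggest as a cap). Even the larger budget yields a tiny expected take.
    for digits in (0, 3):
        space = keyspace(digits)
        print(f"leading digits={digits}: keyspace={space:e}")
        for guesses in (10 ** 9, 10 ** 12):
            print(f"  {guesses:e} guesses -> expected hits "
                  f"{expected_hits(guesses, outstanding, space):.3g}, "
                  f"P(>=1 hit) {hit_probability(guesses, outstanding, space):.3g}")
        print(f"  guesses for a 50% chance of one hit: "
              f"{guesses_for(0.5, outstanding, space):e}")
```

The point for a defender is the last line of each group: the cap on tries per source is what bounds `guesses`, and it is that bound, not the size of the keyspace alone, that decides how far an attacker stays from the 50% mark.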
3 comments
Good attempt. I am unsure if these botnets would be allowed to create requests more than once, because Facebook would block requests looking at the UAs.
Shirtam, I understand your point. I think it "should have" been very true. Unfortunately for Facebook, they didn't start doing that just yet. If that was implemented, I wouldn't have posted this in the first place; that should be the correct fix, blocking the number of tries from the same UAs after a number of probably ~1000 tries. ;-)
I think it is a possibility, I guess. They at least should consider fixing this after a while; just because they think they will notice the upcoming requests does not mean they shouldn't find it. Nice find!