Friday 14 June 2013

Hacking Any Facebook Account Exploit POC

This is my first documented Facebook vulnerability. I have a couple of other vulnerabilities which I will be disclosing once they are patched by the Facebook security team.

A critical vulnerability exists in Facebook that would allow a hacker to easily take complete control over any Facebook account. If the victim is logged into Facebook, all a hacker has to do is get the victim to visit a website link. Once the link has loaded, the attacker is able to reset the victim's password.

The vulnerability exists in the "claim email address" component of Facebook.

When a user tries to add an email address that already exists in the Facebook system, they have the option to "claim it".

When claiming an email address, Facebook did not check which account had initiated the claim. This allowed the claim to be completed on any Facebook account, not just the one that started it.

In order to exploit this, you need 2 Facebook accounts.
1. An account with the email address (that you want to claim) already added to it.
2. Another account to initiate the claim process.

For example:

When making a claim request for a @hotmail.com email, you are taken to a link that looks like this:
https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs

Updated (July 16th):
--------------------------------------------------------------------------------------------------
Some people asked me to clarify how I got the link above, so I've added 2 new visuals below:

After the exploit was fully patched, here is what happens when you try to claim an email:


Now, since I did not take a screenshot of the claim process before the patch, I will provide an edited image of what the Claim popup dialog looked like (it's not exact):

Clicking on the "Claim" button would automatically redirect you to the link above.
--------------------------------------------------------------------------------------------------

I found out that the appdata[fbid] parameter was the encrypted email address. For this demonstration, the encrypted email was "funnyluv196@hotmail.com". The link will redirect you to the sign-in page for Hotmail. You must sign in with the email address that matches the encrypted parameter. Once signed in, you are taken to a final link that looks like this:
https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026

Viewing the source code will show that the claim email process has succeeded:
<script type="text/javascript">window.opener.location.href = "\/claim_email\/add_email\/check_code?email=funnyluv196\u002540hotmail.com&openid=1"; window.close();</script>
There were two important aspects which made this exploit simple.
- The link stays valid for around 3 hours, giving a hacker plenty of time to use it.
- It can be visited while logged into any Facebook account, because there is no check that the visitor is the account that initiated the claim.
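To make the missing check concrete, here is a small model of the claim flow, written as an added example for this post (it is not Facebook's code, and the token format, function names and secret key are assumptions). The vulnerable accept step only verifies that the token is genuine and unexpired; the fixed version also requires that the logged-in account is the one that issued the claim, which is what defeats the hidden-image replay described in this post.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-server-side-key"   # hypothetical key, never sent to clients
TOKEN_TTL = 3 * 3600                       # the post saw the link stay valid ~3 hours

def _sign(body: bytes) -> str:
    return hmac.new(SECRET, body, hashlib.sha256).hexdigest()

def issue_claim_token(initiating_uid: str, email: str, now: float) -> str:
    """Hypothetical stand-in for the opaque appdata[fbid] value: it records the
    email being claimed, the account that started the claim, and an expiry."""
    body = json.dumps({"uid": initiating_uid, "email": email,
                       "exp": int(now + TOKEN_TTL)}, sort_keys=True).encode()
    return base64.urlsafe_b64encode(body).decode() + "." + _sign(body)

def _parse_token(token: str, now: float):
    """Return the claim dict if the signature is valid and unexpired, else None."""
    try:
        b64, sig = token.split(".", 1)
        body = base64.urlsafe_b64decode(b64.encode())
    except ValueError:            # malformed token (binascii.Error is a ValueError)
        return None
    if not hmac.compare_digest(_sign(body), sig):
        return None
    claim = json.loads(body)
    return claim if claim["exp"] > now else None

def accept_claim_vulnerable(token, logged_in_uid, accounts, now):
    """Models the flaw in the post: the accept step checks that the token is
    genuine and unexpired, but never which account is submitting it."""
    claim = _parse_token(token, now)
    if claim is None:
        return False
    accounts.setdefault(logged_in_uid, set()).add(claim["email"])
    return True

def accept_claim_fixed(token, logged_in_uid, accounts, now):
    """Binds the claim to its initiator: a token replayed from another user's
    session (e.g. via a hidden <img> on a third-party page) is rejected."""
    claim = _parse_token(token, now)
    if claim is None or not hmac.compare_digest(claim["uid"], logged_in_uid):
        return False
    accounts.setdefault(logged_in_uid, set()).add(claim["email"])
    return True
```

The `accounts` dict stands in for the server-side record of which emails belong to which account; `now` is passed in so expiry can be tested deterministically.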

All a hacker has to do is insert this link on a webpage as either an image or an iframe. Example:
<img src="https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026" width="0" height="0"/>
The victim is then sent a link to that page, for example:
http://evilsite.com/evilpage.html

Once clicked, the email (in this case: funnyluv196@hotmail.com) is instantly added to their Facebook account. The victim does not receive any notification whatsoever that this email has been added.

The hacker can then reset the victim's password using the newly added email address, giving the attacker complete control over the Facebook account.

This vulnerability has been confirmed to be patched by the Facebook Security Team.

Video demonstration (embedded video; an HD option is available).

~Dan Melamed

About Me

I'm a security researcher. You can follow me on twitter @danmelamed
