Rv defcon25 how to obtain 100 facebook accounts per day through internet searches - guillermo buendia
How to obtain 100 Facebook accounts per day through Internet searches
Yael Basurto Esquivel - zkvL
Guillermo Buendia - m0m0
2. How to obtain 100 Facebook accounts per day through internet searches 2
DISCLAIMER
This vulnerability has been mitigated by the Facebook Security Team. Facebook accounts were only tested for strict research purposes and were never compromised without the owner’s authorization.
AGENDA
• About us
• Facebook Issue #331801952
• How it works
• Proof of concept
• Exploiting the vulnerability in mass
• We got paid!
• Remediation
• What’s next?
• Contact
About us
• Penetration testers and cyber security specialists at Deloitte Mexico.
• Hacking and security enthusiasts.
• Love to learn and break things.
• Bug bounty & CTF noobs.
• First serious research ever!
Facebook Issue #331801952
• The Facebook mobile application renders third-party content through “Instant Articles” – 2016.
• Content from third parties can be viewed, shared, saved and so on directly in the Facebook platform.
• We found a session hijacking vulnerability in this functionality.
• We reported it through the Facebook bug bounty program – May 2016.
How it works
• Detected when sharing links from the Facebook mobile application.
• Lack of proper validation in “One Tap Login”.
• Links are shared with a session_key and an api_key in the URL.
• This allows a third party to steal the session when opening the link in a browser (desktop or mobile), since the browser offers to start a session as the user who initially shared the link.
Proof of concept
1. A legitimate user opens an instant article on the mobile application.
2. The user shares it by tapping on “Share” and then “Copy link”.
3. The user shares the copied link through any social media.
4. A malicious user opens the link and notes that the browser asks to initiate a session as the user that initially shared the link.
5. The malicious user accepts and gains access to the account.
6. The malicious user can then perform any activity under the legitimate user’s session.
Exploiting the vulnerability in mass
The problem…
https://m.facebook.com/auth.php?api_key=11111111111111&session_key=2222222222222&............
The solution … INTERNET!
But the account links found on Google were too old and we needed recent ones, so we used a real-time search within Twitter.
Et voilà!
We got paid!
In June 2016 the Facebook bug bounty team patched the vulnerability, closed the ticket and rewarded us!
Facebook closed the ticket and we got paid!
Also, they added us to their “Wall of Fame”.
Remediation
Facebook did not mitigate the URL shortener error itself; instead they mitigated the vulnerability present in “One Tap Login”. A redirection was implemented on the vulnerable URL, “facebook.com/auth.php”, so that it is no longer possible to steal a valid session from it.
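The root cause described in the “How it works” and “Proof of concept” slides is a share link that carried `session_key` and `api_key` as query parameters, so whoever opened the link was offered the sharer’s session. Facebook’s fix above was server-side; the complementary defensive check, for any application that generates shareable or logged URLs, is to treat such parameters as secrets. The following is an added example and not code from the talk or from Facebook: it flags credential-bearing parameters, redacts them for logging, and strips them before a URL is handed to a share sheet. The parameter names `api_key` and `session_key` come from the slides; the other names in `CREDENTIAL_PARAMS`, the `next` parameter and the `instant_articles` path in the sample URLs are assumptions constructed for illustration.

```python
"""Detect, redact and strip session credentials carried in shareable URLs.

Added example (not part of the original talk). Treats query parameters
that name a session or API credential as secrets: they are reported by
``leaked_credentials``, masked by ``redact_url`` (for logs and tickets)
and removed by ``safe_share_link`` (before a URL is shared).
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameters that must never travel in a shareable or logged URL.
# ``api_key`` and ``session_key`` are the two named in the talk; the
# remaining names are common conventions added here as an assumption.
CREDENTIAL_PARAMS = frozenset({
    "session_key", "api_key",
    "access_token", "auth_token", "sessionid",
})


def leaked_credentials(url: str) -> list[str]:
    """Return the names of credential parameters present in ``url``, in order."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [key for key, _ in pairs if key.lower() in CREDENTIAL_PARAMS]


def redact_url(url: str, placeholder: str = "REDACTED") -> str:
    """Return ``url`` with credential values replaced by ``placeholder``.

    Parameter order and non-sensitive parameters are kept, so the result
    is still useful as evidence in a log line or bug report.
    """
    parts = urlsplit(url)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    cleaned = [
        (key, placeholder if key.lower() in CREDENTIAL_PARAMS else value)
        for key, value in pairs
    ]
    return urlunsplit(parts._replace(query=urlencode(cleaned)))


def safe_share_link(url: str) -> str:
    """Return ``url`` with credential parameters removed entirely.

    This is what a share sheet should receive: only the content
    identifier survives, never the sharer's session material.
    """
    parts = urlsplit(url)
    pairs = [
        (key, value)
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
        if key.lower() not in CREDENTIAL_PARAMS
    ]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


def audit(urls: list[str]) -> dict[str, list[str]]:
    """Map each URL to the credential parameters it leaks (empty list = clean)."""
    return {url: leaked_credentials(url) for url in urls}


# Constructed sample URLs: the key values are placeholders, not real
# credentials, and the second URL's path is invented for illustration.
SAMPLE_URLS = [
    "https://m.facebook.com/auth.php?api_key=1111&session_key=2222&next=%2Farticle%2F42",
    "https://m.facebook.com/instant_articles/42?source=share",
]

if __name__ == "__main__":
    for url, leaks in audit(SAMPLE_URLS).items():
        status = "LEAKS " + ",".join(leaks) if leaks else "clean"
        print(f"{status:<26} {redact_url(url)}")
        print(f"{'share as':<26} {safe_share_link(url)}")
```

The check is deliberately applied at the point where a URL leaves the application (share sheet, clipboard, log sink), because that is where the talk’s flaw became exploitable: the authentication endpoint itself can stay as it is if no credential-bearing link ever reaches a third party.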
What’s next?
This vulnerability could be present in other Facebook-crafted URLs. We have seen the same URL shortener error with “https://m.facebook.com/mobile/sso_request?d=”, but it has been complicated to replicate the issue and the conditions for this URL minimize the risk; however, further research could lead to something …
Contact
Yael Basurto Esquivel
Twitter: @zkvL7
Guillermo Buendía
Twitter: @bym0m0
Special thanks:
To everyone on the 19th floor, especially to:
• Abraham Vargas - @0ldbl4ck
• Lucio Adame - @_Svrtr_
who are co-authors of this vulnerability disclosure. This work wouldn’t be possible without their help.