Facebook Graph API Users ID (and others) Information Disclosure


# Exploit Title : Facebook Graph API Users ID (and others) Information Disclosure-    OAuthException-

# *Vendor*: Facebook.com
http://graph.facebook.com

# Author: Juan Carlos Garcia (@secnight)

# Blog:
http://hackingmadrid.blogspot.com
           


BREIF DESCRIPTION
The Graph API is the primary way that data is retrieved or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work, what connections are and puts it all together so the rest of this reference make sense.

Disclosure

Anyone can access the data from ANY user due to the release of information that produces the "Graph API" because of the functionality they have given to this API for developers.
The "excess" functionality provided in this API make data users are exposed without any need for it any malicious attacker and make a compilation of information from the target
It is possible to identify people according to their id as will be seen in the proof of concept and insecure http protocol also makes it vulnerable to a brute force attack


Proof Of Concept ( PoC)

First …


As you can see, we have a “"GraphMethodException”

"error": {
"message": "Unsupported get request",
"type": "GraphMethodException",
"code": 100

Creating an OAuthException

http://graph.facebook.com/00000000000000000000000000000000000000000000
{
"error": {
"message": "(#803) Some of the aliases you requested do not exist: 00000000000000000000000000000000000",
"type": "OAuthException",
"code": 803


Mark Zuckerberg CEO Facebook


{
"id": "4",--curious … The number 4 .. Who is id 1,2,3 ;)
"name": "Mark Zuckerberg",
"first_name": "Mark",
"last_name": "Zuckerberg",
"link": "https://www.facebook.com/zuck",
"username": "zuck",
"gender": "male",
"locale": "en_US"

The Reverse
http://graph.facebook.com/4

Metadata Disclosure

This web .. WTF???

https://graph.facebook.com/172393869485449?metadata=1

https://graph.facebook.com/?ids=http://hackingmadrid.blogspot.com

but...

https://graph.facebook.com/172393869485449?metadata=2


{
   "error": {
      "message": "(#100) Param metadata must be a boolean",
      "type": "OAuthException",
      "code": 100


OK, OK ;)

https://graph.facebook.com/172393869485449?metadata=0


IDS=google

https://graph.facebook.com/?ids=google


TWITTER SHARES ? ..


{
   "https://www.twitter.com/": {
      "id": "https://www.twitter.com/",
      "shares": 1386667
   }
}


https://graph.facebook.com/?ids=https://www.twitter.com/


COOKIES

A list of cookies that were set for the user as represented in FQL. Facebook Query Language (FQL) R

Columns
Name
expires
timestamp
name
string
path
string
uid
numeric string
value
string


To access this table you only need:
  • a valid access token with basic permissions. Facebook Login makes it easy to connect with users on your app or website. You can use several methods in the JavaScript or mobile SDKs to speed up the registration process and build a functional system in minutes.


Stealing Cookies

You only need the next SQL Query to extract the cookie...

SELECT ... FROM cookies WHERE uid = A

Note: Additional filters on other columns can be specified but they may make the query less efficient.
Permissions

To access this table you ONLY need:
/Admin

"id": "100005597474065",
"name": "AD Min",
"first_name": "AD",
"last_name": "Min",
"link": "https://www.facebook.com/ad.min", https://www.facebook.com/ad.min
"username": "ad.min",
"gender": "male",
"locale": "ru_RU"
}
Procedure:Open de links given above and you can play .. No hack, No fun ;)
Brute Force ?
As you can see ..  http://graph.facebook.com .. 
IF protocol="http" 
THEN protocol.http.vulnerable=Brute.Force.Attack

Easy? I think YES !!!

All such Information Disclosures that are producing  by to the API excess functionality for the developers, make the information gathering penetration testing phase are a simple and immediate work in this social network... work easier to malicious users.

Special THANKS : Eduardo Arriols Nuñez


Entradas populares de este blog

SHELLCODES por un tubo ....

Proteger ASP.NET de inyecciones SQL How T0? BEST PRACTICES

CERTIFICACIONES DE SEGURIDAD