Friday, April 8, 2011

Facebook Vulnerability - Destroy Any advertisements/badges! (permission issue)

These days Facebook is one of the heaviest engine of advertising, many companies use Facebook to promote their products and even hire people to deal just with that.

I found an attack vector that can be used by any hacker to delete badges/ads from people's/companies's accounts which will cause a damage to every blog/other website
because a new bages will have a new "bid" so every website will drop the old badge.

This issue effects the Badges feature 
As for: 
Badges Home
Profile Badges
Like Badges
Photo Badges
Page Badges

Vulnerability Details:
A user uses the badges feature to share on blogger or any other place
an attacker see the bage in some website/blog:
<img src="" width="336" height="84" style="border: 0px;">
Analyzing the Picture's name:
The first number 1403380007 is the Victim's facebook owner ID
(it's easy to get this id using a simple search in facebook)
Now the middle number: 3098 is the bid(badge id) 

Now what the Attacker needs is to capture a deleting badge packet
and manipulate the "bid" and "owner_id"

POST /ajax/facebook-widgets/delete_badge.php?__a=1 HTTP/1.1
Proxy-Connection: keep-alive
X-SVN-Rev: 349667
Content-Type: application/x-www-form-urlencoded
Accept: */*
User-Agent: Mozilla/5.0 ....
Accept-Encoding: gzip,deflate,sdch
Accept-Language: en-US,en;q=0.8
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.3
Cookie: mycookie
Content-Length: 137


Then a successful badge delete will be performed on the victim's account

The Facebook Team Fixed this issue and thanked me by adding my name into the Facebook WhiteHats thank you list : Facebook Security WhiteHats

Best Regards,
Ben Hayak