Pierluigi Paganini July 14, 2013

Security expert Dan Melamed discovered a critical Facebook vulnerability would allow an attacker to take complete control over any account.

A critical Facebook vulnerability would allow an attacker to take complete control over any account, the discovery was made by Dan Melamed, a security researcher, web developer, self-employed internet marketer, and entrepreneur.

Dan was recently featured on Facebook’s Whitehat page, the researcher revealed that if the victim is logged into Facebook, to conduct that attack it is enough to induce him to visit a website link that once loaded allows the attacker to reset the victim’s password.

The Facebook vulnerability is related the “claim email address” component of the popular social network.

If a user tries to add an email address already known to the Facebook platform, he has the option to “claim it”.

The Facebook vulnerability is the leak of the check of the account that make the claim request allowing an email to be claimed by any Facebook account.

The attack technique has the following pre-requirements

• An existing account having the email address that the attacker wants to claim.
• Another existing account to initiate the claim process.

POC

When user makes a claim request for an @hotmail.com email he is taken to a link that appears like this:

https://www.facebook.com/support/openid/proxy_hotmail.php?appdata[fbid]=AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs

The researcher found that the parameter appdata[fbid] was the encrypted email address. For the proof of concept the encrypted email used was “funnyluv196@hotmail.com”. The link will redirect user to the sign in page for Hotmail.

“You must sign in with the email address that matches the encrypted parameter. Once signed in, you are taken  to a final link that looks like this:
https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026 ”

Analyzing the source code it’s possible to note that the claim email process has succeeded:

 <script type="text/javascript">window.opener.location.href = "\/claim_email\/add_email\/check_code?email=funnyluv196\u002540hotmail.com&openid=1"; window.close();</script>

Dan Melamed remarked two important aspects on the exploit of Facebook vulnerability:
– The link expires in around 3 hours, giving plenty of time for a hacker to use it.
– It can be visited on any Facebook account because there is no check to see who made this request.

To trick the victim the hacker has just to insert the following link on a webpage as either an image or an iframe

Example:

<img src=”https://www.facebook.com/support/openid/accept_hotmail.php?appdata=%7B%22fbid%22%3A%22AQ3Tcly2XEfbzuCqyhZXfb8_hYHTnHPPd-CDsvdrLzDnWLpsKTMcaXtIzV0qywEwbPs%22%7D&code=a6893043-cf19-942b-c686-1aadb8b21026″ width=”0″ height=”0″/>

inducing the victim click on it sending to the victim a link (http://evilsite.com/evilpage.html)

“Once clicked, the email (in this case: funnyluv196@hotmail.com) is instantly added to their Facebook account. The victim does not receive any notification whatsoever that this email has been added. The hacker can then reset the victim’s password using the newly added email address. Thus allowing the attacker to take complete control over the Facebook account.”

This vulnerability has been confirmed to be patched by the Facebook Security Team, fortunately the group is very responsive as demonstrated for the fix of other recent flaws. It must be considered that the popular social networking platform is very attractive for cybercrime and many other categories of attackers, cyber security is a critical aspect for its business success.

Pierluigi Paganini

(Security Affairs – Facebook vulnerability, hacking)