28. August 2011

Facebook UID disclosure - Start of something new

Security researchers would be well aware of the way, Facebook serves a custom page once they try to IFrame any of their pages. (Personally, I like the way they do it, you don’t have to worry about insanely wicked anti-frame busting techniques.) Unfortunately, there are some pages under the domain facebook.com which don’t do any frame busting whatsoever. Neither do they set a X-Frame-Options header.

The Vulnerability:

The one I came across was this interesting AJAX Request which responds with a JSON object, which includes the currently logged in user’s Profile UID and another Boolean value which denotes whether the user is a Facebook employee or not. So bad, that this interesting JSON response was not protected against any kind of iframing. All an attacker had to do was to do a cross-domain content extraction and he gets the visitor’s Facebook profile .

Getting the UID:

There are some few ways in leveraging this particular JSON response. One thing that came to my mind was JSON Hijacking . I felt that the modern day browsers stopped them most of the times. (Do let me know if JSON Hijacking works still) . The one I used was something inspired by the Fake Captcha technique (A neat work by Kotowicz). Though this particular attack is a hard one to exploit ,it does work most of the time.

Download the POC Code here

What if Mark Zuckerberg visited this page ?

Lets imagine that ,Mark Zuckerberg (Facebook UID=4) visits the attacker.html page, and fills in the Captcha details. Here are some Screenshots for you,

User enters the Captcha value, to prove himself

The attacker uses the UID to reveal the user information

This is my first post. Pretty noob I am.