
Hello, hi, thanks for coming. This is our presentation. I'm Guillermo and this is [inaudible], from Mexico City. We are going to talk about a vulnerability we found in Facebook last year. This is our disclaimer: this vulnerability has been mitigated by the Facebook security team. Facebook accounts have only been tested with the strictest investigation purpose, and they have never been compromised without the owners' authorization. And this is the agenda. Hello everyone. In this presentation we will talk about how we found a vulnerability within the Facebook mobile application, specifically in the app, how we tested it, how we reported it, how we got rewarded for it, and we will also talk about next steps
in possible new vulnerabilities with this kind of apps that we found. OK, about us: we are members of a cyber security team in Mexico City, both as penetration testers, and this is our first serious research. We love security, learning interesting things and breaking things for fun, so we are into bug bounties and we participate in CTFs. First of all, what was the issue? Back in 2016, Instant Articles was a functionality of the mobile Facebook application where you can view, share and do whatever with media content from third parties, directly in the Facebook mobile application. In this functionality we found a vulnerability, a session hijacking vulnerability, and we reported it to Facebook
in May 2015. OK, how does this vulnerability work? This is a vulnerability we detected when sharing links from the Facebook mobile application. The vulnerability is caused by a lack of proper validation in the app when creating URLs shared from Facebook Instant Articles. We also found that some links were shared with a session key and an app key, which allows a third party to steal the session when opening the link in a browser, since the browser initiates the session of the user that initially shared the link. Here is a proof of concept. The first step is when a legitimate user uses this functionality of Instant Articles, sees a post in his mobile Facebook application and then chooses the share
options, and the user can copy the link and share it wherever they need, by another media source, whatever; in this case it was [inaudible]. Once it is shared, a malicious user, wherever he gets the link, clicks on it in the browser and is asked to initiate a session as the user that initially shared the link; this functionality is called one-time login. Then the malicious user can just accept, and we have the session of the user that initially shared the link, but in another cell phone, for instance, or even a computer, and then, well, you can do whatever you want with the account. OK, exploiting this vulnerability at scale: it was
not easy to test this issue, since we found that the vulnerability was not always present when sharing the link from the Facebook application. However, we already knew how these shortened links were constructed, and this is the structure of the shortened URL. So if you search this URL in Google you find a lot of accounts. It was possible to replicate the issue several times with a lot of Facebook accounts in the world. First, by searching with Google, it was possible to observe that it was quite common to share these shortened links that can be used to steal a valid session for Facebook accounts. This is the search in Google and these are all the
shortened URLs. By simple recon searches we can find this kind of URL pretty much everywhere, with the session key and the app key in the link. However, we had a problem: the links we found in Google were old and didn't work anymore. But there was a solution: we could find these kind of links live within Twitter, using real-time search. So in this example we found a URL within Twitter, posted in real time, minutes or hours old at most. This is an example of how accounts could be compromised: we could access the whole account when you simply
accept what the browser is asking, and then you can impersonate the session of the user, whenever you can find these kind of URLs.
Here are some videos. This is an example of how to search for the vulnerable URLs only recently seen in Twitter, with the vulnerable parameters. So when you search facebook.com/out.php you find these links.
It is worth noticing that not every link worked, because the expiration time could have been reached. However, there were a lot of links and some of them, a lot of them, really worked.
This one, for instance: you just accept and you have the account. OK, this is an example of how you log in with a vulnerable URL. [inaudible]
And we only search for possible vulnerable URLs.
So when we find a vulnerable link we only open that link. At this moment I clear my cache and open the link again, so the one-time login works; I open it in another tab in my browser. Here we see how the media content actually opens in the browser, but the user is already authenticated in our browser, so we just open another tab, go to Facebook, and we have the account of the user. When these links were valid there was always the same functionality: one-time login, and then access to the account.
Well, as we said before, we reported this to the Facebook bug bounty program and we got rewarded for it, and we were also added to their Whitehat recognition. After we exposed this vulnerability, they proposed a mitigation. Facebook didn't mitigate the URL issue; instead they have mitigated the vulnerability present in one-time login by implementing a redirection. The URL with the vulnerability was implemented in facebook.com/out.php, so it is no longer possible to steal a valid session. The vulnerability from the shortened URL is still present, but when you open the link it redirects to the media content, the video, directly, without asking you to validate the session. And this is an example of how the
vulnerability was remedied.
If you search this URL now, you can find these kind of links,
but when you open a link, these links don't have a session; they only have a redirect.
OK, what next? The vulnerability in the app was not mitigated, and the app still creates this kind of URL. Some of them could be vulnerable today, and we have found that these kind of URLs are actually created nowadays in the content shared by all kinds of media. Researching these kind of things could lead us into something. Yes, you can search all the requests and you can find something like this,
if you catch it in time, with all the security [inaudible].
Yes, they have a one-time login, so if you have a vulnerable URL you can find something. Probably it was a little bit harder to test, because the expiration time is really, really short, so even with live searches through Twitter it was really hard to find a link that actually works. Maybe if you automate the searches, looking for them in real time, right when they are posted, you can test it, and if you have a valid URL this is what happens:
First I check if I have a previous session in Facebook; I don't.
Next I open the [inaudible]; this is the composition of the link.
Next, [inaudible] continue with what was initially shared. When you find the link you have a valid session; when you just copy the link without the session, since you are not authenticated, you have a validation, but if you replay that URL the request fails.
That is why this vulnerability will be very hard to replicate in the wild.
That is all the presentation. Do you have any questions?
Simply, I'm asking folks to ask questions over the mic because we are live streaming. I heard a question back here.
How long did you see the session for, like the expiry time? Did they expire on a repeating timer, or was it a permanent lifetime session?
For the first links it depends, actually. Yes, we found links that were six months old that were actually valid, and others that we tested that didn't work. So it was really random, and that's why we had to search through the links to find a valid one.
Did you find it was brute-forceable or not? Was it just
too long, the string, sorry, the URL parameter? Was it too long a string to brute force? So in the URL parameter, I'm guessing the session ID is sort of bound to the account ID. Did you see possibilities of brute force from there?
It's completely arbitrary, and there probably is, in how the media inserts the session in the link when creating the shortened link, when the short URL is randomly created. Do you have any other questions? We have time.
Going once, going twice. OK, thank you. Can I have a round of applause for these guys? Thank you very much. [Applause]
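The following is an added example, written for this page after the transcript; it is not the speakers' code and not Facebook's. It shows the two sides of the issue the talk describes: the recon side (walking a batch of public posts and flagging shared links whose query string carries a credential, the way the speakers searched Google and Twitter) and the mitigation side (what a share feature should do before a link leaves the app: strip the credential-bearing parameters and keep only the redirect target). The talk names the endpoint as facebook.com/out.php and says the links carried a "session key" and an "app key" but never names the parameters, so the parameter names in `CREDENTIAL_PARAMS`, the `u` redirect parameter and the sample posts are all constructed assumptions, not real Facebook URLs.

```python
"""Detect and strip credential-bearing query parameters in shared links.

Added example, not from the talk. The endpoint path comes from the talk;
every parameter name below is an assumption, since the talk never names them.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Assumed names of query parameters that carry a credential. The talk only
# says the links carried a "session key" and an "app key".
CREDENTIAL_PARAMS = {"sessionkey", "session_key", "app_key", "access_token"}

# Loose URL matcher for free text (a tweet, a forum post, a Google result).
URL_RE = re.compile(r"https?://[^\s<>\"']+")


def credential_params(url: str) -> dict:
    """Return the credential-bearing parameters found in the URL's query."""
    parts = urlsplit(url)
    return {
        k: v
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() in CREDENTIAL_PARAMS
    }


def strip_credentials(url: str) -> str:
    """Mitigation side: rebuild the URL without credential-bearing parameters.

    A share feature should emit the result of this, so the link only carries
    the redirect target and not a token that logs the recipient in as the
    sharer. Parameter order and the remaining values are preserved.
    """
    parts = urlsplit(url)
    kept = [
        (k, v)
        for k, v in parse_qsl(parts.query, keep_blank_values=True)
        if k.lower() not in CREDENTIAL_PARAMS
    ]
    return urlunsplit(parts._replace(query=urlencode(kept)))


def scan_posts(posts) -> list:
    """Recon side: report every link in the posts that leaks a credential.

    Returns a list of (url, sorted credential parameter names) tuples so a
    caller can triage which links are worth testing before they expire.
    """
    findings = []
    for post in posts:
        for url in URL_RE.findall(post):
            creds = credential_params(url)
            if creds:
                findings.append((url, sorted(creds)))
    return findings


# Constructed sample posts; these are not real tweets or real Facebook links.
SAMPLE_POSTS = [
    "check this out https://facebook.com/out.php"
    "?u=https%3A%2F%2Fexample.com%2Farticle&sessionkey=AbC123&h=xyz",
    "clean link https://facebook.com/out.php"
    "?u=https%3A%2F%2Fexample.com%2Fother&h=xyz",
    "no link here at all",
]

if __name__ == "__main__":
    for url, names in scan_posts(SAMPLE_POSTS):
        print(f"leaks {names}: {url}")
        print(f"  safe form: {strip_credentials(url)}")
```

Running the file flags only the first sample post, because its link carries `sessionkey`; the second post uses the same endpoint with just the redirect target and passes. The strip function is the check the talk says Facebook did not apply on the app side (they changed the login endpoint's behaviour instead), and it is the one a practitioner would put in front of any "copy link" or "share" action.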