lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <787d2a91-db70-ef3d-ca68-003b6d6ea719@tolimat.com>
Date: Mon, 19 Sep 2016 04:47:45 +0200
From: "Hicham A. Tolimat" <hicham@...imat.com>
To: fulldisclosure@...lists.org
Subject: [FD] Facebook Privacy Issue - IRL Direct Human Reference

Oh hai o/

TL;DR:
This is not your usual full disclo delivery.
it's a 4chan-style lampoon, or what we could call in French "un pamphlet
2.0".

Excuse my French, Kudos for challenging/improving my English.

If you're only interested in technicalities, this "vuln" can be written
down to:

"FB Search/AI Injection" using "English, M**, do you speak it?"
-> Insecure Direct Object Reference + Incremental ID
-> IRL Direct Human Reference

Vuln: https://vimeo.com/179878103
PoC || GTFO: https://vimeo.com/183086660 (666 GET!!!!!!!)

▲
▲ ▲

"first they ignore you, then they threaten to sue you, then they deny the
vulnerability, then you p0wn them"-- with apologies to Mahatma Gandhi


Dear Facebook Op,

The main aim of this sage/FullDisclo is to convince you of one little thing:
This vuln is cancer. You should fix it. Quickly.

As an InfoSec Kepo, a /b/tard and a doctor's son, me, myself and I will
show off
how to disclo a vuln the "Hacker way"[1] aka PoC || GTFO.

Even if I'm speaking to you and I may seem to be judging you, Please don't
take it personally. I only needed a mark - or as we say in French "un
pigeon" -
to QED this PoC, and I already have lawsuit to take care of o/


1- /ignore - Responsive disclosure

Let me start by saying that this 'bug' is ridiculous.
I don't even know how to word it differently than "having access to [X]'s
public events" only by searching "events of [X]", disregarding any
"privacy protection" that you have in place.

This 'bug' was originally responsibly disclosed 3 months ago, worded and
screencasted [2] as following:
'''
Summary: The events method in search function seems to lack ACL rules.

Description:
By browsing the URL http://www.facebook.com/search/[entity_id]/events as an
attacker, all the (public) events where the victim is interested in and
going
in is listed without any restriction, even if:
-> there is no friendship relationship.
-> the public profile has the event section hidden.

Risk/Impact:
I understand that Facebook has clearly stated in [3]: "If you're attending a
public event, anyone on or off Facebook can see whether you're attending.
Anyone can also see the event description, photos, event wall posts and
videos.
There's no way to prevent your friends from seeing the public events that
you're attending."
But this search is "user-centric", giving the possibility for any
"unfriendly person" to stalk the events that the user is attending,
with potential IRL consequences.

Personal notes: Can we, pretty please with sugar, avoid the usual
"It's a feature, not a bug"? Kudos
'''

The only response that I got was Joshua sending me back a very
kind/professional
"not in my backyard/go make suggestions to Engineering". #Kudos Joshua o/

Time passed as life was not trolling me enough the following days and
months, up
until recently when I got a visit of one of my Tunisian friends.
This genie, born in Mekka, did what every n00b or l33t in InfoSec do:
go beyond 3. And found out that your entity_IDs are incremental. [4]
After the usual win dance (everybody got one), He said:
"I'm better than Mark, you know why? Because I know where Mark is,
and he doesn't know where I am".

Let me just state the obvious here: Are you seriously using incremental IDs
for your +1,5 billion user base? It is unreal to see that you are counting
profiles like sheep.
I'm #610668830 in case you're wondering.

Can you imagine that I found the same fail n00b in a startup's code here
in Paris?
This makes me wonder if you have ever got your code audited, or if u can
even triforce.
This is wrong in so many levels. Mainly because it's dangerously silly
and easy to sploit.

Dangerous enough to be lulz.
To make a "Cyber Weapon in grugq's scale" out of it to prove how easy it is.

▲ Code is Law
▲ ▲

2- /kick - PoC is kicking and alive

Let's be crazy enough to sploit this[5].

The plan is simple:
Connect to facebook, browse the events page, scrap as much data as
possible, and
render it in a map.

Fortunately, half of the work was already done by @stevenvo [6], and
helped me
leverage the power of scrapy for data crawling + BeautifulSoup for html
rendering.

"All I had to do" was to dump the event page's data from source.
Then I had to read your code. It's ugly if I may say.
Because I tend to consider obfuscation as bad frustration, not protection.

Long story short, I had to handle javascript using a Splash[7] docker
container,
simulate a page scrolling to trigger the payload event, get the
"generic.php"
payload feed, get all cursors in place, THEN I could finally scrap data.

Tailoring and Parsing the right piece of info was a real pain in the ass
too.
I even had to use regex, which is always a bad idea in the first place.

After scraping, all I had to do is to rework and export data in RFC7946,
by nicely asking Google a reverse geolocalization.
The screencast [8] shows how easy it is to drag/drop and visualize your
whereabouts around the bay.

To "arm" this cyberweapon, I just need to add a loop from 4 to let's say
10k,
and I'll be granted 10k geojson files of your 10k first users. Magic, right?

Or maybe I have a person of interest? I just need to grab his/her
entity_id and
we're done! Freaky, right?

N33d more l00t?

During the analysis phase, a detail got my attention [9], a P3P Header
with the
message: "Facebook does not have a P3P policy. Learn why here:
http://fb.me/p3p"

I was amused by this, even trolled when I read the "P3P is dead"
justification,
but in the end astonished when I tried the "If you have questions about this
policy" link. A broken one [10].

You're not even trying to hide it anymore. You don't give a damn.
But let's stay professional here, and suggest another reading from W3C.

Web Best Practices [11], where "Data must not infringe a person's right to
privacy":
"Data publishers should preserve the privacy of individuals where the
release of
personal information would endanger safety (unintended accidents) or
security
(deliberate attack)."

What I'm challenging here is your perception of what should be public or
private
with this simple question: "Who are you to decide for billions?"

Dan Kaminsky once [12] said "data is flammable, not data is human waste".
Yours is nuclear, and you're aware of it. You even got a "Data God".
I can't but even fathom what your "Data God mode" dashboards looks like.
Can we haz a screenshot? <3

No matter how tall your legal/denial wall is/will be, you are morally
liable to
any IRL consequences of your social experiments, like IBM did. [13] #Godwin

In a word, your Harvard psychology diploma doesn't grant you a Fifth Freedom
[14] to suck data out of people online, pretexting "connecting people" to a
1984/"Free" version of Internet in India [15] & Africa [16].

▲ Data is Liability
▲ ▲

3- /ban - Projections and perspectives

-> Why am I being pushy/hitchy about this?
Because You broke an important rule [17], perfectly worded by Confucius:
Xiào.
Disrespecting founders is not without consequences.
/b/ is not your personal army.

As a proper paranoid, Let's conclude with the, God Forbid, legal
perspectives of
this full disclo.

Is your legal/PR team tempted by a murder-by-lawyer? Because I "engaged in
Automated Data Collection without Facebook's express written permission"
[18]?
Let me then ask one question : "under whose jurisdiction?"

-> Will you be issuing a lawsuit depending on crawling ip origins?
I don't recall exactly, but I used VPNs somewhere between Italy, Canada,
Russia
(I'm playful), Netherlands and France. Ask for non existing logs \o/

I even had to confirm my phone number 3 times because of this. #CallMeMaybe

But let's break it down, I'm even easing your work, being a responsible
researcher.
All scraping was done using the following UA:
'Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0 ~> 3ayn
(BB-0.8)'

-> Issuing a lawsuit in the US?
I'm certainly already flagged in the US due to my name. Let alone my
activities.

-> In France?
You have your chances, as the last hope of protecting whistle blowers
vanished
recently [19] in this country.

-> Morocco, the country were I was born & raised?
I'd love to see US lawyers trying to figure out Moroccan laws that even
Moroccan
lawyers sometimes don't understand.

But I'd rather conclude this sage by one quote [20], hoping that you'll
find some
wisdom on it:

"The processing of personal data should be designed to serve mankind.
The right to the protection of personal data is not an absolute right;
it must be considered in relation to its function in society and be balanced
against other fundamental rights, in accordance with the principle of
proportionality."

Op, please stop this non-sense and fix this cancer before it kills its host.

▲ InfoSec is limitless
▲ ▲

Cyber-Peace out,
H.A.T

Ref:
[1]:  https://www.wired.com/2012/02/zuck-letter/
[2]:  https://vimeo.com/169880181
[3]:  https://www.facebook.com/help/216355421820757/
[4]:  https://vimeo.com/179878103
[5]:  https://github.com/h-a-t/StalkASS
[6]:  https://github.com/stevenvo/facebook_data_scraping
[7]:  https://splash.readthedocs.io/en/stable/
[8]:  https://vimeo.com/183086660
[9]:  https://imgur.com/a/C5V4y
[10]: https://www.facebook.com/help/contact/340002859352945
[11]: https://www.w3.org/TR/2015/WD-dwbp-20150224/#sensitive
[12]: https://twitter.com/dakami/status/707751351724351488
[13]: https://en.wikipedia.org/wiki/IBM_during_World_War_II
[14]: http://splintercell.wikia.com/wiki/Fifth_Freedom
[15]: https://www.cnet.com/news/why-india-doesnt-want-free-basics/
[16]:
https://www.theguardian.com/world/2016/aug/01/facebook-free-basics-internet-africa-mark-zuckerberg
[17]:
https://www.theguardian.com/commentisfree/2016/aug/28/tim-berners-lee-open-web-mark-zuckerberg-facebook
[18]:
https://www.facebook.com/apps/site_scraping_tos_terms.php?hc_location=ufi
[19]: (FR)
http://www.nextinpact.com/news/100172-loi-sapin-2-rejet-amendement-bluetouff-sur-failles-informatiques.htm
[20]:
http://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2016.119.01.0001.01.ENG&toc=OJ:L:2016:119:TOC


Download attachment "0xA2529CC4.asc" of type "application/pgp-keys" (38817 bytes)


_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ