Hackthecops | Internet Security: A Blog on Ethical Hacking (author: saH; Blogger feed, last updated 2024-03-08)

Facebook Bug : Disable any unverified Facebook accounts (posted 2017-02-24, updated 2017-05-18)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<span style="background-color: #f6f7f9; color: #4b4f56; font-family: "helvetica" , "arial" , sans-serif; font-size: large;">When a new Facebook account is created a verification code is sent to the email of the user to confirm their identity. Email contains an option to disavow the confirmation link in case the email was misused or used by someone else to create an account.</span></div>
<span style="font-size: large;"><br style="background-color: #f6f7f9; color: #4b4f56; font-family: helvetica, arial, sans-serif;" /></span>
<span style="background-color: #f6f7f9; color: #4b4f56; font-family: "helvetica" , "arial" , sans-serif; font-size: large;">The link behind "Didn't sign up for Facebook?" has a confirmation code in it, which is a 5-digit code:</span><br />
<span style="font-size: large;"><br /></span>
<br />
<div style="text-align: left;">
<span style="background-color: #f6f7f9; color: #4b4f56; font-family: "helvetica" , "arial" , sans-serif; font-size: large;"><br /></span></div>
<div style="text-align: left;">
<a href="https://www.facebook.com/confirmemail.php?e=VICTIM-EMAIL-ID&c=ANY-5-DIGIT-CODE&report=1" rel="nofollow" style="background-color: #f6f7f9; color: #365899; cursor: pointer; font-family: helvetica, arial, sans-serif; text-decoration: none;" target=""><span style="font-size: large;">https://www.facebook.com/confirmemail.php?e=EMAIL_ID&c=5-DIGIT-CODE&report=1</span></a></div>
<div style="text-align: left;">
<span style="font-size: large;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span></div>
<div style="text-align: left;">
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">The parameter "c" could be brute-forced by an attacker to find the right confirmation code and disable someone's unverified Facebook account: a 5-digit code has only 100,000 possible values. </span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Facebook fixed this after it was reported to the security team.</span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;"><br /></span>
<span style="font-family: "arial" , "helvetica" , sans-serif; font-size: large;">Report sent : 29 Aug 2014</span><br />
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Escalation : </span><span style="font-family: "arial" , "helvetica" , sans-serif;">29 Aug 2014</span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="font-size: large;">Fix : 23 October 2014</span></span><br />
<span style="font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;">Bounty awarded : </span><span style="font-family: "arial" , "helvetica" , sans-serif;">23 October 2014</span></span></div>
</div>
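The post above stops at the finding; the following is an added example (not Facebook's code, and not from the post) that models the endpoint on the defender's side. It shows why a 5-digit value in the "c" parameter is enumerable and the two controls that remove the risk: a per-address attempt budget and a long random token. The names (ConfirmationStore, issue_code, check_code, simulate_guessing) are hypothetical, and the policy value of five attempts is constructed.

```python
"""Server-side model of an email confirmation / disavow endpoint.

Added example for this post, not Facebook's code. It models the weakness
described above (a 5-digit code in the "c" parameter that can be found by
trying every value) and the two defences that remove it: a per-address
attempt budget and a long random token. All names here (ConfirmationStore,
issue_code, check_code, simulate_guessing) are hypothetical.
"""
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class Pending:
    code: str
    attempts: int = 0


class ConfirmationStore:
    def __init__(self, digits: Optional[int] = 5,
                 max_attempts: Optional[int] = 5) -> None:
        # digits=None issues a 160-bit URL-safe token instead of a numeric code.
        # max_attempts=None disables the attempt budget (the vulnerable shape).
        self.digits = digits
        self.max_attempts = max_attempts
        self.pending: Dict[str, Pending] = {}

    def keyspace(self) -> Optional[int]:
        """Number of candidate codes a guesser must cover (None: token too large to enumerate)."""
        return None if self.digits is None else 10 ** self.digits

    def issue_code(self, email: str) -> str:
        if self.digits is None:
            code = secrets.token_urlsafe(20)
        else:
            code = f"{secrets.randbelow(10 ** self.digits):0{self.digits}d}"
        self.pending[email] = Pending(code)
        return code

    def check_code(self, email: str, code: str) -> str:
        """Return 'ok', 'bad', 'locked' or 'unknown'; the code is consumed on success."""
        entry = self.pending.get(email)
        if entry is None:
            return "unknown"
        if self.max_attempts is not None and entry.attempts >= self.max_attempts:
            return "locked"
        entry.attempts += 1
        # Constant-time comparison so response timing leaks nothing about the code.
        if hmac.compare_digest(entry.code.encode(), code.encode()):
            del self.pending[email]
            return "ok"
        return "bad"


def simulate_guessing(store: ConfirmationStore, email: str) -> str:
    """Local risk demonstration: walk the whole numeric keyspace against the store
    and report how the endpoint ends up ('ok' = code found, 'locked' = budget held)."""
    space = store.keyspace()
    if space is None:
        return "infeasible"
    for guess in range(space):
        result = store.check_code(email, f"{guess:0{store.digits}d}")
        if result != "bad":
            return result
    return "exhausted"


if __name__ == "__main__":
    weak = ConfirmationStore(digits=5, max_attempts=None)
    weak.issue_code("user@example.test")
    print("no attempt budget :", simulate_guessing(weak, "user@example.test"))
    hardened = ConfirmationStore(digits=5, max_attempts=5)
    hardened.issue_code("user@example.test")
    print("5-attempt budget  :", simulate_guessing(hardened, "user@example.test"))
```

The attempt budget alone already turns an exhaustive walk into a locked entry after a handful of requests; the token variant (digits=None) removes the enumerable keyspace entirely, which is the shape a disavow link should have in the first place.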
Security and the Internet of Things (posted 2015-08-12, updated 2017-05-18)
<div dir="ltr" style="text-align: left;" trbidi="on">
Credits : <a href="mailto:zora.lopez123@gmail.com">Zora Lopez</a>
<a href="http://www.computersciencezone.org/security-internet-of-things/"><img alt="Security and the Internet of Things" border="0" src="https://www.computersciencezone.org/wp-content/uploads/2015/04/Security-and-the-Internet-of-Things.jpg" width="500" /></a><br />
Source: <a href="http://www.computersciencezone.org/">ComputerScienceZone.org</a></div>
Facebook Bug Bounty: Clickjacking (posted 2015-03-26, updated 2017-05-18)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="bposttitle" style="border: 0px; color: #161514; font-family: tahoma, "century gothic", arial, verdana, sans-serif; line-height: 20px; margin: 0px; outline: 0px; padding: 0px; vertical-align: baseline;">
<h2 class="post-title entry-title" style="border: 0px; font-family: georgia, "century gothic", arial, verdana, sans-serif; font-stretch: normal; font-weight: normal; line-height: 26px; margin: 5px 0px 5px 5px; outline: 0px; overflow: hidden; padding: 5px 0px; vertical-align: baseline;">
</h2>
<h2 class="post-title entry-title" style="border: 0px; font-family: georgia, "century gothic", arial, verdana, sans-serif; font-stretch: normal; font-weight: normal; line-height: 26px; margin: 5px 0px 5px 5px; outline: 0px; overflow: hidden; padding: 5px 0px; vertical-align: baseline;">
<span style="background-color: #f6f7f8; color: #373e4d; font-family: "helvetica" , "arial" , "lucida grande" , sans-serif; font-size: large; line-height: 15.36px; white-space: pre-wrap;">I have written about an interesting clickjacking bug I found in Facebook on a friend's <a href="http://www.paulosyibelo.com/2015/03/facebook-bug-bounty-clickjacking.html" target="_blank">blog</a>; I hope you will find it useful.</span></h2>
</div>
</div>
How I hacked into Oculus VR developer Portal | PoC (posted 2014-11-06, updated 2017-05-18)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="line-height: 23.0400009155273px; text-align: left;">
<span style="font-family: Verdana, sans-serif;"><span style="font-family: arial, helvetica, sans-serif; font-size: large;">Oculus VR, one of the Facebook acquisitions, was vulnerable to many severe issues including RCE, multiple SQL injections, and multiple CSRFs.</span></span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;">Many researchers such as Jon of Bitquark, Inti De Ceukelaire and Josip Franjković had already squeezed it to a more secure level. I knew that all the low-hanging fruit might have gone. Nevertheless, I gave it a shot. This is my second finding on Oculus; the first was something that allowed me to add anyone's email to an account and verify it without their interaction by crafting a verification link. This one is somewhat similar: it enabled me to reset someone's password and authenticate into their account. Each time I reproduced the request, I got access to a different account, whose password was changed as well.</span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: arial, helvetica, sans-serif; font-size: large;"><br /></span>
<span style="font-family: arial, helvetica, sans-serif; font-size: large;">After trying many known tricks to bypass the protection there, with zero results, an idea struck me. The trick used arrays in query parameters to confuse the web application into giving out what I really wanted.</span></span><br />
<span style="font-family: Verdana, sans-serif;"><span style="font-family: arial, helvetica, sans-serif; font-size: large;"><br /></span>
</span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><br /></span></div>
<div style="line-height: 23.0400009155273px; text-align: left;">
<span style="background-color: white;"><span style="font-family: Verdana, sans-serif; font-size: large;"><span style="background-color: #f3f3f3;"><br /></span>
</span></span><br />
<div class="separator" style="clear: both; text-align: center;">
<span style="background-color: white; font-family: Verdana, sans-serif; font-size: large;"><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.youtube.com/embed/01a1aProHRU?feature=player_embedded' frameborder='0'></iframe></span></div>
<span style="font-family: Verdana, sans-serif; font-size: large;"><span style="background-color: white;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"><span style="background-color: #f3f3f3;"><br /></span></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">Bingo!!!</span></span></span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;">A nice bounty followed up after it was reported to the security team.</span></span></span><br />
<span style="font-family: Verdana, sans-serif; font-size: large;"><span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white;"><br /></span></span>
<span style="background-color: white;"><span style="font-family: "arial" , "helvetica" , sans-serif; font-size: small;"></span></span></span><br />
<span style="font-family: "arial" , "helvetica" , sans-serif;"><span style="background-color: white; font-family: Verdana, sans-serif; font-size: large;">Hope you guys enjoyed it.</span></span></div>
</div>
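The post says only that array-style query parameters confused the application; the details of the Oculus endpoint are not given, so the following added example (not Oculus VR's code) shows the generic hardening a sensitive endpoint such as a password-reset handler can apply: parse the query string strictly and refuse any parameter shape a lenient framework would turn into a list before it reaches the comparison. The names (lenient_params, strict_params, require_single, BadRequest, is_rejected) and the sample query strings are constructed.

```python
"""Strict query-parameter handling for a sensitive endpoint (e.g. password reset).

Added example prompted by the post above, not Oculus VR's code. It contrasts the
list-valued view many frameworks hand the application with a strict parser that
accepts exactly one scalar value per parameter. Names (lenient_params,
strict_params, require_single, BadRequest, is_rejected) are hypothetical.
"""
from typing import Dict, List
from urllib.parse import parse_qs, parse_qsl


class BadRequest(ValueError):
    """Raised for parameter shapes the endpoint refuses to interpret."""


def lenient_params(query: str) -> Dict[str, List[str]]:
    """What many frameworks hand the application: every value is a list,
    and 'name[]' keys are left for the app to reinterpret as arrays."""
    return parse_qs(query, keep_blank_values=True)


def strict_params(query: str) -> Dict[str, str]:
    """One scalar value per key; repeated keys and bracketed keys are rejected."""
    seen: Dict[str, str] = {}
    for key, value in parse_qsl(query, keep_blank_values=True):
        if "[" in key or "]" in key:
            raise BadRequest(f"array-style parameter not allowed: {key}")
        if key in seen:
            raise BadRequest(f"repeated parameter: {key}")
        seen[key] = value
    return seen


def require_single(query: str, name: str) -> str:
    """Fetch a mandatory scalar parameter or refuse the request."""
    params = strict_params(query)
    if name not in params or params[name] == "":
        raise BadRequest(f"missing parameter: {name}")
    return params[name]


def is_rejected(query: str, name: str = "token") -> bool:
    """True when the strict parser refuses the query for parameter `name`."""
    try:
        require_single(query, name)
    except BadRequest:
        return True
    return False


if __name__ == "__main__":
    # Constructed sample queries: one well-formed, two array-shaped.
    for q in ("token=abc123&user=42", "token[]=abc123&user=42", "token=a&token=b&user=42"):
        print(q, "->", lenient_params(q), "| strict rejects:", is_rejected(q))
```

The point of the strict parser is that the code comparing a reset token to the stored value never sees a list, an empty string or a bracketed key, so whatever the framework's array conventions are, they cannot reach the comparison.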
Chat with any non-friend minors <----> Facebook Bug Bounty (posted 2013-12-07, updated 2017-05-18)
<div dir="ltr" style="text-align: left;" trbidi="on">
<div>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;"><br /></span>
<span style="font-size: large;">This post is about a simple bug I found in Facebook that allowed me to chat with any non-friend minor.</span></div>
<div>
<span style="font-size: large;">It is a privacy issue where a user could send messages to a minor who is a total stranger, when they shouldn't be able to.</span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">According to Facebook,</span></div>
<div>
<span style="font-size: large;">Minors can receive messages only from people who are friends of friends and people who have their contact information (ex: email address or phone number). This may include adults they don’t know.</span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">But it was easy for an unknown adult to send messages to a minor.</span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">For a minor who has changed his/her message preferences from Basic Filtering to Strict Filtering (for more privacy)</span></div>
<div>
<span style="font-size: large;">in privacy settings, this simple trick worked.</span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">Do a graph check to get the fbid.</span></div>
<div>
<span style="font-size: large;">http://graph.facebook.com/victim</span></div>
<div>
<br /></div>
<div>
Visit </div>
<div>
<span style="font-size: large;">https://www.facebook.com/messages/fbid of the minor</span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">The name of the minor appeared in the "To:" field.</span></div>
<div>
<span style="font-size: large;">I sent a "hi" without seeing any error, as usual.</span></div>
<div>
<span style="font-size: large;">Then I logged in to minor's account to check if the message was received. The message showed up right in their inbox.</span></div>
<div>
<span style="font-size: large;"><br /></span></div>
<div>
<span style="font-size: large;">The issue was fixed and I was awarded a bounty after it was reported to the security team.</span></div>
</div>
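The lesson of the post above is where the policy must be enforced: the compose page reached through a direct /messages/&lt;fbid&gt; URL still led to a message being delivered. The following added example (not Facebook's code) models the rule quoted in the post, that minors receive messages only from friends of friends or from people who hold their contact information, and applies it in the send handler itself rather than in the UI that renders the "To:" field. The social graph, the policy for adult recipients and all names (User, can_message, send_message, build_directory) are constructed.

```python
"""Recipient-side message policy enforced at the send handler.

Added example for this post, not Facebook's code. It models the rule quoted
above (minors receive messages only from friends of friends or from people
who hold their contact info) and makes the point the bug illustrates: the
check must run where the message is actually sent, so reaching the compose
page by a direct URL changes nothing. The graph and names (User,
can_message, send_message, build_directory) are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class User:
    uid: str
    is_minor: bool = False
    friends: Set[str] = field(default_factory=set)
    # uids of people who have this user's email address or phone number
    contact_holders: Set[str] = field(default_factory=set)


def friends_of_friends(user: User, directory: Dict[str, User]) -> Set[str]:
    fof: Set[str] = set()
    for fid in user.friends:
        fof |= directory[fid].friends
    fof.discard(user.uid)
    return fof


def can_message(sender: User, recipient: User, directory: Dict[str, User]) -> bool:
    """The quoted policy for minor recipients; adults are out of scope here."""
    if not recipient.is_minor:
        return True
    if sender.uid in recipient.friends:
        return True
    if sender.uid in friends_of_friends(recipient, directory):
        return True
    return sender.uid in recipient.contact_holders


def send_message(sender_uid: str, recipient_uid: str, text: str,
                 directory: Dict[str, User],
                 inboxes: Dict[str, List[Tuple[str, str]]]) -> bool:
    """The send endpoint itself applies the policy; the UI that rendered 'To:' is not trusted."""
    sender, recipient = directory[sender_uid], directory[recipient_uid]
    if not can_message(sender, recipient, directory):
        return False
    inboxes.setdefault(recipient_uid, []).append((sender_uid, text))
    return True


def build_directory() -> Dict[str, User]:
    # Constructed sample graph: minor 'm' is friends with 'f'; 'f' is friends
    # with 'fof'; 'c' holds m's contact info; 's' is a complete stranger.
    return {
        "m": User("m", is_minor=True, friends={"f"}, contact_holders={"c"}),
        "f": User("f", friends={"m", "fof"}),
        "fof": User("fof", friends={"f"}),
        "c": User("c"),
        "s": User("s"),
    }


if __name__ == "__main__":
    directory, inboxes = build_directory(), {}
    for who in ("s", "fof", "c", "f"):
        print(who, "-> m delivered:", send_message(who, "m", "hi", directory, inboxes))
    print("m's inbox:", inboxes.get("m", []))
```

A regression test for this class of bug is exactly the stranger case: a sender with no graph relation and no contact information must get a refusal from the send handler regardless of which page built the request.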