Facebook Security Issue

This post seems to be older than 18 years—a long time on the internet. It might be outdated.

I really don’t know how much of an issue this is, but I was able to gain access to Quinn McGinnis’s Facebook account and change his stuff around (sorry Quinn).

Here’s how I did it:

  1. Download and install Ethereal, Firefox, and the Add ‘n Edit Cookies FF extension.
  2. Capture packets using Ethereal.
  3. Analyze packets for Facebook traffic; any traffic that is sent to Facebook is fine.
  4. You’re looking for the cookies set by Facebook that are transferred back to Facebook for verification.
  5. Using Firefox and AnEC, input the values for the following cookies: c_code, check_val, and c_user.
  6. Navigate to http://facebook.com; you should automatically be logged in.

Some notes:
I did this while both Quinn and I were on a Linksys wireless router, which means that our public-facing IP addresses were the same. I would suspect (and hope) that Facebook ties your current session to your IP. The c_code value is 32 digits long; I would guess that it’s probably an MD5 hash, but it could also be crc32. Both are easily (and natively) implemented in PHP, which Facebook uses.

I was thinking about how this could be solved, but I couldn’t think of anything, other than just using a pure SSL session. But that wouldn’t make much sense. I’ll also be submitting this information to Facebook on Monday.
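
The two mitigations mentioned above, as an added example that is not part of the original post: a small Python model showing that binding a session to the client's public IP does not separate two users behind the same router, while the cookie `Secure` attribute keeps the cookie off plaintext HTTP. The cookie names come from the post; the values, attributes, IP addresses and the server-side check are constructed assumptions, not Facebook's actual logic.

```python
from http.cookies import SimpleCookie
from ipaddress import ip_address

# Constructed Set-Cookie headers. Cookie names come from the post; values,
# attributes and addresses are made up for illustration.
HEADERS = {
    "c_user": "c_user=1000001; Path=/",
    "c_code": "c_code=0123456789abcdef0123456789abcdef; Path=/; HttpOnly",
    "check_val": "check_val=abc123; Path=/; Secure; HttpOnly",
}
NAT_PUBLIC_IP = "203.0.113.7"     # both laptops behind one wireless router
OTHER_PUBLIC_IP = "198.51.100.9"  # a client on a different network


def cookie_flags(header):
    """Parse one Set-Cookie value and return its Secure/HttpOnly flags."""
    jar = SimpleCookie()
    jar.load(header)
    morsel = next(iter(jar.values()))
    return {"secure": bool(morsel["secure"]), "httponly": bool(morsel["httponly"])}


def still_valid_elsewhere(header, session_ip, request_ip, bind_to_ip=True):
    """Model: would a cookie seen in plaintext traffic be honoured from request_ip?

    Assumes the server's only extra check is comparing public source addresses.
    """
    if cookie_flags(header)["secure"]:
        return False  # browser never sends it over http://, so it is not on the wire
    if bind_to_ip and ip_address(session_ip) != ip_address(request_ip):
        return False  # IP binding rejects a client on another network
    return True       # same public IP (shared NAT) or no binding at all


def report():
    """Summarise each sample cookie for a same-NAT and an off-network client."""
    return {
        name: {
            "same_nat": still_valid_elsewhere(h, NAT_PUBLIC_IP, NAT_PUBLIC_IP),
            "other_net": still_valid_elsewhere(h, NAT_PUBLIC_IP, OTHER_PUBLIC_IP),
        }
        for name, h in HEADERS.items()
    }


if __name__ == "__main__":
    for name, result in report().items():
        print(name, result)
```

In this model only the cookie marked `Secure` is safe from a client on the same router; IP binding alone changes the outcome only for a client on a different network.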
