I really don’t know how much of an issue this is, but I was able to gain access to Quinn McGinnis’s Facebook account and change his stuff around (sorry Quinn).
Here’s how I did it:
- Download and install Ethereal, Firefox, and Add ‘n Edit Cookies FF extension.
- Capture packets using Ethereal
- Analyze the packets for Facebook traffic; any traffic sent to Facebook is fine.
- You’re looking for the cookies set by Facebook that are transferred back to Facebook for verification.
- Using Firefox and AnEC, input the values for the following cookies: c_code, check_val, and c_user
- Navigate to http://facebook.com; you should automatically be logged in.
I did this while both Quinn and I were on a Linksys wireless router, which means that both our public-facing IP addresses were the same. I would suspect (and hope) that Facebook ties your current session to your IP. The c_code value is 32 digits long; I would guess that it’s probably an MD5 hash, but it could also be crc32. Both are easily (and natively) implemented in PHP, which Facebook uses.
I was thinking about how this could be solved, but I couldn’t think of anything, other than just using a pure SSL session. But that wouldn’t make much sense. I’ll also be submitting this information to Facebook on Monday.
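Defender-side illustration, added here and not code from the post or from Facebook: a minimal server-side session store that binds the c_code cookie to the IP that created the session (the check the author hopes Facebook performs) and issues the cookie with the Secure flag so it is never sent over plain HTTP. Only the cookie names c_user and c_code come from the post; the store, function names and sample values are assumptions.

```python
"""Session binding and Secure cookies (added example, not the post's code)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user_id: str
    token_hash: str   # only a hash of c_code is kept server-side
    client_ip: str    # IP the session was created from


# Assumed in-memory store keyed by c_user; a real site would use a DB.
SESSIONS: dict[str, Session] = {}


def hash_token(token: str) -> str:
    return hashlib.sha256(token.encode()).hexdigest()


def create_session(user_id: str, client_ip: str) -> tuple[str, str]:
    """Log a user in: return the c_code value and the Set-Cookie header."""
    # 32 hex chars like the post's c_code, but unguessable random bytes,
    # not a hash of anything an attacker could recompute.
    token = secrets.token_hex(16)
    SESSIONS[user_id] = Session(user_id, hash_token(token), client_ip)
    # Secure: browser only sends it over TLS, so a LAN sniffer never sees it.
    # HttpOnly: page scripts cannot read it.
    header = f"Set-Cookie: c_code={token}; Secure; HttpOnly; Path=/"
    return token, header


def validate(c_user: str, c_code: str, client_ip: str) -> bool:
    """Accept a request only if the cookie pair matches a live session
    and the request comes from the IP that created it."""
    sess = SESSIONS.get(c_user)
    if sess is None:
        return False
    if not hmac.compare_digest(sess.token_hash, hash_token(c_code)):
        return False
    return sess.client_ip == client_ip


if __name__ == "__main__":
    tok, hdr = create_session("quinn", "203.0.113.5")   # constructed values
    print(hdr)
    print(validate("quinn", tok, "203.0.113.5"))        # same IP: True
    print(validate("quinn", tok, "198.51.100.9"))       # other IP: False
```

IP binding cannot tell apart two machines behind the same Linksys NAT, which is exactly the post's setup, since both present the router's public address; the Secure flag (cookie over TLS only) is the part that actually stops a sniffer from seeing c_code in the first place.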