Facebook Security Issue

The times they are a-changin’.

This post seems to be older than 15 years—a long time on the internet. It might be outdated.

I really don’t know how much of an issue this is, but I was able to gain access to Quinn McGinnis’s Facebook account and change his stuff around (sorry Quinn).

Here’s how I did it:

  1. Download and install Ethereal, Firefox, and the Add ‘n Edit Cookies FF extension.
  2. Capture packets using Ethereal.
  3. Analyze packets for Facebook traffic; any traffic that is sent to Facebook is fine.
  4. You’re looking for the cookies set by Facebook that are transferred back to Facebook for verification.
  5. Using Firefox and AnEC, input the values for the following cookies: c_code, check_val, and c_user.
  6. Navigate to http://facebook.com; you should automatically be logged in.

Some notes:
I did this while both Quinn and I were on a Linksys wireless router, which means that our public-facing IP addresses were the same. I would suspect (and hope) that Facebook ties your current session to your IP. The c_code value is 32 digits long; I would guess that it’s probably an MD5 hash, but it could also be crc32. Both are easily (and natively) implemented in PHP, which Facebook uses.

I was thinking about how this could be solved, but I couldn’t think of anything, other than just using a pure SSL session. But that wouldn’t make much sense. I’ll also be submitting this information to Facebook on Monday.
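
In cookie terms, the "pure SSL session" mentioned above corresponds to serving the site over HTTPS and marking session cookies `Secure`, so they are never sent over a cleartext connection. The following is an added example, not code from the original post or from Facebook: a small audit of `Set-Cookie` headers for the three cookie names listed above. The header values, the `example.test` domain and the function names are constructed for illustration.

```python
# Added example: flag session cookies whose attributes allow cleartext exposure.
SESSION_COOKIES = {"c_code", "check_val", "c_user"}  # names taken from the post


def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, value, attrs); attr names lower-cased."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit(headers, session_names=SESSION_COOKIES):
    """Return {cookie_name: [problems]} for session cookies with weak attributes."""
    findings = {}
    for header in headers:
        name, _, attrs = parse_set_cookie(header)
        if name not in session_names:
            continue  # preference cookies and the like are out of scope
        problems = []
        if "secure" not in attrs:
            problems.append("no Secure: sent over plain HTTP, readable on a shared network")
        if "httponly" not in attrs:
            problems.append("no HttpOnly: readable by page scripts")
        if attrs.get("samesite", "").lower() not in ("lax", "strict"):
            problems.append("no SameSite=Lax/Strict: attached to cross-site requests")
        if problems:
            findings[name] = problems
    return findings


# Constructed sample headers: cleartext-style cookies, then the hardened form.
WEAK = [
    "c_user=1000001; path=/; domain=.example.test",
    "c_code=0123456789abcdef0123456789abcdef; path=/; domain=.example.test",
    "theme=blue; path=/",
]
HARDENED = [
    "c_user=1000001; Path=/; Secure; HttpOnly; SameSite=Lax",
    "c_code=0123456789abcdef0123456789abcdef; Path=/; Secure; HttpOnly; SameSite=Lax",
]

if __name__ == "__main__":
    print(audit(WEAK))
    print(audit(HARDENED))
```
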



3 thoughts on “Facebook Security Issue”

  1. From the Inboxen™ of Andrew Ferguson:

    Hey Mr. Ferguson,
    My name is Rachel C. and I read your article “Facebook Security Issue” after doing some surfing on the net because something peculiar happened yesterday as I was logging on to FB. I went to the login page and noticed that a friend of mine’s username was in the box instead of mine. Out of boredom I wanted to see how easy it would be to guess someone’s password. After only 2 guesses I had it. I wanted to see if it was a fluke or legit so I typed in someone else’s username and again after 2 guesses I was in. The strange thing about it though was after about 15 minutes the page refreshed and it asked for the password again. When I put it in …it was no longer the password. The only thing I could think of was that maybe that person had logged in and it kicked me out or that the person changed their password (but that’s really far stretched considering the likelihood of the day I actually log onto someone’s account that they decided to change their password??) So to make a long story short I downloaded Ethereal, Firefox and the Add N Edit Cookies program. I would like to know what’s the next step (I know in the article you listed the next step but I need for you to explain it further. Hey I’m a biology major NOT computer science!) including the step about configuring the cookies. Also, for some reason the Add N Edit Cookies program must not be compatible with my version of Firefox…can you tell me where I can get a version that is??? Again, cool article. Anxious to hear back from you.

    Response after the break!

  2. Rachel C.:

    Unfortunately, I am not going to be able to help you. I posted the information on my site as a public service announcement: a way to bring to light a security issue present in Facebook. I deliberately provided enough details so that someone who knows what they are doing can replicate and confirm my findings. As you state, you are not a CompSci major, thus your interest in this security issue is not of benign value to the CompSci world. Furthermore, attempting to perform this hack without knowing what you are doing can seriously damage your computer and could lead to criminal charges against you by Facebook, your ISP or school, and even your friend whose account you are trying to maliciously break into.
