Facebook bypass of the cache servers, Check who visits your profile !
News Source : ERGIO ARCOS
Summary
Let me explicate a safety flaw inwards Facebook inwards relation to their cache servers, which shape a layer betwixt the Internet together with internal multimedia content (photos together with videos uploaded). This ruling, allows access to raw browser requests of our friends, allowing individual information of these people ( web-bug ), or purpose equally a duo to lead keep payoff of other external vulnerability ( CSRF ).
Facebook together with intermediate layer
Many times yous lead keep seen this "use this application together with respect out who visits your profile, right?, Well, this volition e'er endure a fake, because Facebook is designed inwards a agency that makes it impossible. If yous look, when yous instruct upwards a photograph similar the profile, it is resized, compressed, together with stored on Facebook's ain server. Actually, in that place are hundreds of servers, which shape what is called a CDN . An illustration of profile photo:
http://profile.ak. fb .net/hprofile-ak-snc4/41513_1381714233_4208850_q.jpg cdn
If yous instruct to your Facebook account, yous aspect at the source code (Ctrl + U inwards Firefox), together with seek the sequence `fbcdn 'will endure full. And grace is this. What if yous purpose a computer programme similar ' Tamper Data ', yous volition come across that all requests instruct there.Nothing comes out.
The query is: Why? Because of this, Facebook volition relieve many safety issues (including privacy), gaining amount command over who goes together with where it goes (data mining). This is non a null terms to Facebook, but it actually is really costly financially.
Note that this is non the entirely 1 to do. Tuenti, for example, also has its ain CRC.
Process
The destination is to instruct a at nowadays link to the exterior without passing through the internal filter.
First, create a novel note. The content must endure at to the lowest degree the next code:
<img src="http://[dirección]" /> Once the banker's complaint is created, yous tin select who is the target of this. This is really of import because it volition endure critical to Pb the laid on to a specific someone or group:
Once created, if nosotros aspect at the source code, nosotros tin come across that was created nether the direction of the CRC:
:
Now nosotros tin instruct to our wall, which has auto-created a novel post, together with delete it. It is no use. What yous withdraw to practice is part the banker's complaint manually. We also lead keep to select amongst whom nosotros part it, equally nosotros did when creating it. Fix inwards code that is replicated.
It sent the code is raw, non replicas made when an icon or a video uploaded past times the typical way, which is at nowadays embedded. Facebook is wary of the images that move into through the department notes, are "ups", non external, then practice non pose whatever extra security.
The upshot is equally expected:
Utility
I come across two vectors of attack, but the imagination to power .
1) Retrieve information through a web-bug. Is to house your ain server dynamic file containing information (time, ip, user_agent, referer, ...) but posing equally an image. Here come upwards the mightiness laid (can) Facebook then that entirely instruct out the icon on your wall, which makes it possible to count how many visitors yous lead keep (woo!).
I've done a proof of concept at the marker of friends, together with in that place lead keep been many instances of surfing through Facebook Mobile, which is curious:
2) purpose the vulnerability to laid on other external sites that are vulnerable to CSRF. An illustration would endure able to move inwards a banking venture only past times making a at nowadays telephone telephone to 1 address, for example, http://url.ext/mover_dinero.php?de=XXX&a=XXX&cantidad=999999. Ideal for attacking survey systems, configuring the marker of visibility to `foo ', together with encouraging people to share. Know that it is possible to brand whatever calls to Facebook's this edifice on the Referer. ERGIO ARCOS have no intention non to try.
Endnotes
First, reassure everyone: "It's naught serious", equally is reported, together with all the information ERGIO ARCOS collected inwards the proof of concept are completely harmless. Facebook at this indicate is already protected.
I justice what struck me close is flora at a site then pop together with then audited, an mistake "so simple". ERGIO ARCOS suppose you've been lucky, but ERGIO ARCOS made illusion
Report
On March 17 afternoon, ERGIO ARCOS sensed vulnerability. On twenty-four hr menstruum 18, banking venture gibe together with flora how to exploit it. ERGIO ARCOS proof of concept for 3-4 hours, together with study the vulnerability to Facebook inwards the afternoon. Day xix but non all the same on Facebook to response my mail, ERGIO ARCOS come across this resolved. Then published the post, though ERGIO ARCOS uncertainty that "the study lead keep been resolved for me." ERGIO ARCOSdo non help too.
News Source : ERGIO ARCOS
Share This :
comment 0 Comments
more_vert