Sunday, December 25, 2011

Facebook security bypassed with One single link

Affected Application: Facebook.com
Exploit Platform: Remote
Impact: Full Access to Facebook profile
Severity: High
Author: Anand Pandey
Email: anandkpandey1 (at) gmail (dot) com
Video:
____________________________________________________________________

->Description:
• Accessing a Facebook account with just one single link, bypassing all the
security mechanisms implemented by Facebook to prevent unauthorised access
and to provide secure login to users.
• No way to track the unauthorized access or to know that someone accessed
your account (unless the intruder made some changes).
____________________________________________________________________

->What can it do?
It has the power to bypass all the security mechanisms applied by Facebook.
It does not require the username/password, won't present you with a
checkpoint, will not track your location (so no geographical-location-based
restrictions) and triggers no login review for the user. The user will not be
presented with any notification about whether he/she or someone else has
accessed the account, and most importantly, there will not be any active
session created or listed. So you will have full access to those resources
where the password is not required (because you don't have the password), and
there is no way anyone can track you, unless you make the mistake of changing
the profile picture or scream loudly ?
____________________________________________________________________

->How is this link generated?
This link is generated by Facebook for those who have registered their cell
phone on Facebook to receive notifications of activity on their accounts by
SMS. Facebook generates this link for the convenience of those mobile users
and sends it via SMS. You will receive a notification from Facebook stating
that XYZ has commented on your photo (with the comment made) and a direct link
to that photo, so you will not have to log in every time to view your photos,
the comments, or anything else reached through that particular link.
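The problem the advisory describes is a convenience link that carries enough authority to act as a full, untracked session. The example below is added here for illustration and is not Facebook's code or the author's; it shows the shape a notification deep link should take instead: an HMAC-signed token that names one user, one resource and one scope, expires after a short time, and records every redemption attempt in an audit trail. The host name, signing key, function names and the in-memory AUDIT_LOG are all constructed for the example.

```python
"""Scoped, expiring notification deep links (added example, not Facebook's code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed server-side signing key; a real deployment loads this from a secrets store.
SERVER_KEY = b"constructed-example-key-not-for-production"

# Constructed audit trail. The advisory's point is that the real links leave no
# trace, so every redemption attempt, allowed or denied, is recorded here.
AUDIT_LOG = []


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_notification_link(user_id: int, resource: str, now: float, ttl: int = 900) -> str:
    """Return a link whose token allows only viewing `resource` for `ttl` seconds.

    The token carries no session: it names one user, one resource and one scope
    and signs all of them, so it cannot be reused to reach other parts of the account.
    """
    claims = {"uid": user_id, "res": resource, "scope": "view", "exp": int(now) + ttl}
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    sig = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    token = _b64(payload) + "." + _b64(sig)
    return f"https://notify.example.invalid/{resource}?t={token}"  # hypothetical host


def token_from_link(link: str) -> Optional[str]:
    """Pull the `t` query parameter out of a notification link."""
    values = parse_qs(urlparse(link).query).get("t")
    return values[0] if values else None


def redeem_token(token: str, requested_resource: str, now: float, client_ip: str) -> Optional[dict]:
    """Verify a token for one request; return its claims on success, None otherwise.

    Every outcome is appended to AUDIT_LOG so the account owner can later see
    who used a link, from where and for what.
    """
    entry = {"ts": int(now), "ip": client_ip, "res": requested_resource, "ok": False}
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _unb64(payload_b64)
        sig = _unb64(sig_b64)
    except (ValueError, TypeError):
        entry["reason"] = "malformed"
        AUDIT_LOG.append(entry)
        return None
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        entry["reason"] = "bad-signature"
        AUDIT_LOG.append(entry)
        return None
    claims = json.loads(payload)
    if now > claims["exp"]:
        entry["reason"] = "expired"
    elif claims["res"] != requested_resource:
        entry["reason"] = "wrong-resource"
    elif claims["scope"] != "view":
        entry["reason"] = "wrong-scope"
    else:
        entry["ok"] = True
        entry["uid"] = claims["uid"]
    AUDIT_LOG.append(entry)
    return claims if entry["ok"] else None


if __name__ == "__main__":
    link = make_notification_link(42, "photos/123", now=time.time())
    print(link)
    print(redeem_token(token_from_link(link), "photos/123", time.time(), "198.51.100.7"))
    print(redeem_token(token_from_link(link), "settings/password", time.time(), "198.51.100.7"))
    print(AUDIT_LOG)
```

The design choice worth noting is that the token is bound to the resource named in the link rather than to the account: presenting it against any other path, after the TTL, or with a single altered signature bit is refused, and each refusal or success lands in the audit log with the client address, which is exactly the visibility the advisory says the real links lack.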
____________________________________________________________________

->Which notifications contain this link?
• Comment made on your photo.
• Comment made on your link.
• Comment made after yours on a photo or a link.
• Someone tagged you in a photo.


Read more: Full-disclosure

Posted via email from Jasper-Net