In the year of 2014, an Nepali Security Researcher, Abhibandu Kafle, found a bug on Facebook that allows him to delete any unverified account (By unverified, he means those accounts who didnot yet verify their email address linked to facebook). Here's a little write-up on this bug by his own words.
Here is how I did it :
There is(was , now) this sign up function, which lets you create new facebook account. The twist is, when you use a facebook account that already has an account in facebook (with its email unverified), the response you get is :
When clicked on the "Insert the confirmation code instead" it lets you enter 5-digit number only code.
Pretty simple , eh?
Lets generate a dictionary from 00000 to 99999.
#!/usr/bin/env python
def add_zeros(end,tot):
zeros=''
while (len(zeros)<(len(tot)-len(end))):
zeros=zeros+'0'
return zeros+end
verification_code=5
code=''
path=raw_input(" where do you want to store your dictionary file. eg. D:\derp\foo.txt ")
loop_range=verification_code-len(code)
nines=''
for i in range(0,loop_range):
nines=nines+'9'
nine=int(nines)
fob=open(path,'w')
for i in range(0,nine+1):
j=str(i)
if len(j)<len(nines):
j=add_zeros(j,nines)
number=code+j+'\n'
fob.write(number)
fob.close()
print 'Generated and Saved!'
Now, straightforward stuff! I fired up Burp, "Swiss army knife" for me.
Notice something peculiar in the last request?
Yes, the response length changes to show that you've made the correct guess. (AJAX response in burp response says that).
Some math work :
possible password = 100,000
If , no. of requests = 100/sec
Time taken to find out "teh code" (worst case scenerio) = 15 minutes
The impact :
I could permanently delete any unverified facebook accounts within 15 minutes. You would try to recover using "password recover" feature but all your friends, PM's would be gone. You would have to create entirely new account.
All I had to do was squander my bandwidth (and sit back and relax).
How did I find out if an account was unverified?
Well, one way was to sign up using that email and see the response (if you are asked to enter confirmation code or not).
For a large number of emails, the other way was to enumerate facebook users first, to find out if the email had a facebook account and then use "Change email address field" to sort out which accounts have facebook associated with it and are still unverified.
8 hours later i got reply from Facebook Team and was patched within 3 days of submission, however they were making strange changes for about a month even after bounty payout (in their mobile platforms and mobile apps).
and a handsome bounty followed up:
Read more ...
