One Link Facebook (Anand Pandey)
DESCRIPTION
ClubHack 2011 Hacking and Security Conference. Talk - One Link Facebook. Speaker - Anand Pandey
TRANSCRIPT
One Link
Access the account without restriction with just one link
Anand K. Pandey
• Social networking website
• Founded in February 2004 by Mark Zuckerberg
• Used to interact with friends and colleagues and to make new friends
• Gets 10 billion hits per day
• Second most visited site
• More than 800 million active users
• More than 250 million photos are uploaded daily
• More than 900 million objects that people interact with
Number of active users (chart; y-axis: Number of users, in million)
• 2007: 50
• 2008: 100
• 2009: 350
• 2010: 500
• 2011: 750
20 Minutes of Facebook (chart; figures use Indian digit grouping)
• Link Shared: 10,00,000 (1,000,000)
• Event Invites: 14,84,000 (1,484,000)
• Friend Request Accepted: 19,72,000 (1,972,000)
• Photos Uploaded: 27,16,000 (2,716,000)
• Message Sent: 27,16,000 (2,716,000)
• Tagged Photos: 13,23,000 (1,323,000)
• Status Update: 18,51,000 (1,851,000)
• Wall Posts: 15,87,000 (1,587,000)
• Comment Made: 1,02,08,000 (10,208,000)
Facebook in News
• Massive hack/spam attack
• Facebook tracks users' activity
• Anonymous threatens Facebook
Facebook Security
• Unique Username
• Password
• Check Point
• Geo Location Restriction
• Login review
Direct Link
• One single link
• Bypass all security points
  • Username
  • Password
  • Check points
  • Geo location restriction
• You receive one when someone
  • Comments on your photo
  • Comments on your link
  • Tags you
  • Comments after you
Type 1
• Parameters
  • pid – Photo id
  • id – FB id of user who commented
  • mlid – FB id of target user
  • l (s52giOr8) – Secret key
http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
Type 2
• Parameters
  • share_id – FB id for sharing the link
  • mlid – FB id of target user
  • l (s59gpZr8) – Secret key
http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx
Type 3
• URL shortening
• Contains 14 random alphanumeric characters
• Used specifically for shortening the magic link sent via SMS when someone comments on your link
• Database of random FB accounts with magic link
http://fb.me/xxxxxxxxxxxxxx
Type 4
• URL shortening
• Contains “id” and “l”
• The series of “x” is the FB id of the user who commented on your photo
• The series of “y” is the special key
• Used specifically for shortening the direct link sent via SMS when someone comments on your photo
http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy
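The four link shapes above all carry a bearer credential in the URL itself: the `l` parameter (Types 1 and 2), the whole 14-character token (Type 3) or the key after the dot (Type 4). Anything that stores or forwards such a URL (mail archives, proxy logs, SMS gateways, shared screenshots) is therefore storing account access. The following Python is an added example, not code from the talk or from Facebook: it recognises the four shapes as the slides describe them and redacts the secret part before a URL is logged. The regular expressions, the host names and the numeric ids are assumptions taken from the slide text; the two `l` values are the ones shown on the slides.

```python
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Patterns for the four link shapes described in the talk. They are an assumption:
# they encode only what the slides show, not a documented Facebook URL format.
FBME_SHORT = re.compile(r"^/([A-Za-z0-9]{14})$")        # Type 3: fb.me/<14 alphanumerics>
FBME_PHOTO = re.compile(r"^/p/(\d+)\.([A-Za-z0-9]+)$")  # Type 4: fb.me/p/<commenter id>.<key>


def classify(url):
    """Identify which of the four direct-link shapes a URL matches.

    Returns (link_type, fields) or (None, {}). fields["secret"] is the part that
    acts as the credential and must never be written to a log."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    q = dict(parse_qsl(parts.query))
    if host == "m.facebook.com":
        if parts.path == "/photo.php" and {"pid", "id", "mlid", "l"} <= q.keys():
            return "type1", {"pid": q["pid"], "id": q["id"], "mlid": q["mlid"], "secret": q["l"]}
        if parts.path == "/story.php" and {"share_id", "mlid", "l"} <= q.keys():
            return "type2", {"share_id": q["share_id"], "mlid": q["mlid"], "secret": q["l"]}
    if host == "fb.me":
        m = FBME_SHORT.match(parts.path)
        if m:
            return "type3", {"secret": m.group(1)}
        m = FBME_PHOTO.match(parts.path)
        if m:
            return "type4", {"id": m.group(1), "secret": m.group(2)}
    return None, {}


def redact(url):
    """Replace the credential-bearing part with a fixed marker so the URL can be
    logged or shared without handing out account access."""
    link_type, fields = classify(url)
    if link_type is None:
        return url
    parts = urlsplit(url)
    if link_type in ("type1", "type2"):
        query = [(k, "REDACTED" if k == "l" else v) for k, v in parse_qsl(parts.query)]
        return urlunsplit(parts._replace(query=urlencode(query)))
    if link_type == "type3":
        return urlunsplit(parts._replace(path="/REDACTED"))
    return urlunsplit(parts._replace(path=f"/p/{fields['id']}.REDACTED"))


def scan_lines(lines):
    """Scan text (mail bodies, proxy logs, chat exports) and report every direct
    link found as (line number, type, target mlid if known, redacted URL)."""
    url_re = re.compile(r"https?://[^\s\"'<>]+")
    hits = []
    for n, line in enumerate(lines, 1):
        for url in url_re.findall(line):
            link_type, fields = classify(url)
            if link_type:
                hits.append((n, link_type, fields.get("mlid"), redact(url)))
    return hits


# Constructed sample input: the ids are made up; the two keys are the values shown on the slides.
SAMPLE = [
    "notification: http://m.facebook.com/photo.php?pid=123456&id=100000000000001&mlid=1000000002&l=s52giOr8",
    "sms: http://fb.me/p/100000000000001.s59gpZr8 new comment",
    "unrelated: http://example.com/photo.php?pid=1&l=abc",
]

if __name__ == "__main__":
    for hit in scan_lines(SAMPLE):
        print(hit)
```

The scanner deliberately keeps `mlid` in its report: that tells the defender whose account a leaked link would open, which is what an incident responder needs, while the secret itself is gone from everything that persists.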
What you can do
• Brute-force or social-engineer the direct URL
• Brute-force the shortened URL to hit random accounts with full access
• Remember the most important parts:
  • FB user ID (mlid)
  • Secret key (l)
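The slide lists what an attacker gains from the two values; the defender's lever is how the secret behind `l` is built, because a static per-user key is what makes a single link equivalent to the password, the check points and the geo restriction combined. The following Python is an added example of my own design, not Facebook's code and not a fix the talk proposes: the weak pattern (one reusable per-user key, eight characters as on the slides) beside a token that is random, stored only as a keyed hash, bound to the user and the object the link opens, time-limited and removed on first use. The user id, the target names and the clock injection are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qsl, urlsplit

# Constructed server-side secret; a real deployment would load it from a secret store.
SERVER_KEY = secrets.token_bytes(32)


def param(link, name):
    """Read one query parameter from a relative link (helper for the demo and the checks)."""
    return dict(parse_qsl(urlsplit(link).query)).get(name)


class StaticKeyLinks:
    """The pattern the talk describes: one per-user secret (`l`), reused in every
    notification link, that logs the holder in with no further checks."""

    def __init__(self):
        self.user_keys = {}  # mlid -> static key

    def issue(self, mlid, target):
        key = self.user_keys.setdefault(mlid, secrets.token_urlsafe(6))  # 8 characters, as on the slides
        return f"/{target}?mlid={mlid}&l={key}"

    def redeem(self, mlid, l):
        # Valid for any target, from any location, any number of times, for ever.
        return self.user_keys.get(mlid) == l


class OneTimeLinks:
    """Hardened alternative (my design, not Facebook's): the token is random, stored
    only as a keyed hash, bound to the user and the object the link points at,
    expires after TTL seconds and is removed from the store on first use."""

    TTL = 15 * 60

    def __init__(self, clock=time.time):
        self.pending = {}   # digest -> expiry timestamp
        self.clock = clock  # injectable so expiry can be tested deterministically

    @staticmethod
    def _digest(mlid, target, token):
        msg = f"{mlid}|{target}|{token}".encode()
        return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

    def issue(self, mlid, target):
        token = secrets.token_urlsafe(32)
        self.pending[self._digest(mlid, target, token)] = self.clock() + self.TTL
        return f"/{target}?mlid={mlid}&t={token}"

    def redeem(self, mlid, target, token):
        # pop() makes a valid token single-use; a mismatched user, target or token
        # finds no entry, and the stored digests are useless without the token itself.
        expiry = self.pending.pop(self._digest(mlid, target, token), None)
        return expiry is not None and self.clock() <= expiry


if __name__ == "__main__":
    weak = StaticKeyLinks()
    link = weak.issue("1000000002", "photo.php")  # constructed user id
    key = param(link, "l")
    print("static key, used twice:", weak.redeem("1000000002", key), weak.redeem("1000000002", key))

    strong = OneTimeLinks()
    link = strong.issue("1000000002", "photo.php")
    tok = param(link, "t")
    print("one-time token, used twice:", strong.redeem("1000000002", "photo.php", tok),
          strong.redeem("1000000002", "photo.php", tok))
```

Even the hardened token only answers the reuse and lifetime problems; a link that lands in an SMS or a mail client is still a credential in transit, so the object it unlocks should be the single photo or story, not the whole session, and redeeming it should not silence the login review described earlier.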