

How I Hacked Facebook’s Secure Files Transfer Service for Employees - denysonique
http://www.nirgoldshlager.com/2013/01/how-i-hacked-facebook-employees-secure.html

======
mocko
This is an example of how a competent cracker (as opposed to a script kiddie)
works. He's:

1) Identified a badly protected side entrance to use rather than the front
door

2) Painstakingly researched the third party product (similarly one could
investigate a third party library used in a bespoke codebase)

3) Figured out the adaptations the target organisation had made to it and
guessed some mistakes they'd made

4) Eventually hit on a cookie modification attack made possible by limitations
found in that publicly-available codebase.

Smart.

~~~
MojoJolo
Let's also add the fact that he reported it so that it can be fixed
immediately. :)

~~~
tripzilch
While certainly commendable, it does not make the difference between a script
kiddie and a competent cracker :)

------
MichaelGG
"This Version of ionCube was not vulnerable to a possible decryption"

Does he just mean "this version doesn't have a readily available dissassembler
yet"? Even if they chose the path of compiling to native code, if you own the
box, it can't be that hard to get the code.

~~~
maqr
I wish he'd gone down this route further. It looks like there's code at the
top of the file that "decrypts" (decodes?) the contents of the PHP file. I'd
be curious why he felt this wasn't worth reversing.

I'm also curious if there's a way to dump 'disassembled' PHP after it's been
loaded into the PHP processor. If it's going through eval() at the end, then
shouldn't the plain-text source be available in a string somewhere?

~~~
0x0
I believe these obfuscators work by forcing you to install a binary-only .so
zend extension in php.ini, which intercepts these encoded files. The files
themselves should decode to already-halfway-parsed PHP opcodes or so, which is
probably injected into the PHP/Zend virtual machine.

Figuring out the encoding scheme is probably a lot of boring disassembly work,
which in the end just lets you decode a bunch of PHP opcodes which themselves
would take a lot of work to make sense of.

But perhaps the Vulcan Logic Dumper could help out a little bit.
<http://derickrethans.nl/projects.html#vld>

------
Dylan16807
I like this but what the hell is the problem with base64?

'Still alive these day?'?

It's useful for what it does, always has been, never been a security feature.

~~~
CountHackulus
The problem is that they're using it for encryption.

~~~
Nitramp
They are using it to make sure the value doesn't interfere with the syntax of
HTTP headers, i.e. for escaping, not for encryption. That's exactly what
base64 is for. They simply have no encryption at all.

~~~
rplnt
Can email interfere with HTTP headers though? There's no \r\n, ";" or "=" in
valid email.

Anyway, I have seen sites where it was used as a security measure. Or so the
authors thought I guess. Storing login password in url parameter? Seems safe
if it is encoded.. But it was years ago.

~~~
ddunkin
It sounds like you confused encoded with encrypted, encoded is no different
than plain-text. The encoding is just to get a valid string for the URI (so a
password can contain special URI characters) and is instantly reversible.

~~~
rplnt
No, I haven't. Should have put the "security measure" in the quotes.

------
dmak
Why does an enterprise level SaaS have such weak security? It is a rookie
mistake for a company who emphasizes security.

~~~
fleitz
I don't think you've worked with many 'enterprise' level software products.
Enterprise basically means has a salesforce willing to slog through an RFP.

------
ing33k
I understand that facebook has other important things to do ,than create their
own file sharing service( for internal purpose ), but I can't stop asking this
question, why not create their own thing ?

~~~
0x0
Well you pretty much answered your own question, didn't you?

Surely it is cheaper to buy an off-the-shelf solution, instead of spending a
lot of money on wasting engineering time building and supporting a product
that is not core to their mission.

------
cool-RR
I'm confused. This looks like an interesting hack, but I don't understand
what's going on here, despite reading the post 4 times and watching the video
twice.

What is this "Password Recovery" page? Is this for emailing a person a reset
link to a password? Is it for changing your password? What is the cookie used
for? What is the flawed logic in the system?

Can anyone explain this more clearly please?

~~~
benmanns
I think the process was that a user was sent a 'forgot password' link. When
they clicked the link, they were redirected to `wmPassupdate.html` with the
cookie `referer={base64(email)}` set. Then, when users submit the password
update form, the `referer` cookie is used to authenticate them, but it can be
trivially generated.

~~~
recuter
tptacek will be shortly along to explain how password reset links are typical
and one of the most common mistakes.

How you should just "take the hit" (the cost is trivial) and store a randomly
generated nounce in your database rather then do shenanigans like encoding
user information in the url with secrets and bad cryptography and what not.

See? We listen! :)

~~~
lbotos
Do you have any examples of someone further explaining what you are
suggesting? Or if you have time, can you further elaborate on this point? I
glanced at the nounce article on wikipedia and if I understand correctly you
are suggesting:

1) user creates account (which generates nounce)

2) when password resetting via email auth via nounce.

3) when password is reset regen nounce

Is that right? Just trying to better understand what appears to be a good
approach to password resets.

~~~
recuter
Here's a recent post of somebody else channeling tptacek:
<http://news.ycombinator.com/item?id=4940291>

I got it from a quick 'password reset' search here, I recall a lot of these
discussions, if you're curios click around on a few more results. :)

------
denysonique
Here is another Facebook vulnerability, a more serious one -- a password reset
bug: [http://chingshiong.blogspot.in/2013/01/facebook-
bug-4-passwo...](http://chingshiong.blogspot.in/2013/01/facebook-
bug-4-password-reset.html)

------
secure
For a non-facebook user/employee, can someone please explain which service
that is?

~~~
davidradcliffe
Internal company file sharing.

~~~
duck
Not just internal, but external as well. Instead of emailing a large file to a
vendor, you would send them a link.

~~~
davidradcliffe
Oh true!

------
bmohlenhoff
The date in the last screenshot (19/3/2012) doesn't match the date in the rest
of the images (7/1/2013).

~~~
bradleyland
The last screenshot is a capture of Windows Media Player playing back a
desktop video capture session; basically screenshot inception. The author
provides no information on timelines, so it's likely that he found this
exploit back in March of 2012, but is just releasing the write-up now.

------
bcl
Depending on user supplied data for password changes? Not a good idea...

------
dreamdu5t
_Soon i will publish OAuth bypass in Facebook.com, Cya Next time!_

hrm?

------
el_duderino
Windows Media Player?

O_o

~~~
kingdm
What's wrong with WMP? :)

