

I Can Detect Your Facebook Username, Using W3C Standard - homakov
http://homakov.blogspot.com/2013/02/url-detection-with-hash-history-i-know.html?

======
yason
It didn't work but I know why: I use a different browser for Facebook—not
because of these hacks but because Facebook itself is more invasive than any
of these tricks. I don't want to accidentally connect what I browse with
Facebook. I have a separate browser icon that launches:

    google-chrome --user-data-dir=/home/myaccount/.config/facebook-chrome

And that launches directly to Facebook. I keep Facebook stuff nicely contained
in that browser. I mostly just follow links out of Facebook. The real Chrome
never even knows that I'm on Facebook.

~~~
curiousdannii
I don't try to prevent Facebook from figuring out who I am or what I do. They
should have a huge amount of info about me, but their ads are still entirely
irrelevant.

~~~
damoncali
It's not the ads. It's the "I'm already logged into some random app and one
click away from accidentally doing something I don't want to do".

I've been using a separate browser for FB for quite a while now.

------
ansman
Isn't this the same guy who discovered the mass assignment bug in Rails last
year?

~~~
homakov
> who discovered the mass assignment bug

IMO mass assignment was discovered not last year. 2006 maybe?

------
justin_vanw
Cool story, followed link, tried example, it doesn't work at all. Either
Facebook fixed it, or it was crap.

~~~
homakov
I had a typo in the PoC, now it clearly works.

------
Qantourisc
Isn't it time browsers implemented a "safe" mode?

- Sharing cookies between tabs? Nope, unless you personally opened it in another
  tab, and expires as soon as you type in a new URL.
- Access to a URL on a different domain? Maybe, but certainly not to localhost.
- Font access? No.
- Plugin listing? No.
- Whatever the hell I don't know about: No.

Then either allow the user to whitelist the site, and/or allow certain parts.
Would it be easy for the user? No. Would we weed out a lot of issues? At least
a few!

~~~
lucian1900
That would break way too many things to be acceptable. Web technologies are
stupidly backwards compatible.

~~~
Qantourisc
I know ... but if you are going to be backwards compatible with security
flaws/designs ... cheese ... then it's never ever going to get fixed, and I'll
stop bothering making web-apps: no security future!

------
gee_totes
But can't you also find someone's username by hiding the facepile plugin from
the user, waiting for it to load, then pulling the username once it's loaded?

~~~
homakov
Not "pulling", detecting. Vuln is not severe but it is still fun!

------
stephengillie
This doesn't actually work. After allowing the popup, it just confirmed
whatever username I put into the text box.

~~~
p4bl0
Same for me, but I also note that whatever I put in the dialog, I get
redirected to my actual Facebook page.

Also, I had to allow popups.

~~~
Dunnorandom
<https://www.facebook.com/profile.php> always links to your actual Facebook
page, so being redirected there doesn't mean the PoC is working.

~~~
p4bl0
I know, I was implying it wasn't.

------
homakov
There was a typo in my code! Sorry, now updating

~~~
homakov
You can check only one username at a time now. There was some caching /
navigation bug which I don't have time to polish :( Also default timeout =
9000 now! Please test <http://homakov.github.com/fbdetect.html>

sorry again for buggy PoC!

------
splitbrain
Okay, maybe I was stupid but I couldn't find the link to the demo in the
article. Author posted it somewhere here in the comments:
<http://homakov.github.com/fbdetect.html>

So all this does is check if my username matches some preexisting username.
There's no way you can detect my username if you don't already know it.
Also even after I gave the demo my username, chrome simply blocked a popup and
the whole thing failed...

Either I don't get it or this is a lot less impressive than the title
suggests.

~~~
homakov
> chrome simply blocked a popup

Blocked is OK, just wait.

I said 'detect'. You can check against a predefined list of 10-50 friends.

------
klapinat0r
From what I gather, it would be useful for targeted attacks - bruteforce
wouldn't really be viable if your handle takes 50 years to generate in
javascript?

Not that it's hard to get people to click links, but am I missing what's so
"nifty" about this vuln?

------
Whitespace
Didn't work for me although I was logged in to facebook. Chrome 25.0.1364.99

~~~
throwaway54-762
Same, chrome 25.0.1364.97.

~~~
homakov
Guys, my bad - typo :(

~~~
throwaway54-762
WFM now =)

------
heroic
LOL, I entered my handle and it says I am not my handle!

------
aristus
www.facebook.com/whitehat/report/

First hit when you Google for [facebook report vulnerability]

~~~
homakov
1) It's minor but still fun. 2) Facebook is only a showcase; it's basically
UNFIXABLE.

------
daledavies
How much does it matter if you know my username? As long as you don't know my
password right?

------
slig
FWIW, it's still working.

~~~
homakov
It is buggy, but the concept is working. The thing is, THERE IS NO WAY TO FIX
IT, because it's a standard. And this is the fun part.

~~~
JSadowski
No way to fix it? Not that they should, but Facebook could just stop
redirecting www.facebook.com/profile.php to www.facebook.com/<username>

By making that change (and having no other way to hit a page that redirects to
my user page), there is no URL for the attacker to check against.

~~~
blakel
That probably breaks links though.

~~~
grey-area
Who needs to link to the current user's profile page without knowing it? Only
FB should have to do that and they know the profile page url. Other people
should be linking to the profile page directly only if they know it, not based
on which user is viewing. They should really have two profile URLs:

<http://facebook.com/profile.php> - private profile, no redirect

<http://facebook.com/some.user.name> - public profile (profile.php?id=123
could redirect here given an id so as not to break old links)

To fix this FB could stop doing this redirect entirely as it leaks information
about the current user's session, and should not be necessary. I'm sure it'll
break someone's links, somewhere, but it was a bad idea to begin with, and
related is this old trick which lets you view a very popular profile:

<http://facebook.com/profile.php?=112398345098345>

All that should be required is a public profile url which can be shared (if
you wish) or not, and a private profile url, and the url of the private
profile should be generic and not redirected, so that it doesn't leak info in
this way, and because it's not the same as a public profile anyway.

~~~
nadaviv
The problem with that is that different people viewing the same URL
(/profile.php) get a different resource. What happens if someone gives a link
to his profile.php over IM or something, expecting it to show his own profile?
The URL the user is shown in the address bar should represent the current
resource being viewed.

A better solution could be to replace links to profile.php with direct links
to the real profile URL, and just kill that profile.php redirection.

~~~
grey-area
In the same way that different people viewing:

<http://facebook.com/>

see a different resource? For a web app like FB I don't think this is avoidable.
All data served is dependent on who you are when you are logged in.

For another example of how to handle this better, see Twitter:

twitter.com - the user's feed, content differs for each user

twitter.com/username - the user's public url, for sharing, a proper URI which
everyone can use

twitter.com/settings/profile - the user's private profile, content differs for
each user

I agree they shouldn't need that redirection with no id supplied and I suspect
it's just a legacy of the original way of showing profiles (profile.php?id=n),
they could just redirect it to root instead (shows the same as profile.php it
seems) to avoid leaking state.
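
The two designs grey-area and nadaviv discuss above, as an added example that is not code from this thread or from Facebook: a pure-Python stand-in for a web router (no framework assumed) that serves the leaky pattern, a bare /profile.php redirecting each viewer to their own public URL, beside the hardened one, where the private profile is rendered in place at one generic URL and only the id-based legacy link still redirects, because its target depends on the id rather than on the session. It also includes a small review check that requests a URL as two different logged-in users and flags any route whose redirect differs between them. The user directory, handles and ids are constructed sample data.

```python
from dataclasses import dataclass
from typing import Callable, Optional
from urllib.parse import parse_qs, urlsplit

# Constructed sample directory: legacy numeric profile id -> public handle.
USERS_BY_ID = {123: "some.user.name", 456: "another.user"}


@dataclass
class Response:
    status: int
    location: Optional[str] = None  # only set on 3xx responses
    body: str = ""


def _legacy_id_redirect(query: str) -> Optional[Response]:
    """profile.php?id=N is safe to redirect: the target is a function of the
    public id in the URL, not of who is viewing it, so old links keep working.
    Returns None when no id was supplied."""
    ids = parse_qs(query).get("id")
    if not ids:
        return None
    handle = USERS_BY_ID.get(int(ids[0])) if ids[0].isdigit() else None
    if handle is None:
        return Response(404, body="no such profile")
    return Response(301, location=f"/{handle}")


def leaky_router(url: str, session_user: Optional[str]) -> Response:
    """The design the thread criticises: a bare /profile.php redirects the
    viewer to their own public URL, so the Location header encodes session
    state that can be compared against a guessed handle."""
    parts = urlsplit(url)
    if parts.path != "/profile.php":
        return Response(404)
    legacy = _legacy_id_redirect(parts.query)
    if legacy is not None:
        return legacy
    if session_user is None:
        return Response(302, location="/login")
    return Response(302, location=f"/{session_user}")  # per-viewer target


def hardened_router(url: str, session_user: Optional[str]) -> Response:
    """The design grey-area and nadaviv describe: the private profile lives at
    one generic URL rendered in place for every viewer; public profiles are
    reached only through links that already name the handle."""
    parts = urlsplit(url)
    if parts.path != "/profile.php":
        return Response(404)
    legacy = _legacy_id_redirect(parts.query)
    if legacy is not None:
        return legacy
    if session_user is None:
        return Response(302, location="/login")  # same target for everyone
    # No redirect: the address bar stays /profile.php whoever is logged in.
    return Response(200, body=f"<h1>Your profile</h1><p>Public URL: /{session_user}</p>")


def redirect_depends_on_session(router: Callable[[str, Optional[str]], Response],
                                url: str) -> bool:
    """Review check: fetch the URL as two different authenticated users
    (constructed names) and flag it if the status or redirect target differs,
    which means the redirect is leaking session state."""
    alice, bob = router(url, "alice"), router(url, "bob")
    return (alice.status, alice.location) != (bob.status, bob.location)


if __name__ == "__main__":
    for name, router in (("leaky", leaky_router), ("hardened", hardened_router)):
        for url in ("/profile.php", "/profile.php?id=123"):
            flagged = redirect_depends_on_session(router, url)
            print(f"{name:8} {url:22} session-dependent redirect: {flagged}")
```

The check deliberately compares two authenticated users rather than an authenticated and an anonymous one: sending everybody who is logged out to the same /login page is a redirect that does not depend on who the viewer is, and only per-user targets are the problem the thread is about.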

------
bhushanmore
very nice

