
How I hacked unverified Facebook accounts  - Daremasto
http://hak-it.blogspot.com/2014/05/how-i-hacked-your-unverified-facebook.html
======
rhgraysonii
I love seeing posts like this that go into the blackhat but executed properly
sort of things. The fact you exposed it, went through the bounty program, and
shared the knowledge is great. It just continues to give insight into other
firms as to how they can prevent such burning issues. Great post, thanks :)

~~~
Abhibandu
Thanks for the appreciation mate!

------
grecy
I'm surprised they didn't have some kind of request throttling to stop you
trying 100 codes a second.

~~~
Abhibandu
Exactly, mate!

------
dror
1. Codes should be like passwords. If they're guessable, they're no good.
2. All operations, including signing in, verifying the account, etc. should be
rate shaped. The more you try, the longer you have to wait till you can try
again.

~~~
Abhibandu
And it was missing on Facebook. That was the issue.

------
ecesena
Could you elaborate on the countermeasures taken? The takeaway seems to be: 1.
rate limit the "verify you email" requests, and 2. have enough entropy for the
activation codes.

Another possibility is also not to log the user in after successful activation
(i.e., mark the email as active, but don't give access to the account), but
I've never seen anyone behaving like this.

Moreover, sensitive operations, like changing settings or deleting the
account, should be password-protected (so that, even if logged in, the
attacker couldn't damage too much).

Anything else that I'm missing?
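
The two countermeasures this thread converges on, codes with password-grade entropy and rate shaping that lengthens the wait after every failed attempt, together with the suggestion to mark the e-mail active without creating a session, as an added Python example; it is not code from the original post or from Facebook, and the class, its parameters and the in-memory store are assumptions.

```python
import hashlib, hmac, math, secrets, string

ALPHABET = string.ascii_letters + string.digits      # 62 symbols per position

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in a uniformly random code: 5 decimal digits is only ~16.6 bits."""
    return length * math.log2(alphabet_size)

class VerificationStore:
    """Issues e-mail activation codes and rate-shapes verification attempts per address.
    Assumed in-memory design for illustration; a real service would persist this state."""
    def __init__(self, code_len=24, base_delay=1.0, max_delay=3600.0, ttl=900.0):
        self.code_len, self.base_delay = code_len, base_delay
        self.max_delay, self.ttl = max_delay, ttl
        self.pending = {}   # email -> {"digest", "expires", "failures", "next_allowed"}
        self.verified = set()

    def issue(self, email: str, now: float) -> str:
        # secrets (CSPRNG) over a 62-symbol alphabet: 24 chars is ~143 bits, not 5 digits
        code = "".join(secrets.choice(ALPHABET) for _ in range(self.code_len))
        # keep only a digest, so a leaked table cannot be replayed as live codes
        self.pending[email] = {"digest": hashlib.sha256(code.encode()).hexdigest(),
                               "expires": now + self.ttl, "failures": 0, "next_allowed": now}
        return code  # delivered out of band by e-mail; never echoed to the requester

    def attempt(self, email: str, code: str, now: float) -> str:
        rec = self.pending.get(email)
        if rec is None or now > rec["expires"]:
            return "expired_or_unknown"
        if now < rec["next_allowed"]:
            return "rate_limited"            # caller must wait; no comparison is even made
        digest = hashlib.sha256(code.encode()).hexdigest()
        if hmac.compare_digest(digest, rec["digest"]):
            del self.pending[email]
            self.verified.add(email)         # e-mail marked active only; no login session here
            return "email_verified"
        rec["failures"] += 1
        # rate shaping: each failure doubles the wait (1s, 2s, 4s, ...) up to max_delay
        rec["next_allowed"] = now + min(self.max_delay,
                                        self.base_delay * 2 ** (rec["failures"] - 1))
        return "wrong_code"
```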

~~~
Abhibandu
Kindly refer to the comments in the post itself.

------
vrikis
I really don't get this... Maybe I'm just not clever enough, but this is
referring to verification of the email address, right?

I wonder how many users don't ever verify their email address though...
Couldn't Facebook instead just make you verify it? i.e. not allow / limit use
of service until you've verified your email address?

------
lucb1e
Attempted to comment but it just clears the form without doing anything it
seems (perhaps stuck in mod queue? If so, it's invisible).

What I wanted to ask is what info Facebook wants from you before paying out,
besides your Paypal email address of course.

~~~
Marshall-scales
don't know but it must be bad coz everyone wants money these days

~~~
Abhibandu
Is "wanting money" bad? Or is the write-up bad? Or is humanity bad? Please
make yourself clearer!

------
pearjuice
What's so secret about the value of the bounty that it has to be spoilered?

~~~
Abhibandu
Privacy issues. :)

------
nikcub
you can replace your python code with:


    $ seq -w 1 99999 > outfile.txt   # one zero-padded 5-digit value per line (default separator is newline)


also, burp has a generator built into the intruder to create these types of
payloads. it is very powerful.

------
kevinwang
How did you delete accounts by confirming their email address?

~~~
Abhibandu
The attacker gets hold of the account associated with the email. If you associated
an email with another account, the existing account was _deleted_.

