
How I Hacked Any Facebook Account Again - goldshlager
http://www.nirgoldshlager.com/2013/03/how-i-hacked-any-facebook-accountagain.html?
======
sharkweek
As someone who is nowhere near skilled enough to do any such things, I am so
impressed with these types of posts, very interesting stuff. I can also
appreciate that you directly reported these vulnerabilities to FB.

~~~
joering2
Well, I will be skeptical.

As the past of white-hat hackers shows, keep hacking but shut up! Because
even if you tell the author you found a way to get into their system and you
haven't caused any damage, they sure will come after you in a legal way.

In the example here, not only does the author prove time after time that there
are serious holes in FB's auth system, but he is also very happy to blog about
it. You see, FB is a publicly traded company. The management answers to
stockholders and the board. If some Joe Hacker keeps finding holes in the
system, someone somewhere reading that blog may be thinking of abandoning the
FB platform due to its security layer looking like Swiss cheese. And management
doesn't like that, because fewer users == fewer eyeballs for $.

My gut tells me, if this guy did not get an offer to work for Facebook just
yet, it means they are building a lawsuit against him, as you know perfectly
well that FB's TOS forbid anyone from fiddling with any of their URLs.

~~~
JonnieCache
_"it means they are building a lawsuit against him, as you perfectly know FB
TOS forbids anyone from fiddling with any of their URLs."_

Not true: <http://www.facebook.com/whitehat/>

~~~
joering2
_If you give us a reasonable time to respond to your report before making any
information public and make a good faith effort to avoid privacy violations,
destruction of data and interruption or degradation of our service during your
research, we will not bring any lawsuit against you or ask law enforcement to
investigate you._

Only question -- who decides what is a "reasonable time"? Because something
tells me it's not the hacker, it's Facebook itself.

~~~
rmc
"reasonable whatever" is often used in laws/courts/contracts. Lawyers and
judges are used to interpreting this. If Facebook were to sue you, you could
start talking about it as part of your defence.

Additionally, Facebook needs to be seen to be reasonable and have a proper
'whitehat' policy. If they start being mean and dictatorial here, then there
will be a breakdown in social trust. People won't report bugs to Facebook,
people will sell vulnerabilities on the black market. People will release
exploits before telling Facebook. It will, eventually, be bad for Facebook.

------
c-oreills
How much bounty did this net you?

~~~
erinm
Yeah, I am puzzled why so many hackers give away their work for free (or for a
to-be-determined bounty).

Are they doing it just for fun, as a hobby, and making so much money in their
other jobs that they don't care?

~~~
vgyjh
Maybe it's because some people are genuinely good people. That, and anyone in
a collaborative field would gladly welcome beneficial tweaks to their product.
Karma.

~~~
rapind
Sure, but the beneficiary is a company, and publicly held at that. You're
implying that the inverse is true, that not sharing exploits with a company
whose sole purpose is to accumulate money somehow makes you a bad guy. It
doesn't. That's like saying I should code for free in order to be a good guy.

------
cronin101
Nice to see the combination of a determined White Hat attacker and the
responsive FB development team ready to fix vulnerabilities.

~~~
martinced
Yes but it's sad to see yet another OAuth SNAFU.

At which point should people consider _not_ using a technology which has been
repeatedly exploited and start using something where security has been thought
about from the start?

Because we all know that the article _"How I hacked FB using OAuth a 3rd
time"_ _is_ coming...

~~~
cronin101
This isn't really a generic OAuth bug though. This stems from the fact that
you can trick the redirection scheme that Facebook uses into thinking that you
are the legitimate owner of an application whilst using your own backend-flow
URL.

This isn't going to affect 99.999% of OAuth implementations and arguably just
shows that Facebook made an error in their design.
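
As an added illustration of the design point above (this is example code, not Facebook's implementation, and the app registry, app ids and URIs are constructed), a server-side check that binds the redirect target to the specific application making the request, with a host-only comparison shown beside it as the kind of lax check that lets a URI under the attacker's control pass:

```python
from urllib.parse import urlsplit

# Constructed registry: each app id maps to the redirect URIs its owner
# registered. A real provider would load this from its app database.
REGISTERED_REDIRECT_URIS = {
    "app_123": {"https://example-app.test/oauth/callback"},
    "app_456": {"https://other-app.test/cb"},
}


def is_allowed_redirect(client_id: str, redirect_uri: str) -> bool:
    """Strict check: the redirect_uri must be an exact, byte-for-byte match
    of a URI registered for *this* client_id (RFC 6749 recommends exact
    matching). Any URI registered for a different app, any extra path or
    query, a non-https scheme, or a fragment is rejected."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id)
    if not allowed:
        return False
    parts = urlsplit(redirect_uri)
    if parts.scheme != "https" or parts.fragment:
        return False
    return redirect_uri in allowed


def host_only_check(client_id: str, redirect_uri: str) -> bool:
    """Lax check shown for contrast: accepts any URI whose host matches the
    host of a registered URI, so any path on that host (including one the
    attacker can serve or that leaks the token elsewhere) is accepted."""
    allowed = REGISTERED_REDIRECT_URIS.get(client_id)
    if not allowed:
        return False
    hosts = {urlsplit(u).netloc for u in allowed}
    return urlsplit(redirect_uri).netloc in hosts


if __name__ == "__main__":
    for uri in ("https://example-app.test/oauth/callback",
                "https://example-app.test/anything-else",
                "https://other-app.test/cb",
                "http://example-app.test/oauth/callback"):
        print(uri, "strict:", is_allowed_redirect("app_123", uri),
              "host-only:", host_only_check("app_123", uri))
```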

~~~
j_s
    > trick the redirection scheme that Facebook uses into thinking that you are
    > the legitimate owner of an application whilst using your own backend-flow URL

Thanks for this summary which demonstrates the importance of both effective
communication skills and reading comprehension since I didn't come up with
anything close from my dash through the blog post.

------
alpb
For those who read the article, what caused this vulnerability? An input
sanitization issue, or a flaw of OAuth2 that other OAuth2 providers should be
aware of?

------
qwertzlcoatl
What are the odds that this has been exploited before?

------
mrb
This article renders as a blank page from Android Browser...

------
grapjas
It's called cracking

~~~
jhspaybar
I'd sure love to be told how this type of attack is any less worthy than
buffer overflows, or similar attacks upon old school systems? This guy
obviously understands where vulnerabilities can be found and is pretty good at
exposing them.

~~~
lotsofcows
Worthiness? They're all examples of cracking as well.

However, although he's cracking sites, this guy's obviously a pretty leet
hacker.

As such, "hacked" and "cracked" are equally good in the title as far as I'm
concerned.

~~~
lawnchair_larry
This is actually called hacking, not cracking. Cracking refers to removing
software protections.

~~~
leohutson
<http://www.catb.org/jargon/html/C/cracker.html>

~~~
lawnchair_larry
I'm aware of Eric S Raymond's attempt to change the definition. It's still not
correct. Nobody uses it that way other than misinformed pedants. This includes
the general public, the media, security professionals, and the people who
maliciously break into other sites. Just accept that "hacker" means both and
move on.

------
yuvadam
<meta>

Submitted 2 hours prior [1], why repost? Karma whoring? ;)

[1] - <https://news.ycombinator.com/item?id=5367908>

~~~
WillP
This one was submitted by the author.

