Oh hai o/
TL;DR: This is not your usual full disclo delivery. it’s a 4chan-style lampoon, or what we could call in French “un pamphlet 2.0”.
Excuse my French, Kudos for challenging/improving my English.
If you’re only interested in technicalities, this “vuln” can be written down to:
“FB Search/AI Injection” using “English, M**, do you speak it?”
-> Insecure Direct Object Reference + Incremental ID
-> IRL Direct Human Reference
Vuln: https://vimeo.com/179878103
PoC || GTFO: https://vimeo.com/183086660 (666 GET!!!!!!!)
▲
▲ ▲
“first they ignore you, then they threaten to sue you, then they deny the vulnerability, then you p0wn them”– with apologies to Mahatma Gandhi
Dear Facebook Op,
The main aim of this sage/FullDisclo is to convince you of one little thing: This vuln is cancer. You should fix it. Quickly.
As an InfoSec Kepo, a /b/tard and a doctor’s son, me, myself and I will show off how to disclo a vuln the “Hacker way”1 aka PoC || GTFO.
Even if I’m speaking to you and I may seem to be judging you, Please don’t take it personally. I only needed a mark - or as we say in French “un pigeon” - to QED this PoC, and I already have lawsuit to take care of o/
Let me start by saying that this ‘bug’ is ridiculous. I don’t even know how to word it differently than “having access to [X]’s public events” only by searching “events of [X]”, disregarding any “privacy protection” that you have in place.
This ‘bug’ was originally responsibly disclosed 3 months ago, worded and screencasted 2 as following:
Summary: The events method in search function seems to lack ACL rules.
Description:
By browsing the URL http://www.facebook.com/search/[entity_id]/events as an attacker, all the (public) events where the victim is interested in and going in is listed without any restriction, even if:
-> there is no friendship relationship.
-> the public profile has the event section hidden.
Risk/Impact:
I understand that Facebook has clearly stated in 3: “If you’re attending a public event, anyone on or off Facebook can see whether you’re attending. Anyone can also see the event description, photos, event wall posts and videos. There’s no way to prevent your friends from seeing the public events that you’re attending.” But this search is “user-centric”, giving the possibility for any “unfriendly person” to stalk the events that the user is attending, with potential IRL consequences.
Personal notes: Can we, pretty please with sugar, avoid the usual “It’s a feature, not a bug”? Kudos
The only response that I got was Joshua sending me back a very kind/professional “not in my backyard/go make suggestions to Engineering”. #Kudos Joshua o/
Time passed as life was not trolling me enough the following days and months, up until recently when I got a visit of one of my Tunisian friends. This genie, born in Mekka, did what every n00b or l33t in InfoSec do: go beyond 3. And found out that your entity_IDs are incremental. 4 After the usual win dance (everybody got one), He said: “I’m better than Mark, you know why? Because I know where Mark is, and he doesn’t know where I am”.
Let me just state the obvious here: Are you seriously using incremental IDs for your +1,5 billion user base? It is unreal to see that you are counting profiles like sheep. I’m #610668830 in case you’re wondering.
Can you imagine that I found the same fail n00b in a startup’s code here in Paris? This makes me wonder if you have ever got your code audited, or if u can even triforce. This is wrong in so many levels. Mainly because it’s dangerously silly and easy to sploit.
Dangerous enough to be lulz. To make a “Cyber Weapon in grugq’s scale” out of it to prove how easy it is.
▲ Code is Law
▲ ▲
Let’s be crazy enough to sploit this5.
The plan is simple: Connect to facebook, browse the events page, scrap as much data as possible, and render it in a map.
Fortunately, half of the work was already done by @stevenvo 6, and helped me leverage the power of scrapy for data crawling + BeautifulSoup for html rendering.
“All I had to do” was to dump the event page’s data from source. Then I had to read your code. It’s ugly if I may say. Because I tend to consider obfuscation as bad frustration, not protection.
Long story short, I had to handle javascript using a Splash 7 docker container, simulate a page scrolling to trigger the payload event, get the “generic.php” payload feed, get all cursors in place, THEN I could finally scrap data.
Tailoring and Parsing the right piece of info was a real pain in the ass too. I even had to use regex, which is always a bad idea in the first place.
After scraping, all I had to do is to rework and export data in RFC7946, by nicely asking Google a reverse geolocalization. The screencast 8 shows how easy it is to drag/drop and visualize your whereabouts around the bay.
To “arm” this cyberweapon, I just need to add a loop from 4 to let’s say 10k, and I’ll be granted 10k geojson files of your 10k first users. Magic, right?
Or maybe I have a person of interest? I just need to grab his/her entity_id and we’re done! Freaky, right?
N33d more l00t?
During the analysis phase, a detail got my attention 9, a P3P Header with the message: “Facebook does not have a P3P policy. Learn why here: http://fb.me/p3p";
I was amused by this, even trolled when I read the “P3P is dead” justification, but in the end astonished when I tried the “If you have questions about this policy” link. A broken one 10.
You’re not even trying to hide it anymore. You don’t give a damn. But let’s stay professional here, and suggest another reading from W3C.
Web Best Practices 11, where “Data must not infringe a person’s right to privacy”:
“Data publishers should preserve the privacy of individuals where the release of personal information would endanger safety (unintended accidents) or security (deliberate attack).”
What I’m challenging here is your perception of what should be public or private with this simple question: “Who are you to decide for billions?”
Dan Kaminsky once 12 said “data is flammable, not data is human waste”.
@jeremiahg @Hi_T_ch @ErrataRob @BrendanEich I really want to believe "data is flammable" not "data is human waste"
— Dan Kaminsky (@dakami) March 10, 2016
Yours is nuclear, and you’re aware of it. You even got a “Data God”. I can’t but even fathom what your “Data God mode” dashboards looks like. Can we haz a screenshot? <3
No matter how tall your legal/denial wall is/will be, you are morally liable to any IRL consequences of your social experiments, like IBM did. 13 #Godwin
In a word, your Harvard psychology diploma doesn’t grant you a Fifth Freedom 14 to suck data out of people online, pretexting “connecting people” to a 1984/“Free” version of Internet in India 15 & Africa 16.
▲ Data is Liability
▲ ▲
-> Why am I being pushy/hitchy about this?
Because You broke an important rule 17, perfectly worded by Confucius:
Xiào.
Disrespecting founders is not without consequences.
/b/ is not your personal army.
As a proper paranoid, Let’s conclude with the, God Forbid, legal perspectives of this full disclo.
Is your legal/PR team tempted by a murder-by-lawyer? Because I “engaged in Automated Data Collection without Facebook’s express written permission” 18? Let me then ask one question : “under whose jurisdiction?”
-> Will you be issuing a lawsuit depending on crawling ip origins? I don’t recall exactly, but I used VPNs somewhere between Italy, Canada, Russia (I’m playful), Netherlands and France. Ask for non existing logs \o/
I even had to confirm my phone number 3 times because of this. #CallMeMaybe
But let’s break it down, I’m even easing your work, being a responsible researcher. All scraping was done using the following UA:
'Mozilla/5.0 (Windows NT 6.1; rv:32.0) Gecko/20100101 Firefox/32.0 ~> 3ayn
(BB-0.8)'
-> Issuing a lawsuit in the US? I’m certainly already flagged in the US due to my name. Let alone my activities.
-> In France? You have your chances, as the last hope of protecting whistle blowers vanished recently 19 in this country.
-> Morocco, the country were I was born & raised? I’d love to see US lawyers trying to figure out Moroccan laws that even Moroccan lawyers sometimes don’t understand.
But I’d rather conclude this sage by one quote 20, hoping that you’ll find some wisdom on it:
“The processing of personal data should be designed to serve mankind. The right to the protection of personal data is not an absolute right; it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality.”
Op, please stop this non-sense and fix this cancer before it kills its host.
▲ InfoSec is limitless
▲ ▲
Cyber-Peace out