Facebook bypass of the cache servers, Check who visits your profile !
News Source : ERGIO ARCOS
Let me explain a security flaw in Facebook in relation to their cache servers, which form a layer between the Internet and internal multimedia content (photos and videos uploaded). This ruling, allows access to raw browser requests of our friends, allowing private information of these people ( web-bug ), or use as a bridge to take advantage of other external vulnerability ( CSRF ).
Facebook and intermediate layer
Many times you have seen this "use this application and find out who visits your profile, right?, Well, this will always be a fake, because Facebook is designed in a way that makes it impossible. If you look, when you go up a photo like the profile, it is resized, compressed, and stored on Facebook's own server. Actually, there are hundreds of servers, which form what is called a CDN . An example of profile photo:
https://profile.ak. fb .net/hprofile-ak-snc4/41513_1381714233_4208850_q.jpg cdn
If you go to your Facebook account, you look at the source code (Ctrl + U in Firefox), and seek the sequence `fbcdn 'will be full. And grace is this. What if you use a program like ' Tamper Data ', you will see that all requests go there.Nothing comes out.
The question is: Why? Because of this, Facebook will save many security issues (including privacy), gaining full control over who goes and where it goes (data mining). This is not a zero cost to Facebook, but it really is very costly financially.
Note that this is not the only one to do. Tuenti, for example, also has its own CRC.
The goal is to get a direct link to the outside without passing through the internal filter.
First, create a new note. The content must be at least the following code:
<img src="https://[dirección]" />
Once the note is created, you can choose who is the target of this. This is very important because it will be critical to lead the attack to a specific person or group:
Once created, if we look at the source code, we can see that was created under the direction of the CRC:
Now we can go to our wall, which has auto-created a new post, and delete it. It is no use. What you need to do is share the note manually. We also have to select with whom we share it, as we did when creating it. Fix in code that is replicated.
It sent the code is raw, not replicas made when an image or a video uploaded by the typical way, which is now embedded. Facebook is wary of the images that enter through the section notes, are "ups", not external, so do not put any extra security.
The result is as expected:
I see 2 vectors of attack, but the imagination to power .
1) Retrieve data through a web-bug. Is to place your own server dynamic file containing information (time, ip, user_agent, referer, ...) but posing as an image. Here come the power set (can) Facebook so that only leave the image on your wall, which makes it possible to count how many visitors you have (woo!).
I've done a proof of concept at the level of friends, and there have been many instances of surfing through Facebook Mobile, which is curious:
2) use the vulnerability to attack other external sites that are vulnerable to CSRF. An example would be able to operate in a bank just by making a direct call to one address, for example, https://url.ext/mover_dinero.php?de=XXX&a=XXX&cantidad=999999. Ideal for attacking survey systems, configuring the level of visibility to `foo ', and encouraging people to share. Know that it is possible to make any calls to Facebook's this building on the Referer. ERGIO ARCOS have no intention not to try.
First, reassure everyone: "It's nothing serious", as is reported, and all the data ERGIO ARCOS collected in the proof of concept are completely harmless. Facebook at this point is already protected.
I guess what struck me most is found at a site so popular and so audited, an error "so simple". ERGIO ARCOS suppose you've been lucky, but ERGIO ARCOS made illusion
On March 17 afternoon, ERGIO ARCOS sensed vulnerability. On day 18, check and found how to exploit it. ERGIO ARCOS proof of concept for 3-4 hours, and report the vulnerability to Facebook in the afternoon. Day 19 but not yet on Facebook to answer my mail, ERGIO ARCOS see this resolved. Then published the post, though ERGIO ARCOS doubt that "the report have been resolved for me." ERGIO ARCOSdo not care too.
News Source : ERGIO ARCOS