Monday 30 July 2012

How to Access Protected Album On Any Facebook Profile









Below I'm going to explain the theory behind the hack, with some pictures showing it in action. Access to albums in Facebook is controlled by three parameters of a URL, which you can see here:
http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c
aid=
id=
l=
The aid= parameter is the album id, id= is the userid, and the l= value is a random value which serves as a very poor security control. You need to know all three of these values to access the album. The userid is easy to obtain: you can search for the user whose album you wish to view and just hover over the add friend button. You don't even need to click it to see a URL similar to the following:
www.facebook.com/addfriend.php?id=0123456789
The id= is the id we want, and we can use this to begin building the URL to access that user's album. Remember, we don't need to add them as a friend to do this.
The aid= value I thought would be quite tricky to obtain, but everyone's profile pictures album aid is the same. The profile pictures album will always be aid=-3. Easy so far, huh?
So the l= value is the thing you need to access that album. It is a fairly small "token" which is always 5 characters in size and is always taken from a small character set: 0123456789abcdef. So if we look at the parameters again, we now know everything we need to brute force the access:
aid=-3 (-3 for every public profile album)
id=0123456789 (Obtained by searching for the user and hovering over the add friend button)
l=? (all we know is it's 5 characters from the 0123456789abcdef range)
So we need to be able to brute force the l= parameter. Time to break out my favourite testing tool, the Burp Suite. I capture a request, as you can see below, where I have replaced the l= value with §§, which tells Burp to change this parameter only:
I have selected Custom Iterator from the payload tab and told it to use values from 0123456789abcdef, and that the size of the input must always be 5 characters. The Burp Suite will then make GET requests, adding a new l= value each time. An unsuccessful request is shown below:
You can see that the request failed, so we let Burp carry on making requests until we hit upon a genuine value:
The full URL which gives us access to the album can be seen below:
If we render the response in Burp you can see that it is successful:
So the URL allows us to access the profile pictures album. I have copied it into a browser and accessed the picture in the next two images:
So that's it really. It's very simple to carry out this hack and access anyone's profile picture album. But the title of this blog post is “Access any album on any Facebook profile”, not just accessing one album.
To access any album you just need to do the same as we have above but change the aid= to §§ in the Burp Suite as well and use another custom iterator using 0123456789 and always 5 characters in length. It will obviously take longer than the first hack because we are forcing two values instead of one but it will give you access to any album on any Facebook profile.
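Seen from the server side, the guessing described above leaves an obvious trace: one client requesting the same id= and aid= with many different l= values. The following Python sketch is an added example, not part of the original post; the log format, the 404 status for failed guesses, the threshold and the sample lines are all constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Token space described in the post: 5 characters from 0123456789abcdef.
KEYSPACE = len("0123456789abcdef") ** 5  # 16**5 = 1,048,576 candidates

# Assumed (constructed) log format: <client_ip> "GET <path?query>" <status>
LOG_RE = re.compile(r'^(\S+) "GET (\S+)" (\d{3})$')


def find_token_enumeration(lines, max_distinct_tokens=3):
    """Flag clients that tried many different l= values against one album.

    Returns {(client, user_id, album_id): {"distinct": n, "hits": [...]}}
    where "hits" lists the guessed tokens that were answered with HTTP 200.
    """
    tried = defaultdict(dict)  # key -> {token: last status seen}
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        client, target, status = m.groups()
        url = urlsplit(target)
        if url.path != "/album.php":
            continue
        q = parse_qs(url.query)
        if not all(name in q for name in ("aid", "id", "l")):
            continue
        key = (client, q["id"][0], q["aid"][0])
        tried[key][q["l"][0]] = status
    return {
        key: {"distinct": len(tokens),
              "hits": sorted(t for t, s in tokens.items() if s == "200")}
        for key, tokens in tried.items()
        if len(tokens) > max_distinct_tokens
    }


def sample_log():
    """Constructed sample: one enumerating client, one normal visitor."""
    base = "/album.php?aid=-3&id=0123456789&l="
    lines = [f'203.0.113.7 "GET {base}{n:05x}" 404' for n in range(40)]
    lines.append(f'203.0.113.7 "GET {base}aad9c" 200')
    lines += [f'198.51.100.4 "GET {base}aad9c" 200'] * 2
    lines.append('198.51.100.9 "GET /profile.php?id=0123456789" 200')
    return lines
```

A visitor following a shared link uses one l= value per album, so even a low threshold separates the two patterns; the "hits" list tells the responder which album links were actually exposed.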








Warning: For Educational Purposes Only
