
Own Facebook Exploit - Silently Post to the Wall & Friends Walls of Visitors to Your Site

Discussion in 'FaceBook' started by crazyflx, Aug 19, 2013.

  1. crazyflx

    crazyflx Elite Member

    Joined:
    Nov 9, 2009
    Messages:
    1,674
    Likes Received:
    4,825
    Location:
    http://CRAZYFLX.COM
    Home Page:
    This has NOTHING to do with clickjacking. Here is a short video demonstrating this exploit in action (I suggest you watch it in full screen HD to see the details):



    I'll preface this thread with a warning - this is a LONG thread. In addition, I'll also warn the coders out there that the code being shared here is in some places, quite sloppy. It works, but this is far from refined. And again, while it works 100%, there are some places where the implementation is a bit sloppy as well. I put this together pretty quickly and just haven't gotten around to really refining it into a "nicer" package.

    THIS ONLY WORKS IN FIREFOX - IT WILL NOT WORK IN ANY OTHER BROWSER - This is the ONLY reason I did not share this in Exec VIP, or even Jr. VIP for that matter. This limited scope of functionality is the reason you're seeing this posted here. If a mod is reading this and you feel it should be hidden, feel free to go ahead and move it as you see fit to wherever you'd like.

    Demo URL: http://crazyflx.com/fbexploit/ - YOU MUST BE LOGGED INTO FACEBOOK - I didn't feel like adding the facebook login detection to this. I might later, but at the moment, you'll have to be logged into facebook and be using FireFox to see the demo URL work correctly.

    A post is going to be made to your timeline and the timelines of all of your friends. If you're not comfortable with this, don't submit the form at the URL above.

    I'll never have direct access to your account (like the ability to log into your account for instance). I won't get your password to log into facebook.


    What Does it Do?

    If you are logged into Facebook and you're using Firefox and you browse to the demo URL, you'll be prompted to enter a captcha code. Upon submitting a correctly entered captcha code, a post will be made to your facebook timeline and the timeline of every one of your friends. You will never be prompted to give permission to an app, you won't see a popup, you won't have to do anything in fact, except enter the captcha code and submit it.


    How Does it Work?

    I'll try to be brief here. First off, we're taking advantage of an unpatched security exploit in Firefox and exploiting something that Facebook is doing. The firefox security exploit is iFraming the source code of another page. This should not be allowed to happen, and they did in fact make sure that you couldn't iframe the source code of another page like this:

    Code:
    <iframe name="foo" width="10000px" height="10000px" src="view-source:http://test.com"></iframe>
    So, they were on the right track. However, they forgot to ALSO not allow you to iframe their "firefox specific" type tabs, like, for instance, the "feed" tab. I don't know the correct verbiage for this, but you can see what I mean if instead of trying to iFrame "view-source:http://test.com" you iframe this instead: "view-source:feed:view-source:https://test.com".

    In Firefox, what you'll see happen is that I can display the source code of another site on my site...this is the first step in doing some "blackhat magic". Now, let's get back to facebook and tie that in with what we just went over.

    When you go to any website and enter information and click the "submit" button, you're submitting a form to some location. On facebook, when you fill in a post to make to your timeline, and you click "submit", that form is submitted to their site.

    What's to prevent me from simply copying those form fields (the form itself) and putting it up on my website and then filling the information in and submitting it to facebook...well, a lot actually. They have a special token that is generated for every single user that is logged into facebook. This token changes randomly and for all intents and purposes, is impossible to figure out and is unique to every single user on facebook. This token is called (on facebook) "fb_dtsg". This is their CSRF protection...CSRF stands for "cross site request forgery". In other words, that token prevents a person from submitting a form from http://NotFacebook.com to http://Facebook.com.

    However, if you were to get your hands on that token, you CAN submit a form on the token owner's behalf from any website to facebook.com and it will work (NOT a cURL POST, as that happens server side and you need a LOT more info than just the CSRF token). What I mean is, you can submit a regular web form client side to facebook.com from a different URL.

    Facebook has iframing protection on their entire site using X-Frame-Options. This iframing protection means that, at the browser level, all attempts to iframe will be stopped. However, because Facebook has all these fancy "plugins" (can be viewed here: https://developers.facebook.com/docs/plugins/ - the "like button" is an example of an FB plugin) that are allowed to be used on sites other than facebook, they have to allow iframing of certain URLs, otherwise having a like button on your website could never happen.

    That means that all of the plugin URLs (they start with: https://www.facebook.com/plugins/ and end with a variety of different things, all of which can be found at the fb.com/plugins URL referenced above) can be iframed. It just so happens that facebook has included the CSRF token right there in the source code of these iframe-able URLs.

    Combine this with the firefox security exploit and we've got ourselves the perfect storm of the makings of some real blackhat magic!

    Step by Step Breakdown

    Alright, I'm going to give an explanation of exactly what is happening in as few words as possible. Here is the "flow" of what happens when you arrive at the demo URL.

    You arrive at URL and are prompted to enter a captcha code. The "captcha code" that you're presented with, is actually your FB CSRF token, which is being displayed to you by iframing this URL: feed:view-source:https://www.facebook.com/plugins/registration (again, only works in firefox). That's not quite enough however, as simply iframing that URL doesn't give any control of what part of the source code is displayed. So we create an iframe on "fb-register.html" and iframe that URL.

    Then, on the page you arrive at in the demo URL, we have iframed THAT url (resulting in a double nested set of iframes). By iframing the URL we have our iFrame on, we can control what part of the source code is displayed on the URL you arrive at in the demo. So we control it to show only the CSRF token.

    You then enter the token and click submit. What happens then is a form is submitted from the demo URL to facebook.com. What form you ask? Well, the form that is normally submitted when you grant access to your facebook account to an application. You can see an example of the form that is going to be submitted on your behalf if you enter the "captcha" on the demo URL by visiting this URL directly: https://www.facebook.com/dialog/oauth?client_id=189770671194636&redirect_uri=http://crazyflx.com

    The form that is submitted when you click the "okay" button on that page is the form that is going to be submitted from my site to facebook...using the CSRF token you just provided me with. The reason we can make a PHP POST to the submission page from my site is because that would require access to all of your FB cookies, which I don't have access to. If I simply submit a "web form" however, facebook only checks the CSRF token and if it's valid, it will generate all the rest of the required information for me since the form submission is actually happening "client side" (on your PC) and not server side (on my server).

    What happens then is you've just marked one of my facebook applications as having permission to access your account (it's basic info like name, user ID and a few other things)...however, that's not enough. That isn't going to get me a list of all your friends...and I need that list to post to their timelines.

    What I need now is to mark your account as having given access to another one of my facebook applications...but this second one will give me access to the whole enchilada...friends lists, your email, full name, birthday...literally everything.

    Unfortunately, facebook recently made it so that you have to go through more than one step to get these "elevated" application permissions...meaning more than one form submission, which we can't "fake" since that would require user interaction (and we're making all this happen silently). However, they left behind the functionality to give access to any amount of permissions you want if you clicked the "visit website" button on an app in the appcenter, like what you can see here: https://www.facebook.com/appcenter/eighttracks

    So if I have an app that has all the permissions I want and I have your CSRF token, I can "submit the form" that is submitted when you click that "visit website" button from my site and then I've got everything! However, to submit that form, I need your CSRF token AND I need your user ID (not your username, but the actual number string associated with your account). Well, because I just marked you as giving my "regular permissions" app access a moment ago, I now have access to your user ID. So, using your user ID and the CSRF token you already gave me, I'll now go ahead and submit a different form that marks you as having given my second application full permissions to post to your timeline and your friends' timelines.

    Now that I've marked my two applications as having access to your account, I just need to make the posts! The first post, to your timeline, can be done using the facebook SDK since I now have a valid access token that was generated immediately upon marking you as having marked my applications as "approved".

    Unfortunately, facebook recently removed the ability for an app to post to friends' timelines (as far as I know). Fortunately, since I've got your CSRF token, I can forge that form submission too! So using my valid access token, the demo URL generates a list of all of your account's friends' IDs. It then loops through these IDs submitting form after form using the ID and your CSRF token (that you provided me with).

    How to Set it Up

    I'm going to be very brief here...not only am I tired, but it's almost more work to explain how to set it up than it is for you to just go ahead and grab the files and start playing around with it yourself. I'm obviously going to provide the files below, but there are a few things you absolutely must do first.

    Make two applications on facebook. Sign into a facebook account and go here: https://developers.facebook.com/apps?ref=mb

    Then make two applications. You can use all of the default values and name them whatever you want, it doesn't matter. After they are created, click the "edit" button for one of the apps (that will have the elevated permissions) and click on "permissions"

    Make sure you have "publish_actions" and "read_friendlists" as permissions. You can actually go ahead and add every single possible permission to it, as the more you add, the more things you can do later using only PHP code (so the person doesn't even have to be on your site and you can be posting to their account/getting their info).


    Make sure you also set the "default activity privacy" to public (this setting is also on the permissions page).

    Then, lastly, for each of these two apps, note & save the "App ID" and the "App Secret" (these can be found on the "basic" tab after you are editing an app).

    Get the Files

    I have included one download link. It downloads a zipped package that contains two folders. One folder is "php-sdk" which contains the PHP SDK as provided by facebook. The other contains a folder labelled "demo" and contains all the files needed to achieve what you see on the demo URL and everything that is gone over above.

    You should upload both of these folders to the root of your site so you can access them by going to: http://yoursite.com/php-sdk & http://yoursite.com/demo

    Download Link: http://www.mediafire.com/download/4ur8z309ewdx022/folders.rar

    You'll have to edit the following files in the demo folder:

    CHANGE APP ID VALUE IN FRIENDS-POST.PHP
    CHANGE APP ID AND APP SECRET IN POST.PHP
    CHANGE APP ID IN GRANT-READ & GRANT-WRITE PERMISSIONS.HTML FILES
    CHANGE APP ID & APP SECRET IN URLS IN TOKEN.PHP

    I have tried to designate in each of the files, using long strings of XXXXXXXX, where you need to replace the app IDs & app secrets. You're also going to have to replace any instance of "crazyflx.com/fbexploit" with your site and the folder you uploaded the files in the demo folder to.

    As Always, Any Questions - Fire Away! Enjoy!
     
    • Thanks Thanks x 73
    Last edited by a moderator: May 18, 2016
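    The weakness the post leans on is that the target accepts a state-changing form as long as the per-session CSRF token is valid, even when the form is submitted from a different site, and that the token is embedded in pages which must stay frameable by third parties. The following is an added example (not code from this thread, nor Facebook's own) showing the server-side checks that close both gaps: the token comparison is paired with an Origin/Referer check, so a leaked-but-valid token submitted cross-site is still rejected, and embeddable widget routes are served without the session token in their body. `SITE_ORIGIN`, the route names and the dict-based session/headers are constructed for this example.

```python
"""Server-side CSRF handling that rejects a token-only cross-origin form replay.

Added example. Assumptions (constructed): the site's own origin is SITE_ORIGIN,
the per-session token is kept in a server-side session dict, and request
headers and form fields arrive as plain dicts.
"""
import hmac
import secrets
from urllib.parse import urlsplit

SITE_ORIGIN = "https://www.example-social.test"  # constructed placeholder origin


def issue_csrf_token(session):
    """Generate a fresh per-session token and store it server-side."""
    token = secrets.token_urlsafe(24)
    session["csrf_token"] = token
    return token


def _header(headers, name):
    """Case-insensitive header lookup over a plain dict."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def _request_origin(headers):
    """Derive the submitting origin from Origin, falling back to Referer."""
    origin = _header(headers, "Origin")
    if origin:
        return origin.rstrip("/").lower()
    referer = _header(headers, "Referer")
    if referer:
        parts = urlsplit(referer)
        if parts.scheme and parts.netloc:
            return f"{parts.scheme}://{parts.netloc}".lower()
    return None  # neither header present: treat as untrusted


def check_form_submission(headers, form, session):
    """Accept a state-changing POST only if BOTH checks pass.

    A valid token that was read out of a framed page is exactly the case the
    thread relies on, so the token comparison alone is not enough; the origin
    check is what catches it. Returns (accepted, reason).
    """
    expected = session.get("csrf_token")
    supplied = form.get("csrf_token", "")
    if not expected or not hmac.compare_digest(expected.encode(), supplied.encode()):
        return False, "csrf token missing or invalid"
    if _request_origin(headers) != SITE_ORIGIN:
        return False, "cross-site submission rejected by origin check"
    return True, "accepted"


def page_policy(path):
    """Per-route framing policy.

    Widget routes (constructed here as /plugins/...) must stay embeddable by
    third parties, so they get no session CSRF token in their body; every
    other route is locked to same-origin framing and may carry the token.
    """
    embeddable = path.startswith("/plugins/")
    return {
        "Content-Security-Policy": "frame-ancestors *" if embeddable else "frame-ancestors 'self'",
        "X-Frame-Options": None if embeddable else "SAMEORIGIN",
        "embed_csrf_token": not embeddable,
    }


def session_cookie(value):
    """Session cookie attributes; SameSite=Lax keeps it off cross-site POSTs."""
    return f"session={value}; Secure; HttpOnly; SameSite=Lax; Path=/"


if __name__ == "__main__":
    session = {}
    token = issue_csrf_token(session)
    same_site = {"Origin": SITE_ORIGIN}
    other_site = {"Origin": "https://third-party.test"}  # constructed
    print(check_form_submission(same_site, {"csrf_token": token}, session))
    print(check_form_submission(other_site, {"csrf_token": token}, session))
    print(check_form_submission(same_site, {"csrf_token": "guess"}, session))
    print(page_policy("/plugins/like"), page_policy("/compose"))
```

The second `print` in the `__main__` block is the thread's scenario: the token is correct, but because it arrives from another origin the submission is refused. `page_policy` captures the other lesson, that anything a third party is allowed to frame should never contain a secret tied to the viewer's session.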
  2. Asif WILSON Khan

    Asif WILSON Khan Executive VIP Premium Member

    Joined:
    Nov 10, 2012
    Messages:
    10,112
    Likes Received:
    28,526
    Gender:
    Male
    Occupation:
    Fun Lovin' Criminal
    Location:
    London
    Home Page:
    Another awesome share. You have been posting some really interesting threads. Thanks
     
  3. crazyflx

    crazyflx Elite Member

    Joined:
    Nov 9, 2009
    Messages:
    1,674
    Likes Received:
    4,825
    Location:
    http://CRAZYFLX.COM
    Home Page:
    Thanks a lot, much appreciated! Hopefully it makes you some money, haha.
     
  4. DarkPixel

    DarkPixel Jr. VIP Jr. VIP Premium Member

    Joined:
    Oct 4, 2011
    Messages:
    1,328
    Likes Received:
    1,239
    Location:
    ↓↓↓↓
    Home Page:
    This is one of the best shares I have seen. Good job man. :)
     
    • Thanks Thanks x 1
  5. Goal Line Technology

    Goal Line Technology Senior Member

    Joined:
    Dec 30, 2011
    Messages:
    929
    Likes Received:
    2,157
    You sir are a genius :)
    Thanks +reps
    Cheers
     
  6. derago21

    derago21 Jr. VIP Jr. VIP Premium Member

    Joined:
    Oct 24, 2010
    Messages:
    2,371
    Likes Received:
    1,191
    Gender:
    Male
    Occupation:
    Backlinker
    Location:
    Your Brain
    Crazy Stuff Crazyflix :)
     
  7. Bestcreaters

    Bestcreaters Power Member

    Joined:
    Jul 10, 2013
    Messages:
    605
    Likes Received:
    259
    Occupation:
    money maker
    Location:
    Making Money is important
    nice share op
     
  8. crazyflx

    crazyflx Elite Member

    Joined:
    Nov 9, 2009
    Messages:
    1,674
    Likes Received:
    4,825
    Location:
    http://CRAZYFLX.COM
    Home Page:
    Big thanks to all of you guys, really.

    The great community here is really one of my biggest motivators for sharing things.

    Long live BHW! lol
     
    • Thanks Thanks x 1
  9. N1KITA

    N1KITA Junior Member

    Joined:
    Jun 15, 2013
    Messages:
    116
    Likes Received:
    28
    Occupation:
    Student
    Location:
    Kosovo
    Will I get banned if I post to all my friends? I have 1.5k friends total.
     
  10. Leith

    Leith Jr. Executive VIP Jr. VIP Premium Member

    Joined:
    Oct 30, 2011
    Messages:
    5,377
    Likes Received:
    8,559
    Great share!
     
  11. sanjai

    sanjai Newbie

    Joined:
    Feb 17, 2013
    Messages:
    17
    Likes Received:
    2
    Location:
    India
    If I use this script and post in friends wall, fb won't ban my account?
     
  12. SeoWrecker

    SeoWrecker Jr. VIP Jr. VIP Premium Member

    Joined:
    Jul 16, 2012
    Messages:
    1,593
    Likes Received:
    1,460
    Location:
    Doesn't matter
    gotta make full use of it before it is fixed :p thanks OP
     
  13. N1KITA

    N1KITA Junior Member

    Joined:
    Jun 15, 2013
    Messages:
    116
    Likes Received:
    28
    Occupation:
    Student
    Location:
    Kosovo
    I am getting this error : You Entered the Code Incorrectly - Please Try Again
     
  14. joshua56

    joshua56 Newbie

    Joined:
    Jan 13, 2013
    Messages:
    7
    Likes Received:
    0
    great share, how do you get famous off of it?
     
  15. ShOwA

    ShOwA Regular Member

    Joined:
    Feb 7, 2010
    Messages:
    300
    Likes Received:
    69
    Amazing!!!!
    +++rep mate! ;)
     
  16. RushingWind

    RushingWind Elite Member

    Joined:
    Apr 6, 2013
    Messages:
    2,416
    Likes Received:
    3,333
    Quite interesting indeed. I will have to try this out for myself.
    Thanks,
    RW.
     
  17. manolo12399

    manolo12399 Senior Member

    Joined:
    Jan 3, 2009
    Messages:
    818
    Likes Received:
    161
    just a heads up, but the captcha code doesn't show up on that spot, probably the line is longer
     
  18. anilpendu

    anilpendu Jr. VIP Jr. VIP Premium Member

    Joined:
    Aug 20, 2012
    Messages:
    1,145
    Likes Received:
    845
    Occupation:
    Student
    Home Page:
  19. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,062
    Likes Received:
    2,872
    Gender:
    Male
    That's great stuff man :)
    Thanks a lot!
     
  20. at0m0

    at0m0 Newbie

    Joined:
    Aug 12, 2013
    Messages:
    23
    Likes Received:
    4
    thanks so much,

    but when I try it I get this

    "You Entered the Code Incorrectly - Please Try Again"

    What am I missing?
     
    Last edited: Aug 19, 2013