
Sunday, 16 February 2014

Facebook User Enumeration Vulnerability By Bypassing Brute Force Protection

[Image: Facebook User Enumeration]

Hello all readers, today I am going to show you how I found a user enumeration vulnerability in Facebook (the "Facebook User Enumeration" vulnerability).

Bug Status - Reported on 3-5-2013

They said that the rate limit is working according to their settings, but they rewarded me for coordinating with them on this report.

Reward - $1000


Before going further, if you don't know about the User Enumeration vulnerability, see below.

User Enumeration is a technique or vulnerability that allows an attacker to enumerate the emails, user names or other sensitive information of users who already exist in the target web application.

So let's move on to the testing part.

About my approach: I didn't try for XSS, CSRF or any other common bug. I always try to find some logical or unique bug.

So I was searching for this type of bug in iphone.facebook.com, which is a special version of Facebook for iPhone users so they can browse Facebook on their iPhone.

Now here is where the interesting part comes in.
You all know that every web application has its forgot-your-password and registration forms,
where a user can reset their password or create a new account.
Let's think about what an attacker can do with these two forms... hmmmmmmmmmmmmmmmmmmm :-)

Yes, he can check which email addresses already exist in that web application by performing a mass brute force attack.

So I tried to perform this attack on the forgot-your-password forms of iphone.facebook.com and m.facebook.com, but as everyone knows, Facebook has its own internal brute force detection mechanism, so no one can easily perform this type of attack.
As a result of this attack I found that after 10 attempts Facebook was blocking my requests, so I was unable to perform the attack there. I tried to bypass it but didn't get anywhere.

Then finally I found a flaw: improper request handling in the iphone.facebook.com login panel for users.

In a normal web application, if you enter only the email without a password, the application gives you an error like "Please Enter Email & Password" or "You Entered An Invalid Email Or Password".

But on iphone.facebook.com, if I enter only the email in the login panel without a password, I get the error "We didn't recognize your email address".
Facebook's response to this: "This behavior is intentional: it improves the usability of the site by allowing users to more easily distinguish when they've typed their email address incorrectly."
But with it we can enumerate all existing email addresses.

The server returns 200 for a non-existing email and 302 for an existing email.

(5000 attempts)

[Screenshot: here I performed 5000 attempts]
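As an added example (not code from the original post), here is the response oracle described above written as a minimal Python login handler in its leaky form beside a hardened form, plus a small check a defender can run against a handler to see whether it answers differently for known and unknown emails. The user store, handler names and attempt limit are hypothetical; the limit of 10 mirrors the number the post reports.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed demo user store: email -> sha256 of the password (never store plaintext)
USERS = {"alice@example.com": hashlib.sha256(b"correct horse").hexdigest()}

# Hypothetical per-client attempt limit; the post reports a block after 10 attempts
ATTEMPT_LIMIT = 10
_attempts = defaultdict(int)


def _password_ok(email, password):
    # Constant-time comparison; an unknown user is compared against a dummy
    # digest so that timing does not reveal whether the email exists either.
    stored = USERS.get(email, "0" * 64)
    given = hashlib.sha256(password.encode()).hexdigest()
    match = hmac.compare_digest(stored, given)
    return match and email in USERS


def leaky_login(email, password, client_ip):
    """Vulnerable pattern from the post: the response depends on whether the
    email exists (200 with a specific message vs. 302), and nothing throttles
    repeated submissions, so an empty-password request becomes an oracle."""
    if email not in USERS:
        return 200, "We didn't recognize your email address"
    if _password_ok(email, password):
        return 302, "Location: /home"
    return 302, "Location: /login?error=1"


def safe_login(email, password, client_ip):
    """Hardened pattern: identical status and message for an unknown email and
    for a wrong password, plus a per-client attempt counter."""
    _attempts[client_ip] += 1
    if _attempts[client_ip] > ATTEMPT_LIMIT:
        return 429, "Too many attempts, try again later"
    if _password_ok(email, password):
        return 302, "Location: /home"
    return 200, "Invalid email or password"


def leaks_user_existence(handler, known_email, unknown_email, client_ip):
    """Defender's check: submit a known and an unknown email with an empty
    password; any difference in (status, body) is an enumeration oracle."""
    return handler(known_email, "", client_ip) != handler(unknown_email, "", client_ip)
```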

You can see the PoC video.

After communicating with the Facebook team, they said that they already have an attempt limit on their web application, but they still accepted my report as valid for the cooperative and responsible way I handled it.

Comments Are Always Welcome
