[Repost] [Vulnerability Analysis] Facebook Email/phone disclosure using Binary search


So in December I decided to hunt on Facebook, and chose to go with the Facebook Android app.

I was analyzing the Facebook app’s password recovery flow.


I noticed that the following endpoint was being used.


When a user enters his email/phone number, it is supplied in the following manner using the parameter `q`:

The endpoint contained manyyyyy parameters, more than it required.


So I was eager to test what those parameters did.


I quickly noticed that although the user’s email is being carried by `q` parameter, it also contains a `qs` parameter.


Now, in case you don't know:
On Facebook, the character `s` after a parameter name means plural.

Example:
invite_id, plural = invite_ids
user_id, plural = user_ids

I knew that in plural parameters you can supply an array of data,
like:
user_ids=["UserID1","UserID2"]

so I supplied data in following manner:


qs=["victimemail1@gmail.com","victimemail2@gmail.com"]

But it gave an error stating the array keys are invalid.

So this wasn’t a normal array, it had its own keys.


So after some fuzzing I finally figured out that the parameter `qs` takes its value in JSON-wrapped format with the keys "email" and "phone", where the email/phone values themselves are supplied as arrays.

Example:
q=victim@gmail.com
qs={"email":["victim@gmail.com"],"phone":["981234567890"]}

Now,
when you supply an email to the forgot-password endpoint, the data belonging to you is returned in the response in encrypted format.

The response will contain:
your encrypted user ID, contact points, etc.

Along with the data there was a value `summary` and it was set to `1`.


Initially I thought it to be a Boolean.
But it turns out:

When we supply one email in `qs`:
qs={"email":["user1@gmail.com"]}
Data of one user is obtained in response.
Hence: summary=1

When we supply two emails in `qs`:
qs={"email":["user1@gmail.com","user2@gmail.com"]}
Data of two users is obtained in response.
Hence: summary=2

But here comes the final part:


Let's say I supply:
qs={"email":["victim1@gmail.com","victim2@gmail.com"]}
Data of only 1 user is obtained.

What does that mean?
Both emails belong to the same user, so both point to the same account, resulting in the response "summary":1

Now, basically it was a brute-force attack scenario.

I supply the victim's username along with an email, and if the email belongs to the victim the response is "summary":1

qs={"email":["victimUserName","Email"]}

// Yup, we can supply a username in the email parameter

BinarySearch to the rescue


Brute-force attacks are noisyyy.
But using binary search, this attack became much easier.

Refer to this video to learn about BinarySearch:


Since the endpoint was accepting an array of data,
I wasn't forced to only submit
1 username + 1 email

I could supply
1 username + 100s of emails.

Example:

qs={"email":["victimUserName","email1@gmail.com","email2@gmail.com","email3@gmail.com"]}

Now, if any of the emails in the request belonged to victimUserName:

summary=3
// Response of email1+email2+email3

Else summary=4
// Response of victimUserName+email1+email2+email3

This made it easier to brute-force and effectively identify any user's private email.
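To make the count oracle concrete, here is an added Python simulation (not the author's code and not Facebook's implementation) of the behaviour described above: a constructed account table, a `summary` that counts distinct matched accounts as in the write-up, a hardened variant that counts per supplied identifier instead, and the binary search that narrows a candidate list using that count. The usernames, addresses and `find_owned_email` helper are all constructed for the illustration.

```python
# Added illustration: mock of the count oracle described in the write-up.
# Account data is constructed; nothing here talks to a real service.
CANDIDATES = [f"user{i}@example.com" for i in range(15)]
CANDIDATES.insert(9, "hidden.victim@example.com")   # the address to be found

ACCOUNTS = {f"user{i}": {f"user{i}@example.com"} for i in range(15)}
ACCOUNTS["victimUserName"] = {"hidden.victim@example.com", "981234567890"}


def _resolve(identifier):
    """Map a username or contact point (email/phone) to its account."""
    for user, contacts in ACCOUNTS.items():
        if identifier == user or identifier in contacts:
            return user
    return None


def vulnerable_summary(qs):
    """Leaky behaviour from the write-up: 'summary' is the number of distinct
    accounts matched, so a username and an email of the same user collapse
    into one and the count comes back one short."""
    ids = qs.get("email", []) + qs.get("phone", [])
    return len({_resolve(i) for i in ids} - {None})


def hardened_summary(qs):
    """One possible fix: count per supplied identifier, never per distinct
    account, so the reply reveals nothing about shared ownership."""
    ids = qs.get("email", []) + qs.get("phone", [])
    return sum(1 for i in ids if _resolve(i) is not None)


def find_owned_email(username, candidates, summary_fn):
    """Binary search over the candidate list using the count oracle.
    Returns (email or None, number of requests made). Assumes every
    candidate is a registered address, as in the write-up's 3-vs-4 example."""
    queries = 0

    def chunk_has_owned(chunk):
        nonlocal queries
        queries += 1
        # A short count means one entry in chunk belongs to the username.
        return summary_fn({"email": [username] + chunk}) < len(chunk) + 1

    if not chunk_has_owned(candidates):
        return None, queries
    lo, hi = 0, len(candidates)
    while hi - lo > 1:                # halve the range on every request
        mid = (lo + hi) // 2
        if chunk_has_owned(candidates[lo:mid]):
            hi = mid
        else:
            lo = mid
    return candidates[lo], queries
```

Against the leaky `summary`, 16 candidates are narrowed to the matching address in 5 requests instead of 16; against the hardened one, the first request already shows no shortfall and the search stops.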

Diagram demonstrating the binarySearch


I also received this sweeeet response from the Facebook team,
felt good 😉


Timeline
Submitted: January 3
Triaged: February 13
Bounty $XXXX awarded: March 22