Password reset Vulnerability in Facebook Employees Secure Files Transfer service


files.fb.com : ehack


Many of you may not be aware of this, but Facebook has a Secure Files Transfer service for its employees at https://files.fb.com, and a hacker reported a very critical password reset vulnerability in it.

Nir Goldshlager, a researcher, told ‘The Hacker News’ how he defeated Facebook’s Secure Files Transfer service and helped Facebook by reporting the issue to them responsibly, without disclosing it until it was patched.

After analyzing the site, he found that the script Facebook was using is actually the “Accellion Secure File Sharing Service” script, so he next downloaded the demo version of the service from the Accellion website and explored the source code and file locations.

He found that the source also includes a user registration page, and that this page was also present on files.fb.com. Facebook had removed the Sign up option (link) from the homepage, but forgot to remove the registration page from its actual location, i.e. (/courier/web/1000@/wmReg.html).

This way, Goldshlager was able to create an account on the site for further pentesting. He found that the demo source code of the service is encrypted with ionCube PHP Encoder, and he was not able to decrypt many parts of it.

The source code of a web application is like a treasure for a penetration tester: once you have the source code, you can easily look for many critical web application vulnerabilities. Anyway, he dropped that idea because the source code is encrypted.

There is also a Password Recovery page (wmPassupdate.html) on the site, which actually allowed anyone to reset the password of any account. Goldshlager noticed that when a user requests a password reset for his account, the page validated the user by a cookie called “referer” that contained the email ID of the same logged-in user, encoded in Base64.

Facebook Employees : ehack

Finally, Goldshlager hacked the Facebook Employees Secure Files Transfer service by tampering with the cookie value, setting it equal to the victim's email ID, and with the password parameters. This way he was able to reset the passwords of Facebook employees using this critical flaw. He reported the flaw, and Facebook has now patched it.
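The flaw described above comes down to trusting a client-controlled, Base64-encoded cookie as proof of identity. The following is an added example, not code from Accellion, Facebook or the original post: it puts that pattern beside one possible hardened form that binds the identity to a server-computed HMAC tag. The account names, the `session` cookie, the server key and all function names are assumptions made for illustration; the post does not say how the real fix works.

```python
import base64, hashlib, hmac, secrets

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret known only to the server
# Constructed sample accounts, not real addresses.
ACCOUNTS = {"alice@example.com": "old-a", "bob@example.com": "old-b"}

def b64(email):
    return base64.b64encode(email.encode()).decode()

def reset_vulnerable(cookies, new_password, store):
    """Pattern from the post: identity is read from the Base64 'referer' cookie."""
    email = base64.b64decode(cookies["referer"]).decode()
    if email not in store:
        return False
    store[email] = new_password  # nothing proves the requester owns this account
    return True

def issue_session(email):
    """Server-issued value: the email plus an HMAC tag only the server can compute."""
    tag = hmac.new(SERVER_KEY, email.encode(), hashlib.sha256).hexdigest()
    return b64(email) + "." + tag

def reset_hardened(cookies, new_password, store):
    """Accept the identity only when its HMAC tag verifies."""
    try:
        enc, tag = cookies["session"].split(".", 1)
        email = base64.b64decode(enc, validate=True).decode()
    except (KeyError, ValueError):  # missing cookie, bad format, bad Base64/UTF-8
        return False
    expected = hmac.new(SERVER_KEY, email.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag.encode(), expected.encode()) or email not in store:
        return False
    store[email] = new_password
    return True

def demo():
    """Alice is the logged-in user; both requests name Bob in the cookie."""
    store = dict(ACCOUNTS)
    vulnerable = reset_vulnerable({"referer": b64("bob@example.com")}, "new", store)
    alice_tag = issue_session("alice@example.com").split(".", 1)[1]
    swapped = {"session": b64("bob@example.com") + "." + alice_tag}
    hardened = reset_hardened(swapped, "new2", store)
    return vulnerable, hardened, store["bob@example.com"]

if __name__ == "__main__":
    print(demo())
```

A production reset flow would also require the current password or a one-time token delivered out of band; the HMAC tag only shows why a value the client can edit must be verified before it is trusted.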

Video Demonstration by Nir Goldshlager–

Original post at: thehackernews

Thanks for reading. Hope it helped you.
http://ehack.thegeoadventure.com/


Posted on January 8, 2013, in cyber crime, ehacking, hacking, security, social media.
