I have a full plate! I would really like to write articles on a day-to-day basis, but sometimes the time isn't there for all the projects I'm doing. I usually write down my ideas and try to sort through them to select which ones are worth my time and have potential. But even if an idea is great, once I do some research and it turns out to be huge, it can still go in the trash can. A few months ago I discovered a hole in the standard implementation of Facebook login for third-party sites! I tested it and verified that the sample code online contained the mistake, but when I was ready to write the article the bug was fixed. That is too bad, because it would have been an epic article!
I found out that the Facebook login examples just took the e-mail address registered on Facebook and verified it against the example site's own database to see if that e-mail address had an account, and if so performed a logon. That isn't too bad and is the common practice for a third-party Facebook login. The big issue was that Facebook reported the registered e-mail address back over the API whether it was verified or not. So I found a number of sites where I could register a new Facebook account with the same e-mail address as my target user used on the site and then log in. The user got a verification message from Facebook, but the verification link didn't need to be clicked before Facebook reported that e-mail address as mine when I logged on via Facebook.
Even better, from the attacker's point of view, were a few sites where I knew my target had already registered with Facebook and I could still carry out the same attack. When I implement this type of login I always put a flag on the user when they connect their login to Facebook, storing the Facebook account ID, so if they try to log on with the same e-mail but another Facebook ID it will throw an error. If you want to step it up even more you can disable "normal" login when they connect to a Facebook account, to prevent issues with old forgotten weak passwords.
My favorite, however, is to connect the logon to Google account login and only allow users with two-step verification to log on!
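As an added example (not code from the original post), here is what the linking check described two paragraphs up looks like in a small Python model. The in-memory user store and the values `fb_id` and `email_verified` are assumptions standing in for what a real site would read from the provider's API; the example also refuses an address the provider reports as unverified, which is the root of the hole described above.

```python
"""Facebook account linking with a stored provider ID (added example)."""
from dataclasses import dataclass
from typing import Dict, Optional


class LoginError(Exception):
    """Raised for any login failure; the message is safe to show to users."""


@dataclass
class User:
    email: str
    facebook_id: Optional[str] = None    # set when the user links Facebook
    password_login_enabled: bool = True  # can be switched off after linking


def sample_users() -> Dict[str, User]:
    """Constructed sample store: one local account, not yet linked to Facebook."""
    return {"alice@example.com": User(email="alice@example.com")}


def link_facebook(users: Dict[str, User], email: str, fb_id: str,
                  disable_password_login: bool = False) -> User:
    """Called when an already authenticated user explicitly connects Facebook.

    Stores the provider's account ID on the user so later logins can be
    checked against it, and optionally turns off the password login so an old
    weak password can no longer be used.
    """
    user = users[email]
    if user.facebook_id is not None and user.facebook_id != fb_id:
        raise LoginError("This account is already linked to another Facebook account.")
    user.facebook_id = fb_id
    if disable_password_login:
        user.password_login_enabled = False
    return user


def facebook_login(users: Dict[str, User], email: str, fb_id: str,
                   email_verified: bool) -> User:
    """Log a user in from a Facebook callback.

    `email`, `fb_id` and `email_verified` are what the site received from the
    provider (hypothetical field names). The login only succeeds when the
    address is reported as verified and the stored Facebook ID matches (or the
    user has never linked Facebook before).
    """
    if not email_verified:
        # The hole in the post: the provider reported unverified addresses too.
        raise LoginError("Facebook login failed.")
    user = users.get(email)
    if user is None:
        raise LoginError("Facebook login failed.")
    if user.facebook_id is not None and user.facebook_id != fb_id:
        # Same e-mail, different Facebook account: exactly the attack in the post.
        raise LoginError("Facebook login failed.")
    if user.facebook_id is None:
        # First Facebook login for this user: record the ID so a later login
        # with the same e-mail but another Facebook ID is rejected.
        user.facebook_id = fb_id
    return user


def password_login_allowed(users: Dict[str, User], email: str) -> bool:
    """True unless the user has disabled password login by linking Facebook."""
    user = users.get(email)
    return user is not None and user.password_login_enabled
```

Every failure raises the same generic message, so the callback does not reveal whether the address exists, whether it is linked, or which check failed.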
I would like to take this opportunity to thank everyone who has commented on my articles and given me good feedback. Hopefully I will be back soon with more interesting stuff!
The error message above is in Swedish; the short version: "The e-mail address you entered isn't connected to any account in our system." So instead of telling me that my username/password combination was unsuccessful, they actually help me with half the problem. If they had only told me that the username and password combination was bad, I wouldn't know whether I had the correct e-mail address for the account I'm interested in. So I will just try the different e-mail addresses I know of for my intended target with some bullshit password until I get the "wrong password" error, and then I know which e-mail address they use. Really not good, Facebook!
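The fix is a login that answers the same way whether the address is unknown or the password is wrong. As an added example (not from the original post), the Python below does that and also does a dummy hash computation for unknown addresses so the response time does not leak what the message no longer does. The PBKDF2 parameters and the `ACCOUNTS` store are assumptions and constructed sample data.

```python
"""Login that does not reveal whether an e-mail address exists (added example)."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

ITERATIONS = 200_000  # assumed PBKDF2 work factor for this example
GENERIC_ERROR = "Wrong e-mail address or password."


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, PBKDF2-HMAC-SHA256 digest); a fresh salt is drawn if none is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed sample account store: e-mail -> (salt, hash).
ACCOUNTS: Dict[str, Tuple[bytes, bytes]] = {
    "target@example.com": hash_password("correct horse battery staple"),
}

# Throwaway hash used when the address is unknown, so the request still does
# one PBKDF2 computation and takes about as long as a real wrong password.
_DUMMY_SALT, _DUMMY_HASH = hash_password("dummy")


def login(email: str, password: str) -> Tuple[bool, str]:
    """Return (success, message).

    The message is identical for an unknown e-mail address and for a wrong
    password, which is the property the Facebook form discussed above lacks.
    """
    record = ACCOUNTS.get(email)
    salt, expected = record if record is not None else (_DUMMY_SALT, _DUMMY_HASH)
    _, actual = hash_password(password, salt)
    # Constant-time comparison; an unknown address fails even if the supplied
    # password happens to match the dummy hash.
    ok = hmac.compare_digest(actual, expected) and record is not None
    if not ok:
        return False, GENERIC_ERROR
    return True, "Logged in."
```

Password reset and registration forms need the same treatment, since "that address is already registered" leaks exactly the same bit.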
No one has missed the release of Firesheep, I hope: the new easy way to hack your way into other people's accounts on Facebook, Twitter, WordPress, Flickr, Google and more. The exploit is a plugin for Firefox that captures network traffic and intercepts the session cookies from the sites. This isn't new to anyone, but it's the way it's implemented that is nice and will get people moving to fix their broken sites. If you can't scale up your service safely with SSL you shouldn't scale up at all. Once you have installed the plugin in Firefox, just hit "Start Capturing" and whenever it finds a service cookie it will pop up with the username and picture.
It's been announced that this is an exploit for unprotected wireless networks, but that isn't entirely true. If you use a simple man-in-the-middle attack you can capture the traffic on a wired network you have access to in your school or at your workplace. There are simple ways of doing this.
- Download Cain & Abel and install it! (http://www.oxid.it/cain.html)
- Download WinPcap and install it! (http://www.winpcap.org/install/default.htm)
- Download Firesheep and install it; if your browser saves it as a .zip file, rename it to .xpi. Then just open the Firefox menu "Tools" -> "Add-ons" and drag-and-drop the file into the window. (http://github.com/codebutler/firesheep/downloads)
- Read this how-to and do a man-in-the-middle attack on your current network. (http://skateass.com/wordpress/cain-arp-poisoning-cracking-and-sniffing-passwords-and-packets/)
- Start Firefox, go to "View" -> "Sidebar" -> "Firesheep" and then hit "Start Capturing". Now all the sessions created to the sites will be at your disposal.
You can even create custom site profiles in Firesheep and capture other services than the ones already in there.
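What Firesheep relies on is a session cookie that the browser is willing to send over plain HTTP. As an added example (not part of the post or of Firesheep), the Python below audits a site's own response headers for that weakness: session-looking cookies without the `Secure` and `HttpOnly` attributes, and a missing `Strict-Transport-Security` header, which is what keeps browsers from starting on http:// in the first place. The sample responses and the cookie-name heuristic are constructed for the example.

```python
"""Audit response headers for cookies that a sniffer could pick up (added example)."""
from typing import Dict, List, Tuple

# Heuristic (assumed) name fragments that usually mark a session cookie.
SESSION_COOKIE_HINTS = ("sess", "sid", "auth", "token", "login")


def parse_set_cookie(header: str) -> Dict[str, object]:
    """Parse one Set-Cookie header value into name, value and lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, object] = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return {"name": name.strip(), "value": value, "attrs": attrs}


def audit_response(headers: List[Tuple[str, str]]) -> List[str]:
    """Return findings for one response's headers.

    `headers` is a list of (name, value) pairs in wire order; Set-Cookie may
    appear several times. Only cookies that look like session cookies are
    checked, so a tracking cookie without Secure does not produce noise.
    """
    findings: List[str] = []
    has_hsts = False
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            has_hsts = True
        elif lname == "set-cookie":
            cookie = parse_set_cookie(value)
            cname = str(cookie["name"])
            if not any(hint in cname.lower() for hint in SESSION_COOKIE_HINTS):
                continue
            attrs = cookie["attrs"]
            if "secure" not in attrs:
                findings.append(f"{cname}: missing Secure; the browser will send it over plain HTTP")
            if "httponly" not in attrs:
                findings.append(f"{cname}: missing HttpOnly; readable by script")
    if not has_hsts:
        findings.append("no Strict-Transport-Security header; browsers may still start on http://")
    return findings


# Constructed sample responses: the kind of site Firesheep works against, and a hardened one.
WEAK_RESPONSE = [
    ("Content-Type", "text/html"),
    ("Set-Cookie", "sessionid=abc123; Path=/"),
]
HARDENED_RESPONSE = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "sessionid=abc123; Path=/; Secure; HttpOnly"),
]

if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(response) or ["ok"])
```

Marking the cookie `Secure` is the minimum; without HSTS a user who types the bare hostname still makes one unencrypted request, so both checks belong together.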
What else do you want to read about? Please hit me with some comments!