      dEEpEst

      How I hacked Facebook OAuth to get full permission on any Facebook account


      For this exploit to work, the victim only needs to visit a web page.

      OAuth is used by Facebook to communicate between application users and Facebook. Usually users must allow/accept the request to access their account before the communication can begin.

      Any Facebook application can request different permissions.

      For example:

      Diamond Dash and Texas Holdem Poker only have permission to get basic information and post on the user's wall.

      I found a way to get full permissions (read inbox, outbox, manage pages, manage ads, read private photos, videos, etc.) on the victim's account even without any application installed on the victim's account.
      Another advantage of the flaw I found is that there is no "expiration date" on the token as there would be with any other use of the application. In my attack the token never expires unless the victim changes their password.

      So, the OAuth dialog URL looks like this:

      https://www.facebook...ERMISSION_NAMES

      Each application on Facebook has a different app_id; for example, 'Diamond Dash' would be app_id=2 and 'Texas Holdem Poker' would be app_id=3.

      Next, the redirect_uri parameter (next=, redirect_uri=) only accepts the domain of the owning application.
      For example, app_id=2389801228 belongs to the 'Texas Holdem Poker' application, so the 'next' parameter will only allow the zynga.com domain (i.e. next=http://zynga.com).
      If the domain in the 'next' / 'redirect_uri' parameter is different (nirgoldshlager.com), Facebook will block this action.

      Facebook performs a match between your app_id and your next parameter. Facebook also sends the access token via a GET request to the owning application after the user has allowed it.
      Now that we know how Facebook OAuth works, let's talk about my findings.
      I started thinking about my options: what if I could redirect the application's OAuth request to a different 'next' URL? First I tried changing the 'next' parameter to a different domain, and they blocked my action.
      Then I tried changing the next parameter to the facebook.com domain, and I was blocked again with a general error message.


      I discovered that if you use a subdomain, for example xxx.facebook.com, Facebook will allow this action,
      but if you try to access folders/files on x.facebook.com (x.facebook.com/xx/x.php), Facebook blocks you.
      Then I noticed that facebook.com uses a hash sign and ! in its URLs (x.facebook.com/#!/xxxx).
      I tried to do this in the next parameter (next=x.facebook.com/%23!/), and Facebook blocked me again!
      Then I tried putting "something" between the hash sign and the ! (%23x!), and Facebook did not block this action.
      It looks like there is a regex protection. Great!

      But wait!

      If we put something like this (https://beta.facebook.com/#xxx!/messages/), the action will not be treated the same as #! on our client, and it will not redirect us to the messages screen.
      I thought I had to find a way around it, so I started fuzzing characters between the # and the ! so that I could make any browser (IE, Chrome, Safari, Firefox...) treat it as #!.

      Now it's fuzzing time!

      Result:

      %23~! (works in all browsers)
      %23%09! (works in all browsers)

      Great! This trick works on touch.facebook.com/#%09!/, m.facebook.com/#~!/, or any other Facebook mobile or touch domain.

      So now I can redirect the victim to any file/directory on any Facebook subdomain.
      Then I created a Facebook application that will redirect the victim to an external website in order to send the victim's access_token to my external "malicious" website.

      For example (Zynga Texas Holdem OAuth Bypass):

      https://www.facebook...onse_type=token

      The next parameter will redirect to my Facebook application (touch.facebook.com/apps/testestestte),
      and my Facebook application will redirect to the files.nirgoldshlager.com domain and save the victim's access_token in a log file (files.nirgoldshlager.com/log.txt).

      Amazing! Now I can steal access tokens from any Facebook application.

      Wait!!


      HERE COMES THE REAL ACTION:

      To carry out a successful attack, the victim needs to use a Facebook application (Texas Holdem Poker, Diamond
      And these applications only have basic permissions. We can always change the application's permission scope and set a new permission, but this method is not powerful, since the victim has to accept the application's new permissions (https://www.facebook...s read_requests).

      I wanted something more powerful!

      Something that would give me all permissions (read inbox, outbox, manage pages, manage ads, access private photos, videos, etc.) on the victim's account without any application installed on the victim, and make Facebook do the Goldshake.

      So I started thinking:
      How can this be done?
      What if I use a different app_id? The Facebook Messenger app_id, for example.
      Does the user need to accept the Facebook Messenger application on their Facebook account?

      The answer is no.
      There are applications built into Facebook that users never have to accept, and this application has full control over their account.
      I also found that this access_token never expired on Facebook Messenger.


      Only after the victim changes their password will the access_token expire, but why on earth would the user change their password?

      PoC (works in all browsers, no application needs to be installed on the victim's account):

      https://www.facebook...onse_type=token

      Facebook Security fixed this bug.

      Full permission description for the Facebook Messenger application:

      ads_management create_event create_note email export_stream manage_friendlists manage_groups manage_notifications manage_pages offline_access photo_upload publish_actions publish_checkins publish_stream read_friendlists read_insights read_mailbox read_page_mailboxes read_requests read_stream rsvp_event share_item sms status_update video_upload xmpp_login 

      It also works on accounts with 2-step verification; when it comes to the access_token, 2-step verification will fail.

      And???

      Video Tutorial

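The core weakness in the post is a redirect-target check built from a domain suffix match plus a blocklist on the literal `#!` marker, which browsers defeat with `#~!` or `#%09!`. The following is an added example written for this page (not code from the post, from Facebook, or from the original researcher) that puts that style of check beside the exact-match validation the OAuth 2.0 specification expects: RFC 6749 section 3.1.2 forbids a fragment in the redirect URI, and the OAuth 2.0 Security Best Current Practice calls for exact string comparison against pre-registered URIs. The app domain, the registered callback and the sample URIs are constructed assumptions, shaped like the bypass strings the post lists.

```python
"""Contrast a blocklist-style redirect_uri check with exact-match validation."""
from urllib.parse import urlsplit, urlunsplit

# Constructed sample: the single redirect URI this hypothetical app registered.
REGISTERED_REDIRECT_URIS = {"https://app.example.com/oauth/callback"}
APP_DOMAIN = "app.example.com"  # hypothetical domain used by the weak check


def weak_redirect_check(candidate: str, allowed_domain: str = APP_DOMAIN) -> bool:
    """Accept any subdomain of the app's domain and blocklist the literal '#!'.

    This models the kind of check the post describes failing: the browser
    treats '#~!' or '#%09!' like '#!', but a blocklist on the raw string does
    not, so the fragment trick passes straight through.
    """
    host = (urlsplit(candidate).hostname or "").lower()
    on_domain = host == allowed_domain or host.endswith("." + allowed_domain)
    return on_domain and "#!" not in candidate


def strict_redirect_check(candidate: str,
                          registered: set = REGISTERED_REDIRECT_URIS) -> bool:
    """Exact-match validation: https only, no fragment, no userinfo, and the
    normalised URI must equal one of the registered strings.

    There is no prefix, subdomain or pattern matching, so there is nothing
    for a character trick in the fragment or path to slip past.
    """
    parts = urlsplit(candidate)
    if parts.scheme != "https":
        return False
    if parts.fragment or "#" in candidate:  # RFC 6749 3.1.2: no fragment component
        return False
    if "@" in parts.netloc:  # reject https://app.example.com@other.example/ shapes
        return False
    normalised = urlunsplit((parts.scheme, parts.netloc.lower(),
                             parts.path, parts.query, ""))
    return normalised in registered


# Constructed inputs modelled on the shapes the post mentions.
SAMPLES = [
    "https://app.example.com/oauth/callback",     # legitimate, registered
    "https://sub.app.example.com/#~!/messages/",  # '#~!' fragment trick
    "https://app.example.com/#%09!/anything",     # '#%09!' (tab) fragment trick
    "https://app.example.com/#!/messages/",       # literal marker the blocklist catches
    "http://app.example.com/oauth/callback",      # scheme downgrade
]


def compare(candidates=SAMPLES):
    """Return {uri: (weak_result, strict_result)} for each candidate."""
    return {c: (weak_redirect_check(c), strict_redirect_check(c)) for c in candidates}


if __name__ == "__main__":
    for uri, (weak, strict) in compare().items():
        print(f"{uri:45} weak={weak!s:5} strict={strict}")
```

Running the block shows the two fragment variants accepted by the weak check and rejected by the strict one; the only input both accept is the registered callback itself. The design point is that validation should compare a parsed, normalised URI against an allowlist of complete registered strings rather than search the raw string for known-bad patterns, because the browser's fragment handling, not the server's regex, decides what the client eventually navigates to.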
