Good afternoon, everyone. Today's next talk is "How to obtain 100 Facebook accounts per day through internet searches", and the speakers will be Guillermo and Yael, right? Both of them are pen testers and security researchers, and they will be sharing their experience with you. Thank you. Over to you, Bay.

Thank you. Hello everybody. Thanks for coming. I'm Guillermo and this is Yael, and we are presenting how to obtain 100 Facebook accounts per day through internet searches. This is our disclaimer and this is the agenda.

Hello. Hey. Well, in this talk we will talk about a vulnerability we found last year within the Facebook platform, specifically the mobile Facebook application, and we will talk about how we discovered it, how we reported it, and how we got rewarded for it. So we'll talk about the remediation Facebook implemented and possible next steps to test another vulnerable application.

Okay. This is about us. We are members of the Lloyd's our security team in Mexico City, both as penetration testers, and this is our first serious research. We love security, learning interesting things and breaking things for fun. So we are into bug bounties and participate in CTFs as a hobby.

First of all, you're using... Okay. First of all, the issue was found in the Instant Articles functionality. Back in 2016, Facebook implemented this functionality where you can view content directly within the Facebook application without opening the content in another browser. For instance, you can view this content, share it, copy it and whatever. With this functionality, we found a set of high active vulnerability and we reported it to Facebook through its bug bounty program.

Okay. And how it works. We detected a vulnerability when sharing links from the Facebook mobile application. This vulnerability is caused by a lack of proper validation in one-tap login.
When a short URL is created from a Facebook Instant Article, you can see in this image how some person shared a link on Facebook. It was observed that some links are shared with a session key and an API key, which allows a third party to steal a session when opening the link in a browser, since the browser initiates a session as the user that initially shared the link.

The proof of concept we performed was more or less what Guillermo has already explained. The process is as follows. A legitimate user using his mobile Facebook application is searching content, he observes something that he likes and he opens the... Instant Article. He clicks on the options button. He can then copy the link, share it, open it in the browser and whatever. But suppose this user shares the link through any content media or any message, for instance, WhatsApp this time. A malicious user can open this link in another phone, for instance, or another computer, and the browser immediately initiates a session as the first user that initially shared the link. This happens because of the one-tap login functionality from Facebook, and the problem was that when the Instant Article creates the short link to share the media, it contains a valid session from the first user. So just by clicking in the browser, the malicious user can access the account of the first user.

Okay. And how to exploit this vulnerability en masse? It was not easy to test this issue when we identified the vulnerability, because it's not always present when sharing the link from the Facebook mobile application. However, we already knew how the short link is constructed and its content. So if you see, this is the structure of our vulnerable link. You can see the API key and session key. So the solution, it was the Internet. It was possible to replicate this issue several times with a lot of Facebook accounts on the web.
First, by searching in Google, it was possible to observe that it's quite common to share links on the Internet that can be used to obtain a valid session from Facebook accounts. This is an exact search in Google. You can see a lot of links, but we had a problem with this. Work five, some links past six months, but other links were too old. So we needed some recent stuff, and therefore we used a real-time search on Twitter. When we used the real-time Twitter index and searches, we obtained a lot of valid links. Around 100 valid links per day.

The problem with this kind of links is that they do not always work. They have an expiration issue. So we need to look for them in kind of real time through searches, this time using Twitter. But not all of the links were valid for the session. However, we found a lot, really a lot of links that were actually valid. And this kind of links includes all kinds of people, from users to politicians even.

Okay, and now a couple of videos of this vulnerability. First, we see how to search for our vulnerable links. We use Twitter in order to get these links that were shared like within one to two days tops. And even those links were not always valid. However, you can find them like a lot within the application. So we use Twitter to look for these kinds of URLs. In this moment, always searching in Twitter. Only the structure facebook.com/out.php. And we found a lot of links with this structure. The first link, for instance, was not valid. He didn't open one of the links session. And even without the content. But this one was not valid. So by clicking OK, we could have the content of this person.

In the next video, we see how to obtain a valid session with these links. Here is the proof of concept. When we perfect a user, we can look for these kinds of URLs with his content media. Can be Twitter, Facebook, through Google searches, and wherever. We found the link that has this kind of structure. This user compare, share a link, a valid link.
But in this moment, I delete my cache in my browser. And then I open the link again. We obtain one-tap login, and then we obtain a valid session for that user. The valid session is loaded already in the browser, so it just takes to the page group.

Which mobile browser are you using? Chrome. Chrome? Yeah. Do you have any other browsers? Yeah. In addition, in the computer, you see Firefox and Chrome. Just those two? Yeah. No other browser? Safari. We tested in Safari, but we didn't click in OK. Desktop? Desktop. Desktop works. Yeah. They work with both? Yeah. Actually, it doesn't matter what browser or the platform. Basically, the configuration of the device can make a difference in that process. Yeah. It's OK. It's OK. Sorry. It's really short. Thank you.

So how do you use the device? Yep. And this moment is for their user, a user on the world. Yeah, exactly. Some content media included in the Instant Article creates this kind of... This is my problem. Even the session key is not generated in a certain way that you can't report, for instance. It's more a problem with the API of Facebook creating these short links. Some of these content media created this with the, with our session. So. Yeah, yeah, it's on the same.

And this is the part of how Facebook remediated this vulnerability. Facebook didn't mitigate this vulnerability in the URL shortener. Instead, they have mitigated the vulnerability present in one-tap login. A redirection in the URL with the vulnerability was implemented. facebook.com/out.php. So that it is no longer possible to steal a valid session from them. This is a video of how Facebook mitigates this vulnerability. In this moment, if you search for these vulnerable links, you can see many of them, but if you open these links, a redirection mitigates it and you pass the one-tap login.
But if you search in this moment for facebook.com/out.php, you can find a lot of links, because they are still being generated the same way.

Okay, the remediation was to implement the redirection. So when you click on it, you are redirected directly to the content media instead of the one-time value, you know? Yeah, some of them have a special value. We will see in the next slide.

So what's next? Those are the next steps. We have found that this content is still shared within some values that can be hacked. This time we found this kind of URL with an SSO request field. However, this kind of URL was not that easy to test because it has an expiration time that is really, really short. So within real-time searches, for instance, it was not the same to test it because some, like a lot of them, are already expired. Our solution could be an automatic tool in order to look for this kind of links in real time and test it immediately.

We have a video showing a new vulnerability and how we can abuse it in order to get a valid session from a user. It's just the same way as previously. In this first video, you can see how to search for these other tokens. And this kind of links are shared massively. The problem with this is when you open these links, the session was expired in all of them. But we have a video with a valid session from that link. This is how we could exploit SSO requests in my account. First we check if it has another session from Facebook. The session was in the browser. You can see the structure of the URL. It has a very long hash value. In this moment you have a valid session. The problem with these links is if you replay the link, the link was expired. You try to replicate this issue like immediately with the same URL. It didn't work. This is the problem with this vulnerability. However, there it is. The problem here is that the API is still generating this kind of URLs with private fields, with content that it shouldn't have.
So even though Facebook has implemented these redirections, it's not the solution to the real problem. So they are still in there. Thank you.