one link facebook (anand pandey)


Upload: clubhack

Post on 26-May-2015


DESCRIPTION

ClubHack 2011 Hacking and Security Conference. Talk: One Link Facebook. Speaker: Anand Pandey

TRANSCRIPT

Page 1: One link Facebook (Anand Pandey)

One Link

Access the account without restriction with just one link

Anand K. Pandey

[email protected]

Page 2: One link Facebook (Anand Pandey)

Facebook

• Social networking website

• Founded in February 2004 by Mark Zuckerberg

• Used to interact with friends and colleagues and to make new friends

Page 3: One link Facebook (Anand Pandey)

Facebook

• Gets 10 billion hits per day

• Second most visited site

• More than 800 million active users

• More than 250 million photos are uploaded daily

• More than 900 million objects that people interact with

Page 4: One link Facebook (Anand Pandey)

[Chart: Number of active users, 2007 to 2011. Y-axis: Number of users (in million), ticks 0 to 800. Bar values as extracted, in year order: 50, 100, 350, 500, 750]

Page 5: One link Facebook (Anand Pandey)

20 Minutes of Facebook

[Chart: what happens in 20 minutes on Facebook. Categories: Link Shared, Event Invites, Friend Request Accepted, Photos Uploaded, Message Sent, Tagged Photos, Status Update, Wall Posts, Comment Made. Values as extracted, in Indian digit grouping (the pairing of category to value did not survive extraction): 14,84,000; 10,00,000; 27,16,000; 15,87,000; 1,02,08,000; 27,16,000; 19,72,000; 18,51,000; 13,23,000]

Page 6: One link Facebook (Anand Pandey)

Facebook in News

• Massive hack/spam attack

• Facebook tracks users' activity

• Anonymous threatens Facebook

Page 7: One link Facebook (Anand Pandey)

Facebook Security

• Unique Username

• Password

Page 8: One link Facebook (Anand Pandey)

Facebook Security

• Check Point

Page 9: One link Facebook (Anand Pandey)

Facebook Security

• Geo Location Restriction

Page 10: One link Facebook (Anand Pandey)

Facebook Security

• Login review

Page 11: One link Facebook (Anand Pandey)

Direct Link

• One single link

• Bypass all security points

• Username

• Password

• Check points

• Geo location restriction

Page 12: One link Facebook (Anand Pandey)

Direct Link

When someone

• Comments on your photo

• Comments on your link

• Tags you

• Comments after you

Page 13: One link Facebook (Anand Pandey)

Type 1

• Parameters

• pid – Photo id

• id – FB id of user who commented

• mlid – FB id of target user

• l (s52giOr8) – Secret key

http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx

Page 14: One link Facebook (Anand Pandey)

Type 2

• Parameters

• Share_id – FB id for sharing the link

• mlid – FB id of target user

• l (s59gpZr8) – Secret key

http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx

Page 15: One link Facebook (Anand Pandey)

Type 3

• URL Shortening

• Contains 14 random alphanumeric characters

• Used specifically for shortening the magic link sent via SMS when someone comments on your link

• Database of random FB accounts with magic link

http://fb.me/xxxxxxxxxxxxxx

Page 16: One link Facebook (Anand Pandey)

Type 4

• URL Shortening

• Contains "id" and "l"

• The series of "x" is the FB id of the user who commented on your photo

• The series of "y" is the secret key

• Used specifically for shortening the direct link sent via SMS when someone comments on your photo

http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy
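The four link shapes on the Type 1 to Type 4 slides share one property: the URL itself is the credential. The `l` query parameter, the `.yyyyyyyy` suffix on an fb.me/p/ link and the whole 14-character path of a plain fb.me link each stand in for the username, password and checkpoints, so any system that stores or forwards such a URL (proxy logs, ticketing tools, chat bots) is holding a bearer secret. The script below is an added example and not code from the talk: it recognises the four shapes using the host names and parameter names from the slides, replaces only the secret part before the line is stored, and runs over a handful of constructed proxy log lines. The `[REDACTED]` marker, the function names and every id and key value in the sample are assumptions made up for this example.

```python
"""Detect and redact Facebook-style direct links before they are logged or forwarded.

Added example, not part of the talk. Host names and parameter names follow the
Type 1-4 slides; the [REDACTED] marker, function names and all sample ids and
keys are constructed for this example.
"""
import re
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

REDACTED = "[REDACTED]"
URL_RE = re.compile(r"""https?://[^\s"'<>]+""")
# fb.me/p/<numeric FB id>.<secret key>        (Type 4 on the slides)
FBME_P_RE = re.compile(r"/p/(\d+)\.([A-Za-z0-9_-]+)")
# fb.me/<14 random alphanumeric characters>   (Type 3 on the slides)
FBME_SHORT_RE = re.compile(r"/[A-Za-z0-9]{14}")


def classify(url):
    """Return 'type1'..'type4' for the link shapes from the slides, else None."""
    parts = urlsplit(url)
    host = parts.netloc.lower()
    query = dict(parse_qsl(parts.query, keep_blank_values=True))
    if host == "m.facebook.com" and "l" in query:
        if parts.path == "/photo.php":
            return "type1"  # pid, id, mlid, l
        if parts.path == "/story.php":
            return "type2"  # share_id, mlid, l
    if host == "fb.me":
        if FBME_P_RE.fullmatch(parts.path):
            return "type4"
        if FBME_SHORT_RE.fullmatch(parts.path):
            return "type3"
    return None


def redact(url):
    """Return (redacted_url, kind); unrecognised URLs come back unchanged with kind None."""
    kind = classify(url)
    parts = urlsplit(url)
    if kind in ("type1", "type2"):
        # Only the bearer secret is replaced; pid/id/mlid are identifiers, not
        # secrets, and stay so the log line still says which objects were involved.
        pairs = [(k, REDACTED if k == "l" else v)
                 for k, v in parse_qsl(parts.query, keep_blank_values=True)]
        return urlunsplit(parts._replace(query=urlencode(pairs, safe="[]"))), kind
    if kind == "type4":
        fb_id = FBME_P_RE.fullmatch(parts.path).group(1)
        return urlunsplit(parts._replace(path=f"/p/{fb_id}.{REDACTED}")), kind
    if kind == "type3":
        # The whole path is the secret; nothing identifying can be kept.
        return urlunsplit(parts._replace(path=f"/{REDACTED}")), kind
    return url, None


def redact_text(text):
    """Redact every recognised direct link inside free text; returns (new_text, hit_count)."""
    hits = 0

    def _sub(match):
        nonlocal hits
        new_url, kind = redact(match.group(0))
        if kind is not None:
            hits += 1
        return new_url

    return URL_RE.sub(_sub, text), hits


# Constructed proxy log lines; every id and key below is a dummy value.
SAMPLE_LOG = """\
2011-12-03 10:01:12 proxy GET http://m.facebook.com/photo.php?pid=123456&id=100001234567890&mlid=100009876543210&l=AAAAAAAA
2011-12-03 10:02:45 proxy GET http://m.facebook.com/story.php?share_id=987654321&mlid=100009876543210&l=BBBBBBBB
2011-12-03 10:03:01 proxy GET http://fb.me/p/100001234567890.CCCCCCCC
2011-12-03 10:03:30 proxy GET http://fb.me/AbCdEfGhIjKlMn
2011-12-03 10:04:00 proxy GET http://www.example.com/index.html?l=1
"""

if __name__ == "__main__":
    cleaned, count = redact_text(SAMPLE_LOG)
    print(f"{count} direct links redacted")
    print(cleaned)
```

The design choice worth noting is that the identifiers (`pid`, `id`, `mlid`, `share_id`) are kept while only the key is blanked: an investigator can still see which photo, story and account a request concerned, but the stored line no longer grants access to anyone who reads the log. For a Type 3 short link there is nothing to keep, because the random path is the only thing in the URL. The same treatment applies to any URL that carries a bearer token (password reset links, unsubscribe links, signed download URLs); the host and path checks here are simply the shapes this talk describes.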

Page 17: One link Facebook (Anand Pandey)

What you can do

• Brute-force or social engineer the direct URL

• Brute-force the shortened URL to hit random accounts with full access

• Remember the two most important parameters

• FB user ID (mlid)

• Secret key (l)

Page 18: One link Facebook (Anand Pandey)

Page 19: One link Facebook (Anand Pandey)

Email: [email protected]

Twitter: anand___pandey

Linkedin: http://in.linkedin.com/in/anandpandey1

Page 20: One link Facebook (Anand Pandey)