Unauthorized Access to Facebook Global Business Solutions Email Preferences

The Facebook logo is pictured at the Facebook headquarters in Menlo Park

Hello guys,

Today I will share my experience with Facebook with you. It is about opening the "Facebook Global Business Solutions Email Preferences" of any user of Facebook's online services.


First I have to activate these settings by signing up for any Facebook newsletter with my email address "diaa.diab.2012@gmail.com"; for example, I will use the form on "atlassolutions.com".


Now I am on the 'Facebook Global Business Solutions Email Preferences' page, where I can opt in to receive newsletters about the following:

  • Weekly News for Businesses.
  • Facebook News.
  • Facebook Regional Small Enterprise News.
  • News for Preferred Marketing Developers.
  • Facebook IQ.
  • Facebook News for Verticals.
  • Atlas Newsletter.
  • Audience Network.

I had already started using the Business Solutions email services on Facebook and received emails like this.


At the bottom of these emails I found the link to unsubscribe me from receiving such emails.


By opening the link "www.facebook.com/business/unsubscribe/?eid=8a0f32986a7ba7b635ffaea220d04ebb&cid=775114969220192" I landed on the next page.


You can see the "Preference Center" link on the page; by clicking on it I landed on all the settings related to 'Facebook Global Business Solutions Email Preferences' for the "diaa.diab.2012@gmail.com" email:

“www.facebook.com/business/subscriptions/?eid=8a0f32986a7ba7b635ffaea220d04ebb”


Now I have retrieved the settings of the "diaa.diab.2012@gmail.com" user with just one parameter, "eid". This means that if I can work out how Facebook builds this value, "8a0f32986a7ba7b635ffaea220d04ebb", I can do the same for other emails.

The value is 32 hex characters, so it looks like an MD5 digest (not confirmed yet). Let's try to break the hash and see whether we can. The question is how the backend developer built it:

  • Random value => md5(value)
  • Value from user => md5(value)
  • Value from user + salt => md5(value + salt)

In some of these cases (a random value, or an unknown salt) we will not be able to break the hash, but I tried anyway by brute-forcing it with the common strings I use on all websites, using the next simple Python script.


#!/usr/bin/env python3
# Try each candidate string against the eid value and report a match.

import hashlib
import sys


def main():
    if len(sys.argv) < 2:
        print("[ + ] Usage: %s <hash>" % sys.argv[0])
        sys.exit(0)

    # Candidate plaintexts: names, handles and email addresses I use on websites.
    commonStrings = [
        "Diaa",
        "Diab",
        "Mohammad",
        "test",
        "7amama",
        "sos",
        "lolo",
        "hacked",
        "try",
        "a_diaa_2007@yahoo.com",
        "secgeek",
        "lnxg33k",
        "diaa.diab.2012@gmail.com",
        "dia2diab@yandex.com",
        "dia2diab@yahoo.com"
        ]

    # hexdigest() is lowercase, so normalise the supplied hash before comparing.
    target = sys.argv[1].lower()
    for i in commonStrings:
        # hashlib works on bytes, not str, in Python 3.
        if hashlib.md5(i.encode("utf-8")).hexdigest() == target:
            print("[ + ] OK i got it.")
            print("[ + ] The hash value [ %s ] is the md5 of [ %s ]." % (target, i))
            sys.exit(0)
    print("[ ! ] The hash not found on your own list.")


if __name__ == "__main__":
    main()

And here was the surprise for me.

The script showed that Facebook retrieves your settings using the MD5 hash of your email address:

md5(“diaa.diab.2012@gmail.com”) == 8a0f32986a7ba7b635ffaea220d04ebb

So we can retrieve the settings of any other user with the following form:

https://www.facebook.com/business/subscriptions/?eid=%md5_of_victim_email_address%
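The following is an added example, not code from the original post and not Facebook's own implementation. It puts the two sides of the issue next to each other: the attack side reconstructs the identifier exactly as the post observed it (eid = unsalted md5 of the email, which is guessable by anyone who knows the address, covering the "value from user => md5(value)" case from the list above) and builds the subscriptions URL for an arbitrary address; the defence side shows two assumed designs that close the hole, a keyed HMAC identifier that cannot be computed without a server secret, and an opaque random token stored server-side. The function names, SERVER_KEY and the in-memory token store are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SUBSCRIPTIONS_URL = "https://www.facebook.com/business/subscriptions/?eid="


# --- Attack side: what the post found -------------------------------------

def vulnerable_eid(email: str) -> str:
    """eid = md5(email). No secret is involved, so anyone who knows the
    address can compute the identifier (the post reports this is how the
    eid for diaa.diab.2012@gmail.com was built)."""
    return hashlib.md5(email.encode("utf-8")).hexdigest()


def attack_url(email: str) -> str:
    """Preference-center URL for an arbitrary victim address."""
    return SUBSCRIPTIONS_URL + vulnerable_eid(email)


# --- Defence 1: keyed identifier (assumed design, not Facebook's) ----------

SERVER_KEY = secrets.token_bytes(32)  # hypothetical secret known only to the server


def keyed_eid(email: str, key: bytes = SERVER_KEY) -> str:
    """HMAC-SHA256(key, normalised email). Without the key an attacker who
    knows the address cannot derive the identifier. The server stores this
    value as the subscriber's lookup key instead of md5(email)."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def verify_keyed_eid(email: str, eid: str, key: bytes = SERVER_KEY) -> bool:
    """Constant-time comparison; rejects guessed values such as md5(email)."""
    return hmac.compare_digest(keyed_eid(email, key), eid)


# --- Defence 2: opaque random token (assumed design) -----------------------

# token -> email; an in-memory stand-in for a database table.
_token_store = {}


def issue_token(email: str) -> str:
    """Mint an unguessable per-subscriber token for the unsubscribe link.
    Nothing about it can be derived from the address."""
    token = secrets.token_urlsafe(32)
    _token_store[token] = email
    return token


def resolve_token(token: str):
    """Look the token up; unknown tokens resolve to None rather than leaking
    whether an address is subscribed."""
    return _token_store.get(token)


if __name__ == "__main__":
    victim = "victim@example.com"  # constructed sample input
    print("attack URL:", attack_url(victim))
    print("keyed eid: ", keyed_eid(victim))
    print("md5 guess accepted by keyed check?",
          verify_keyed_eid(victim, vulnerable_eid(victim)))
    t = issue_token(victim)
    print("token resolves to:", resolve_token(t))
```

The point of the keyed variant is that the eid is still deterministic per address (the server can re-derive it when it wants to look a subscriber up), but an outsider cannot; the random-token variant drops determinism entirely and only the stored mapping can resolve a link.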

Thank You

Diaa

6 comments on "Unauthorized Access to Facebook Global Business Solutions Email Preferences"

  1. hello bro
    I want to ask some questions if you have time to answer them. Can you recommend some resources to gain more information about web security?
    Do I need Python and low-level languages to do better in this field?
    Some resources that discuss RCE and server-side bugs?
    How can someone begin to participate in CTF?
    thanks

