Race Conditions Exploit Granted Free Money On Web Services

[Josip] has been playing around with race conditions on web interfaces lately, finding vulnerabilities on both Facebook and Digital Ocean. A race condition can occur when a piece of software processes multiple threads using a shared resource.

For example, [Josip] discovered that he was able to manipulate page reviews using just a single Facebook account. Normally, a user is permitted to leave just one review for any given Facebook page. This prevents a single user from being able to skew the page’s overall ranking by making a bunch of positive or negative reviews. The trick to manipulating the system was to intercept the HTTP request that submitted the page review. The request was then replayed over and over in a very short amount of time.

Facebook’s servers ended up processing some of these requests simultaneously, essentially unaware that multiple requests had come in so close together. The result was that multiple reviews were submitted, artificially changing the pages overall ranking even though only one review actually showed up on the page for this user. The user can then delete their single review, and repeat this cycle over and over. It took Facebook approximately two months to fix this vulnerability, but in the end it was fixed and [Josip] received a nice bounty.

The Digital Ocean hack was essentially the exact same process. This time instead of hacking page reviews, [Josip] went after some free money. He found that he was able to submit the same promotional code multiple times, resulting in a hefty discount at checkout time. Digital Ocean wasted no time fixing this bug, repairing it within just ten days of the disclosure.

Facebook Photo Hack

Exposing Private Facebook Photos With A Malicious App

[Laxman] is back again with another hack related to Facebook photos. This hack revolves around the Facebook mobile application’s “sync photos” function. This feature automatically uploads every photo taken on your mobile device to your Facebook account. These photos are automatically marked as private so that only the user can see them. The user would have to manually update the privacy settings on each photo later in order to make them available to friends or the public.

[Laxman] wanted to put these privacy restrictions to the test, so he started poking around the Facebook mobile application. He found that the Facebook app would make an HTTP GET request to a specific URL in order to retrieve the synced photos. This request was performed using a top-level access token. The Facebook server checked this token before sending down the private images. It sounds secure, but [Laxman] found a fatal flaw.

The Facebook server only checked the owner of the token. It did not bother to check which Facebook application was making the request. As long as the app had the “user_photos” permission, it was able to pull down the private photos. This permission is required by many applications as it allows the apps to access the user’s public photos. This vulnerability could have allowed an attacker access to the victim’s private photos by building a malicious application and then tricking victims into installing the app.

At least, that could have been the case if Facebook wasn’t so good about fixing their vulnerabilities. [Laxman] disclosed his finding to Facebook. They had patched the vulnerability less than an hour after acknowledging the disclosure. They also found this vulnerability severe enough to warrant a $10,000 bounty payout to [Laxman]. This is in addition to the $12,500 [Laxman] received last month for a different Facebook photo-related vulnerability.

Facebook Bounty

Deleting Facebook Albums Without Permission

[Laxman] was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program which means if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for [Laxman] to find one worthy of a bounty.

The graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums. At least, it’s not supposed to be able too. [Laxman] decided to test this claim himself.

He started by sending a command to delete one of his own albums using a graph explorer access token. His request was denied. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. [Laxman] had another trick up his sleeve, though. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application.

He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. This actually worked, and resulted in his photo album being deleted. To take things a step further, [Laxman] sent the same requests, but changed the user’s ID to a victim account he had set up. The request was accepted and processed without a problem. This meant that [Laxman] could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that [Laxman] had permission to view the album in the first place.

Since [Laxman] is one of the good guys, he sent this bug in to the Facebook team. It took them less than a day to fix the issue and they rewarded [Laxman] $12,500 for his trouble. It’s always nice to be appreciated. The video below shows [Laxman] walking through how he pulled off this hack using Burp Suite. Continue reading “Deleting Facebook Albums Without Permission”

Second Life world thru Oculus Rift

Ask Hackaday: What Is The Future Of Virtual Reality?

Most of us have heard of Second Life – that antiquated online virtual reality platform of yesteryear where users could explore, create, and even sell content.  You might be surprised to learn that not only are they still around, but they’re also employing the Oculus Rift and completely redesigning their virtual world. With support of the DK2 Rift, the possibilities for a Second Life platform where users can share and explore each other’s creations opens up some interesting doors.

Envision a world where you could log on to a “virtual net”, put on your favorite VR headset and let your imagination run wild. You and some friends could make a city, a planet…and entire universe that you and thousands of others could explore. With a little bit of dreaming and an arduino, VR can bring dreams to life.

Continue reading “Ask Hackaday: What Is The Future Of Virtual Reality?”

Facebook Roommate Group

Using Facebook Ads To Prank Your Friends

Most tech savvy individuals are well aware of the vast amounts of data that social networking companies collect on us. Some take steps to avoid this data collection, others consider it a trade-off for using free tools to stay in touch with friends and family. Sometimes these ads can get a bit… creepy. Have you ever noticed an ad in the sidebar and thought to yourself, “I just searched for that…” It can be rather unsettling.

[Brian] was looking for ways to get back at his new roommate in retaliation of prank that was pulled at [Brian’s] expense. [Brian] is no novice to Internet marketing. One day, he realized that he could create a Facebook ad group with only one member. Playing off of his roommate’s natural paranoia, he decided to serve up some of the most eerily targeted Facebook ads ever seen.

Creating extremely targeted ads without giving away the prank is trickier than you might think. The ad can’t be targeted solely for one person. It needs to be targeted to something that seems like a legitimate niche market, albeit a strange one. [Brian’s] roommate happens to be a professional sword swallower (seriously). He also happens to ironically have a difficult time swallowing pills. naturally, [Brian] created an ad directed specifically towards that market.

Sword Swallowing Ad

The roommate thought this was a bit creepy, but mostly humorous. Slowly over the course of three weeks, [Brian] served more and more ads. Each one was more targeted than the last. He almost gave himself away at one point, but he managed to salvage the prank. Meanwhile, the roommate grew more and more paranoid. He started to think that perhaps Facebook was actually listening in on his phone calls. How else could they have received some of this information? As a happy coincidence, all of this happened at the same time as the [Edward Snowden] leaks. Not only was the roommate now concerned about Facebook’s snooping, but he also had the NSA to worry about.

Eventually, [Brian] turned himself in using another custom Facebook ad as the reveal. The jig was up and no permanent damage was done. You might be wondering how much it cost [Brian] for this elaborate prank? The total cost came to $1.70. Facebook has since changed their ad system so you can only target a minimum of 20 users. [Brian] provides an example of how you can get around the limitation, though. If you want to target a male friend, you can simply add 19 females to the group and then target only males within your group of 20 users. A pretty simple workaround

This prank brings up some interesting social questions. [Brian’s] roommate seemed to actually start believing that Facebook might be listening in on his personal calls for the purposes of better ad targeting. How many other people would believe the same thing? Is it really that far-fetched to think that these companies might move in this direction? If we found out they were already doing this type of snooping, would it really come as a shock to us?

Barduino, Now With Facebook Integration

Bar

We’ve seen BarBots that will automagically pour you a drink, but how about one with RFID? How about one with Facebook integration, so your friends know how much of a lush you are? Wait. Facebook already tells them that. Huh.

[Andy] and [Daniel]’s latest build follows on the heels of a lot of similar cocktail bots; an Arduino controls a few solenoid valves connected to a CO2 supply and a few bottles of liquor and mixers that allow drinks to be dispensed at the push of the button. Where this project gets interesting is its use of RFID and Facebook.

The user interface was coded for Windows 7, with an RFID tag (ostensibly issued to each guest) allowing a unique login that checks an SQL server to see what privileges the user has. The app pulls the user’s Facebook profile photo down and displays it in the corner of the screen, and with the server keeping track of how many drinks (and of what kind) they had, with the right permissions it should be possible to post that info to their wall. Because we all know what you did last night, even if you don’t.

Free Yourself From Social Media With Classical Conditioning

pavlov

While [Robert] and [Dan] should be working on their dissertation, they found they actually spend a whole lot of time whiling away their days on Facebook and other social media sites. Taking inspiration from a Skinner box, they rigged up their computer to shock them every time they surfed on over to Facebook.

Their build uses the UI inspector in OS X and a Python script to activate an Arduino connected to one of those trick ‘shocking chewing gum’ pranks. The contacts for this shocker are attached to a keyboard wrist rest, providing a wonderful tingling sensation whenever the guys surf on over to Facebook.

Because shocks just aren’t extreme enough, [Robert] and [Dan] took their build one step further by invoking the wrath of Mechanical Turk users. They wrote a Python script to look at their UI inspector and submit a job to Mechanical Turk whenever they logged on to Facebook. The result is a random person being paid $1.40 to yell at [Robert] or [Dan] over the phone for wasting time on Facebook.

Video below, and be sure to like this post on Facebook.

Continue reading “Free Yourself From Social Media With Classical Conditioning”