Exposing Private Facebook Photos With A Malicious App

March 20, 2015 by Rick Osgood 21 Comments

[Laxman] is back again with another hack related to Facebook photos. This hack revolves around the Facebook mobile application’s “sync photos” function. This feature automatically uploads every photo taken on your mobile device to your Facebook account. These photos are automatically marked as private so that only the user can see them. The user would have to manually update the privacy settings on each photo later in order to make them available to friends or the public.

[Laxman] wanted to put these privacy restrictions to the test, so he started poking around the Facebook mobile application. He found that the Facebook app would make an HTTP GET request to a specific URL in order to retrieve the synced photos. This request was performed using a top-level access token. The Facebook server checked this token before sending down the private images. It sounds secure, but [Laxman] found a fatal flaw.

The Facebook server only checked the owner of the token. It did not bother to check which Facebook application was making the request. As long as the app had the “user_photos” permission, it was able to pull down the private photos. This permission is required by many applications as it allows the apps to access the user’s public photos. This vulnerability could have allowed an attacker access to the victim’s private photos by building a malicious application and then tricking victims into installing the app.

At least, that could have been the case if Facebook wasn’t so good about fixing their vulnerabilities. [Laxman] disclosed his finding to Facebook. They had patched the vulnerability less than an hour after acknowledging the disclosure. They also found this vulnerability severe enough to warrant a $10,000 bounty payout to [Laxman]. This is in addition to the $12,500 [Laxman] received last month for a different Facebook photo-related vulnerability.

Deleting Facebook Albums Without Permission

February 15, 2015 by Rick Osgood 17 Comments

[Laxman] was poking around Facebook looking for security vulnerabilities. Facebook runs a bug bounty program which means if you can find a vulnerability that’s serious enough, it can earn you cold hard cash. It didn’t take much for [Laxman] to find one worthy of a bounty.

The graph API is the primary way for Facebook apps to read and write to the Facebook social graph. Many apps use this API, but there are limitations to what it can do. For example, the API is unable to delete users’ photo albums. At least, it’s not supposed to be able too. [Laxman] decided to test this claim himself.

He started by sending a command to delete one of his own albums using a graph explorer access token. His request was denied. The application didn’t have the correct permissions to be able to perform that action. It seemed that Facebook was correct and the API was unable to delete photos. [Laxman] had another trick up his sleeve, though. He noticed that the wording of the response suggested that other apps would have the ability to delete the albums, so he decided to check the Facebook mobile application.

He decided to send the same request with a different token. This time he used a token from the Facebook for Mobile application. This actually worked, and resulted in his photo album being deleted. To take things a step further, [Laxman] sent the same requests, but changed the user’s ID to a victim account he had set up. The request was accepted and processed without a problem. This meant that [Laxman] could effectively delete photo albums from any other user without that user’s consent. The vulnerability did require that [Laxman] had permission to view the album in the first place.

Since [Laxman] is one of the good guys, he sent this bug in to the Facebook team. It took them less than a day to fix the issue and they rewarded [Laxman] $12,500 for his trouble. It’s always nice to be appreciated. The video below shows [Laxman] walking through how he pulled off this hack using Burp Suite. Continue reading “Deleting Facebook Albums Without Permission” →

Ask Hackaday: What Is The Future Of Virtual Reality?

November 28, 2014 by Will Sweatman 32 Comments

Most of us have heard of Second Life – that antiquated online virtual reality platform of yesteryear where users could explore, create, and even sell content. You might be surprised to learn that not only are they still around, but they’re also employing the Oculus Rift and completely redesigning their virtual world. With support of the DK2 Rift, the possibilities for a Second Life platform where users can share and explore each other’s creations opens up some interesting doors.

Envision a world where you could log on to a “virtual net”, put on your favorite VR headset and let your imagination run wild. You and some friends could make a city, a planet…and entire universe that you and thousands of others could explore. With a little bit of dreaming ~~and an arduino~~, VR can bring dreams to life.

Continue reading “Ask Hackaday: What Is The Future Of Virtual Reality?” →

Using Facebook Ads To Prank Your Friends

September 19, 2014 by Rick Osgood 38 Comments

Most tech savvy individuals are well aware of the vast amounts of data that social networking companies collect on us. Some take steps to avoid this data collection, others consider it a trade-off for using free tools to stay in touch with friends and family. Sometimes these ads can get a bit… creepy. Have you ever noticed an ad in the sidebar and thought to yourself, “I just searched for that…” It can be rather unsettling.

[Brian] was looking for ways to get back at his new roommate in retaliation of prank that was pulled at [Brian’s] expense. [Brian] is no novice to Internet marketing. One day, he realized that he could create a Facebook ad group with only one member. Playing off of his roommate’s natural paranoia, he decided to serve up some of the most eerily targeted Facebook ads ever seen.

Creating extremely targeted ads without giving away the prank is trickier than you might think. The ad can’t be targeted solely for one person. It needs to be targeted to something that seems like a legitimate niche market, albeit a strange one. [Brian’s] roommate happens to be a professional sword swallower (seriously). He also happens to ironically have a difficult time swallowing pills. naturally, [Brian] created an ad directed specifically towards that market.

The roommate thought this was a bit creepy, but mostly humorous. Slowly over the course of three weeks, [Brian] served more and more ads. Each one was more targeted than the last. He almost gave himself away at one point, but he managed to salvage the prank. Meanwhile, the roommate grew more and more paranoid. He started to think that perhaps Facebook was actually listening in on his phone calls. How else could they have received some of this information? As a happy coincidence, all of this happened at the same time as the [Edward Snowden] leaks. Not only was the roommate now concerned about Facebook’s snooping, but he also had the NSA to worry about.

Eventually, [Brian] turned himself in using another custom Facebook ad as the reveal. The jig was up and no permanent damage was done. You might be wondering how much it cost [Brian] for this elaborate prank? The total cost came to $1.70. Facebook has since changed their ad system so you can only target a minimum of 20 users. [Brian] provides an example of how you can get around the limitation, though. If you want to target a male friend, you can simply add 19 females to the group and then target only males within your group of 20 users. A pretty simple workaround

This prank brings up some interesting social questions. [Brian’s] roommate seemed to actually start believing that Facebook might be listening in on his personal calls for the purposes of better ad targeting. How many other people would believe the same thing? Is it really that far-fetched to think that these companies might move in this direction? If we found out they were already doing this type of snooping, would it really come as a shock to us?

Barduino, Now With Facebook Integration

May 10, 2014 by Brian Benchoff 8 Comments

We’ve seen BarBots that will automagically pour you a drink, but how about one with RFID? How about one with Facebook integration, so your friends know how much of a lush you are? Wait. Facebook already tells them that. Huh.

[Andy] and [Daniel]’s latest build follows on the heels of a lot of similar cocktail bots; an Arduino controls a few solenoid valves connected to a CO2 supply and a few bottles of liquor and mixers that allow drinks to be dispensed at the push of the button. Where this project gets interesting is its use of RFID and Facebook.

The user interface was coded for Windows 7, with an RFID tag (ostensibly issued to each guest) allowing a unique login that checks an SQL server to see what privileges the user has. The app pulls the user’s Facebook profile photo down and displays it in the corner of the screen, and with the server keeping track of how many drinks (and of what kind) they had, with the right permissions it should be possible to post that info to their wall. Because we all know what you did last night, even if you don’t.

Free Yourself From Social Media With Classical Conditioning

August 22, 2013 by Brian Benchoff 19 Comments

While [Robert] and [Dan] should be working on their dissertation, they found they actually spend a whole lot of time whiling away their days on Facebook and other social media sites. Taking inspiration from a Skinner box, they rigged up their computer to shock them every time they surfed on over to Facebook.

Their build uses the UI inspector in OS X and a Python script to activate an Arduino connected to one of those trick ‘shocking chewing gum’ pranks. The contacts for this shocker are attached to a keyboard wrist rest, providing a wonderful tingling sensation whenever the guys surf on over to Facebook.

Because shocks just aren’t extreme enough, [Robert] and [Dan] took their build one step further by invoking the wrath of Mechanical Turk users. They wrote a Python script to look at their UI inspector and submit a job to Mechanical Turk whenever they logged on to Facebook. The result is a random person being paid $1.40 to yell at [Robert] or [Dan] over the phone for wasting time on Facebook.

Video below, and be sure to like this post on Facebook.

Continue reading “Free Yourself From Social Media With Classical Conditioning” →

Hacking Facebook To Remove The Social Value Facade

October 23, 2012 by Mike Szczys 20 Comments

We see [Ben Grosser’s] point that all the metrics found on the Facebook user interface make the experience somewhat of a game to see if you can better your high score. He thinks this detracts from the mission of having social interactions that themselves have a value. So he set out to remove the ‘scores’ from all Facebook pages with a project he calls the Facebook Demetricator.

You can see two UI blocks above. The upper offering is what a normal user will see. The lower is the page seen through the lens of the Demetricator. [Ben’s] feels it doesn’t matter how many people like something or share something, but only that you are genuinely interested in it. With the numbers removed you’re unlikely to follow the herd mentality of only clicking through to things that are liked by a huge number of people. He explains this himself in the clip after the break.

The Demetricator works much like the Reddit Enhancement Suite. It’s a browser add-on for Chrome, Firefox, and Safari that selectively strips out the metrics as the page renders.