2025-03-11 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)05/31 Report--
This article explains the cause of a cross-site WebSocket hijacking vulnerability that led to Facebook account hijacking. The content is meant to be clear and easy to follow, and I hope it helps resolve your doubts. Let me take you through the article "What is the reason cross-site WebSocket hijacking vulnerabilities lead to Facebook account hijacking".
While testing a newly launched Facebook application (which cannot be named here for confidentiality reasons), I found a cross-site WebSocket hijacking vulnerability that allows an attacker to hijack the WebSocket connection of a user of the new application and then send crafted WebSocket messages to take over the target victim's Facebook account.
Because the newly launched Facebook application is still in the testing stage and only a small number of invited security researchers can access and test it, the application's name is hidden in the vulnerability write-up below, and the relevant exploit code is not provided for the time being.
Cause of the vulnerability
The newly launched Facebook application is hosted under a facebook.com subdomain and allows local IP addresses (such as 0.0.0.1Comp8 or 192.168.1.1p8) as the Origin host header. The application uses a nonce-based login: a random nonce is generated on the login page and then sent for verification in a subsequent WebSocket message, and that nonce is what establishes a valid WebSocket session, so user authentication does not rely on cookies.
But while testing another bug in the authorization mechanism, I noticed a change. According to the earlier analysis, the authorization mechanism should also verify logins with the nonce, but here the user's global Facebook cookie is used to authenticate the user instead.
The following shows a successful WebSocket connection whose Origin host header was set to a local IP address:
To sum up: because the Origin check only requires a local IP address, an attacker on the same local network segment as the victim can set up a malicious WebSocket page and deliver it to the victim through DNS spoofing or a peer-to-peer connection to hijack the victim's Facebook account.
In addition, a malicious app installed on the victim's phone can start an unrestricted HTTP service and then send crafted malicious URLs as deep links to Facebook users at other IP addresses on the victim's network segment, scaling up the attack.
Reproducing the vulnerability
1. For better illustration, I visited REDACTED.facebook.com and saved the home page along with the JavaScript file that handles WebSocket communication. The WebSocket messages are encrypted and the JavaScript file is obfuscated and somewhat hard to follow; a slightly modified copy of it is used in the subsequent attack. I then started an HTTP service serving the modified JavaScript file.
2. Using the HTTP service started above, after I send a malicious link to a victim on the same network segment, the script establishes a WebSocket connection to the REDACTED.facebook.com server, and the user's cookie is then used for login authentication (because WebSocket connections are not restricted by SOP or CORS policies, this works from a local IP).
3. As a PoC, after visiting the malicious link containing the local IP, the victim sees that they have successfully logged in to their Facebook account, but the JavaScript file contains an attack payload: once the victim is logged in, it sends a specific WebSocket message that binds an email address or mobile phone number to the Facebook account, hijacking the victim's account. This attack works for app users on Android phones and has not been tested on iOS.
That is all for this article, "What is the cause of the Facebook account hijacking caused by cross-site WebSocket hijacking vulnerabilities?" Thank you for reading! I hope the content has been helpful; if you want to learn more, you are welcome to follow the industry information channel!