Facebook Special Token
On 16 Jan 2014 I found the token from the Facebook official application and the Facebook Messenger application. That token can access the emails and phones of your friends without asking them, depending on their privacy settings, and this token can also get the emails and phones of non-friend users if they have set them to public in their privacy settings (normally you can't see the email of a user who is not your friend). Ahh, this token can query your friends of friends. It's wonderful. I love this token.
For sure I reported this issue to the Facebook security team; this is one of their answers:
As https://www.facebook.com/help/359369650815737 notes, the privacy setting of an email address controls who is able to see the information outside of the context of Timeline. Shown on Timeline or Hidden from Timeline are known as visibility settings and only control what information is highlighted on your timeline. Can you demonstrate the ability to use this token to access email addresses which you shouldn't be able to based on privacy settings?
The tokens issued to the official applications have special permissions in order to allow them to function as efficiently as possible. Again, the application should not be able to return any information that it is not possible to access normally. Can you demonstrate a case where you are seeing the friend list for a friend where you could not otherwise see it?
Ok, let's see how this works.
1. You must have a mobile device with the Facebook application installed; in this case I use my Android.
2. We will capture the special token with the software mitmproxy (http://mitmproxy.org/). This software fakes the certificate so that you can read HTTPS traffic. Please see this blog post for how mitmproxy works and how to use it: http://blog.philippheckel.com/2013/07/01/how-to-use-mitmproxy-to-read-and-modify-https-traffic-of-your-phone/
3. After you have learned from the blog post above, you will get the special token when you open the Facebook application and log in.
[Screenshot: token captured from the Facebook Android Application]
[Screenshot: token captured from the Facebook Messenger Application]
4. You can check the token here (wow, it never expires).
SELECT uid, name, email, phones FROM user WHERE uid IN (SELECT uid2 FROM friend WHERE uid1=FACEBOOK_ID)
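The review step a defender does after proxying an app, as an added example that is not part of the original post: scan the captured requests for access tokens, classify how exposed each one is (query string versus header, HTTPS versus plain HTTP) and log only a redacted form. The requests, hosts and token values below are constructed placeholders, not real traffic.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Query parameters that commonly carry API credentials (assumed list).
TOKEN_PARAMS = {"access_token", "oauth_token", "token"}
BEARER_RE = re.compile(r"^\s*Bearer\s+(\S+)", re.IGNORECASE)

# Constructed sample of (method, url, headers) as a proxy might record them.
CAPTURED = [
    ("GET", "https://graph.api.example/fql?q=SELECT+uid+FROM+user"
            "&access_token=EXAMPLE_TOKEN_abcdef0123456789ABCDEF", {}),
    ("GET", "https://api.example/me",
            {"Authorization": "Bearer EXAMPLE_BEARER_9876543210zyxw"}),
    ("GET", "http://legacy.example/ping?access_token=EXAMPLE_PLAINTEXT_0011", {}),
    ("POST", "https://www.example/login", {"Content-Type": "application/json"}),
]

def redact(token):
    """Keep only a 4-character prefix so findings can be logged without replay risk."""
    return token[:4] + "...(" + str(len(token)) + " chars)"

def find_tokens(url, headers):
    """Return one finding per token seen in the query string or Authorization header."""
    parts = urlsplit(url)
    plaintext = parts.scheme != "https"
    findings = []
    for name, values in parse_qs(parts.query).items():
        if name.lower() in TOKEN_PARAMS:
            for value in values:
                # Query strings end up in server logs, proxy logs and Referer headers,
                # so a token here is exposed even when the transport is encrypted.
                findings.append({"host": parts.hostname, "where": "query:" + name,
                                 "token": redact(value),
                                 "severity": "critical" if plaintext else "high"})
    for header, value in headers.items():
        match = BEARER_RE.match(value) if header.lower() == "authorization" else None
        if match:
            findings.append({"host": parts.hostname, "where": "header:Authorization",
                             "token": redact(match.group(1)),
                             "severity": "critical" if plaintext else "medium"})
    return findings

def audit(captured):
    """Run find_tokens over every captured request and collect the findings."""
    out = []
    for _method, url, headers in captured:
        out.extend(find_tokens(url, headers))
    return out

if __name__ == "__main__":
    for finding in audit(CAPTURED):
        print(finding)
```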