Agnus Dei (jackal) wrote,

How to bypass Facebook's Multifactor Authentication (MFA).

PREFACE:

Before going into how to bypass Facebook's Multifactor Authentication, I just need to point out I did contact and report this issue to Facebook via their "Bug Bounty" program. The security administrators at Facebook reviewed it and said this was not an exploit, and things were functioning "as expected."

That said, I'm free to move forward with writing up what I found.

CONTEXT:

Facebook has, IMHO, implemented MFA incorrectly. They set it up so you can enable MFA via a third-party application on your phone, like Google's "Google Authenticator."

They've implemented it on a per "Trusted Browser" basis, which leads Facebook users into a false sense of security. The idea is that if someone were to steal your password, they would not be able to access your account from another location (a non-trusted browser), because it would prompt them for your MFA Token, and only you can generate that via the Google Authenticator app on your phone.

THE PROBLEM:

The problem is they are misleading their users. They are not really allowing it on a "Trusted Browser" basis, and location is not even a factor in determining whether or not to prompt the user for an MFA Token.

What they are calling a "Trusted Browser" is really a cookie file. So if someone steals the cookie file, they can log into your account as you and steal personal information (private posts) from any location (like a hacker would do), and even though you've enabled MFA on your account, the hacker would never be prompted for an MFA Token.

That's why I reported it.

THE EXAMPLE/HOW-TO:

1- First you'll need to log into Facebook and have a valid session ID saved in your cookie file. For this example, we'll use Firefox as our browser.

2- Then, once you've logged in with Firefox, we steal the cookies. For this example, just export the cookie file. I wrote a script a while back that does this: get_cookie_file.sh.

3- Once you have the cookie file, you can access and pull information from the account from anywhere, and at no point will you be prompted for an MFA Token.

Here's an example (username replaced with "username" because it's not relevant to the example):


Notice in this example that I'm using curl as my client, which is NOT in my "Trusted Browser" list, to send the cookie.txt file to m.facebook.com and pull my PRIVATE "ONLY ME" Facebook posts for timestart=1259654400 until timeend=1262332799, which is in EPOCH TIME for a start time of "Tue, 01 Dec 2009 08:00:00 GMT" until an end time of "Fri, 01 Jan 2010 07:59:59 GMT."

Notice how at no time did it prompt me for my MFA Token.
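As an added illustration from the defender's side (this is not code from the post, and it has nothing to do with Facebook's actual implementation), here is the server-side check the complaint above implies is missing: remember which client established a session cookie, and when the same cookie shows up from a different client, flag it and re-prompt for the MFA Token instead of treating the cookie alone as a "Trusted Browser." The log records, session values, addresses and paths are all constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

@dataclass
class Request:
    """One access-log record (constructed for this example)."""
    ts: int            # epoch seconds
    session: str       # value of the session cookie (placeholder, not a real cookie)
    ip: str
    user_agent: str
    path: str

# Constructed sample log. The first two rows are the Firefox login that created the
# session; the third is the same cookie value replayed from curl at another address,
# which is the scenario described in the post.
SAMPLE_LOG: List[Request] = [
    Request(1262332000, "sess-abc123", "198.51.100.7", "Mozilla/5.0 (X11; Linux) Firefox/3.5", "/login"),
    Request(1262332010, "sess-abc123", "198.51.100.7", "Mozilla/5.0 (X11; Linux) Firefox/3.5", "/home"),
    Request(1262332600, "sess-abc123", "203.0.113.42", "curl/7.19.7",
            "/posts?timestart=1259654400&timeend=1262332799"),
    Request(1262332700, "sess-def456", "192.0.2.9", "Mozilla/5.0 (Windows) Firefox/3.5", "/login"),
]

def find_session_reuse(log: List[Request]) -> List[Tuple[str, str, Request]]:
    """Replay the log in time order, remember the (ip, user_agent) pair that first
    used each session cookie, and report every later request that presents the same
    cookie from a different client. Each finding is (session, reason, request)."""
    first_seen: Dict[str, Tuple[str, str]] = {}
    findings: List[Tuple[str, str, Request]] = []
    for r in sorted(log, key=lambda x: x.ts):
        if r.session not in first_seen:
            first_seen[r.session] = (r.ip, r.user_agent)
            continue
        orig_ip, orig_ua = first_seen[r.session]
        reasons = []
        if r.user_agent != orig_ua:
            reasons.append(f"user-agent changed: {orig_ua!r} -> {r.user_agent!r}")
        if r.ip != orig_ip:
            reasons.append(f"ip changed: {orig_ip} -> {r.ip}")
        if reasons:
            findings.append((r.session, "; ".join(reasons), r))
    return findings

def requires_step_up(r: Request, first_seen_fp: Tuple[str, str]) -> bool:
    """Inline policy: a cookie presented from a client other than the one that
    established it gets the MFA prompt again. A fingerprint can be forged, so this
    is a trigger for re-verification, not proof of theft."""
    return (r.ip, r.user_agent) != first_seen_fp
```

Run over the sample log, this flags only the curl request on sess-abc123 (both the user-agent and the address differ from the Firefox login), which is the request the post shows succeeding without any prompt.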