Posts

Showing posts with the label hacking

Taking over Facebook Page Tabs

In this post, I'm describing how I was able to take over 4 tabs on Facebook's own Pages. 1. Facebook India Ambassadors I was browsing Facebook as usual and not in the mood to test anything. I then visited Facebook India's page to check whether there was any update from Facebook India, and that's when I noticed a page tab, Facebook India Ambassadors . I clicked on it to see Facebook India's Brand Ambassadors, and the tab showed a Heroku error page. I was surprised to see that there. It looked interesting to me, so I decided to dig further. I found out that the tab loads a third-party website in an iframe in the main section. The URL was  http://immense-atoll-4159.herokuapp.com/  and I visited the URL directly to verify that the subdomain didn't exist. Heroku shows a "does not exist" error page if the subdomain doesn't exist, which means the app name is free for anyone to register. So I logged into my Heroku account, created a new project and gave immense-atoll-4159  as the project id. Then I created a simple NodeJS Script for
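The takeover above works because a page embeds an iframe whose Heroku app name was deleted but never removed from the tab, so anyone who registers that name controls what the tab renders. The following is an added example, not code from the original post or from Facebook or Heroku: it extracts iframe targets from page-tab markup, keeps only hosts on a claimable suffix, and probes each app's root for Heroku's "no such app" page. The `.herokuapp.com` suffix, the `No such app` fingerprint, the hostnames and the responses are assumptions or constructed sample data; the fetcher is injected so the example runs offline.

```javascript
// Added example, not code from the original post: flag iframe targets on a page whose
// host can be re-registered by anyone (the dangling Heroku app described above).
// The Heroku error-page marker and all hostnames below are assumptions / constructed.

const IFRAME_SRC = /<iframe\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;

// Pull every iframe src out of an HTML document.
function extractIframeSrcs(html) {
  return Array.from(html.matchAll(IFRAME_SRC), m => m[1]);
}

// Hosting suffixes where a deleted app's name can be claimed by a new account.
// Assumption: Heroku only; extend for other providers you have verified yourself.
const CLAIMABLE_SUFFIXES = ['.herokuapp.com'];

function isClaimableHost(url) {
  try {
    const host = new URL(url).hostname.toLowerCase();
    return CLAIMABLE_SUFFIXES.some(suffix => host.endsWith(suffix));
  } catch (e) {
    return false; // unparsable src attribute, e.g. a relative path
  }
}

// Fingerprint of Heroku's "no such app" page. The exact wording is an assumption;
// check it against a live response before relying on it.
function looksUnclaimed(status, body) {
  return status === 404 && /no such app/i.test(body);
}

// fetcher(url) returns {status, body}. It is injected so the example runs offline;
// in practice wrap an HTTP client and rate-limit it.
function findTakeoverCandidates(html, fetcher) {
  const seen = new Set();
  const results = [];
  for (const src of extractIframeSrcs(html)) {
    if (!isClaimableHost(src)) continue;
    const origin = new URL(src).origin;
    if (seen.has(origin)) continue; // one probe per app, not per iframe
    seen.add(origin);
    const { status, body } = fetcher(origin + '/');
    results.push({ origin, status, unclaimed: looksUnclaimed(status, body) });
  }
  return results;
}

// Constructed page-tab markup: one live Heroku app, one dangling Heroku app,
// and one frame on a host that cannot be claimed.
const SAMPLE_HTML = `
<div class="tab">
  <iframe src="https://live-tab-0001.herokuapp.com/embed" width="810"></iframe>
  <iframe src='http://dangling-tab-4321.herokuapp.com/' width="810"></iframe>
  <iframe src="https://www.example.com/widget"></iframe>
</div>`;

// Constructed responses standing in for the network.
const FAKE_RESPONSES = {
  'https://live-tab-0001.herokuapp.com/': { status: 200, body: '<html>Ambassadors</html>' },
  'http://dangling-tab-4321.herokuapp.com/': {
    status: 404,
    body: '<html><body><h1>No such app</h1><p>There is nothing here, yet.</p></body></html>',
  },
};

function fakeFetcher(url) {
  return FAKE_RESPONSES[url] || { status: 0, body: '' };
}

console.log(findTakeoverCandidates(SAMPLE_HTML, fakeFetcher));
// Only dangling-tab-4321 is reported as unclaimed; live-tab-0001 is reported as claimed.
```

A 404 on the app root is the signal, not the iframe's full path: a live app can legitimately 404 on a stale path while the name is still owned, so the probe goes to the origin. Before registering anything, confirm the name is really free in the provider's dashboard and that you have authorization to claim it.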

Awww!!! It's *Public* Service Commission.....

In this post, I'd like to talk about multiple issues I found on a website owned by Kerala Public Service Commission . The issues here are an OTP bypass that leads to IDOR. For those who don't know what IDOR is, quoting from OWASP: " Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly ". The site URL is `https://mailer.psc.kerala.gov.in/KPSCAptitudeTest/home`, which is a temporary site they've opened for the Aptitude Exam for engineering students. How the site works Students can register for the aptitude exam by providing the following details: College ID card number, Mobile Number, Email, Name, Address, College Name, Desired Center Name and photographs of themselves, their signature and their ID card. Question: This is for engineering students. What am I doing there?

Bug in Facebook OAuth. Convert facebook test account to real account in instagram/ oculus

Facebook provides you the ability to create test accounts for white hat testing. You can create one by visiting the URL  facebook.com/whitehat/accounts . Facebook wants you to test for security issues using test accounts only; if you're unable to reproduce an issue with a test account, then it is okay to use a real account you own, or you have to get permission from the account owner. In addition, Facebook implemented certain limitations for test accounts. I got stuck on the last one: Can't convert to a real user account. Ok, let's try it. I tried for about a day in different ways, like using the fake email at the account recovery system and so on, but failed. I was like And then I thought that I might find a way by abusing the Facebook OAuth system with test accounts. I navigated to a few sites which allow login with Facebook. But when I tried to log in with Facebook, it showed an error. Oops!! Screwed again. Then I decided to stop there and went to bed because it was 3 AM at night.

Download Guarded Profile Picture From Facebook

Facebook recently introduced a feature called Profile Picture Guard. It prevents others from downloading your profile picture. If you want to know more about it, you can read about it here:  Profile Picture Guard | Facebook Help . When you turn on Profile Picture Guard, Facebook assures you that no one else can download your profile picture. Really??? 😆😆😆 Never!!! I worked on it for some time to see how I could bypass this restriction. I tried calculating the URL to the CDN, but it requires a signature to access the file. I tried viewing the image and changing its dimensions, and the result was negative. What's next? Think outside the box. I thought I should leave it and change my target first. Then I decided to test it from another account of mine to check whether there is a way to bypass it. I opened the profile picture and copied the URL. Then I opened an incognito window to log in to the other account. I went to the URL that I copied earlier and was about to type my username and password into the login form at the top of the page. Sudd