Facebook - Enumerating Phone Numbers
As we discussed in the Last post that one can use his phone number to identify the account in case of forgetting password. Well this utility can be easily misused to harvest phone numbers. How ?? let me demonstrate: Attack Scenario: Step 1. This Page URL: https://www.facebook.com/login/identify?ctx=recover asks for phone number in order to identify the user. Step 2. I captured the request in Burpsuite and then in to the intruder. To perform the attack I Buteforced the numbers +91973914XXXX. The last 4 digits were bruteforced. +91 is country code for India. 9739 is the starting 4 digits for Vodafone numbers in Karnataka, India. Ofcourse intruder makes it easy. As the result of the attack as screenshot shows there are 10000 attempts to be made. Step 3. Now have a close look to the content- length of the response. Content length like 7182 and 8044 are valid phone numbers. Content-length 6930 is for the attem...