Facebook - Enumerating Phone Numbers

As we discussed in the last post, one can use their phone number to identify their account in case of a forgotten password.
Well, this utility can easily be misused to harvest phone numbers. How?
Let me demonstrate:


Attack Scenario:

Step 1. This page URL: https://www.facebook.com/login/identify?ctx=recover asks for a phone number in order to identify the user.



Step 2. I captured the request in Burp Suite and then sent it to Intruder. To perform the attack I brute-forced the numbers +91973914XXXX; the last 4 digits were brute-forced. +91 is the country code for India. 9739 are the starting 4 digits for Vodafone numbers in Karnataka, India. Of course, Intruder makes it easy.


As the screenshot of the attack result shows, there are 10000 attempts to be made.


Step 3. Now have a close look at the content-length of the response. Content lengths like 7182 and 8044 correspond to valid phone numbers. Content-length 6930 is for the attempts where the phone number doesn't belong to any Facebook user.




Step 4. I selected one of the responses having content-length 7182 and checked the validity of the number.




Step 5. One step further, it shows the full number in the page.



Step 6. So I verified all the responses with content-length 7182 and 8044 and enumerated many numbers belonging to Facebook users from Karnataka, India, using Vodafone as the service provider. (I am assuming no number portability :D)

So on a successful attempt the content-length of the response changes to something other than 6930, hence confirming a valid attempt :).

You can argue that Facebook has a captcha implemented, so how can you brute-force? The beauty is that the captcha only appears when the number entered is an existing user's number, and hence it causes the content-length of the response to behave in a particular fashion, confirming that the attempt is a valid one.
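The two paragraphs above describe a response-size oracle: the recovery page answers with a different body (and so a different Content-Length) depending on whether the number is registered, and a burst of identify requests from one client walks through a numeric range. The following is an added example, not code from the original post or from Facebook: two hypothetical recovery handlers (one that leaks through body size, one that returns an identical body either way and confirms out of band), a check that measures whether a handler is a size oracle, and a detector that scans constructed Common Log Format lines for a single client hammering the identify endpoint. The registered numbers, IP addresses, timestamps and sizes are all constructed sample data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data: a tiny "registered numbers" table standing in for
# the real user database (hypothetical, not Facebook's data).
KNOWN_NUMBERS = {"+919739140001", "+919739140002"}


def leaky_identify(number: str) -> str:
    """Hypothetical recovery handler that reflects the lookup result in the body.
    The two branches produce bodies of different length, so Content-Length alone
    tells a client whether the number is registered."""
    if number in KNOWN_NUMBERS:
        return "<html><body>We found your account. Solve the captcha to continue.</body></html>"
    return "<html><body>No search results.</body></html>"


def uniform_identify(number: str) -> str:
    """Hardened variant: the lookup still happens, but the HTTP response is the
    same in both cases; the real confirmation goes out of band (a code is sent
    to the number only if it is registered), so the page itself is not an oracle."""
    _registered = number in KNOWN_NUMBERS  # result is used only server-side
    return "<html><body>If this number is registered, we have sent a code to it.</body></html>"


def is_size_oracle(handler, known: str, unknown: str) -> bool:
    """True when the handler's body length differs for a registered and an
    unregistered number, i.e. when Content-Length leaks account existence."""
    return len(handler(known)) != len(handler(unknown))


# Common Log Format line, e.g.
# 203.0.113.5 - - [12/Mar/2018:10:15:00 +0000] "POST /login/identify?ctx=recover HTTP/1.1" 200 6930
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+)'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"


def flag_enumeration(log_lines, path_prefix="/login/identify", threshold=50, window_seconds=60):
    """Return the client IPs that sent at least `threshold` requests to the
    identify endpoint within any `window_seconds` interval. One client walking
    a numeric range produces exactly this burst pattern."""
    hits = defaultdict(list)
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or not m.group("path").startswith(path_prefix):
            continue
        hits[m.group("ip")].append(datetime.strptime(m.group("ts"), TS_FORMAT))

    flagged = []
    window = timedelta(seconds=window_seconds)
    for ip, times in hits.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it lies within `window` of times[end].
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(ip)
                break
    return sorted(flagged)


def constructed_log() -> list:
    """Constructed sample log: one client probing 60 numbers in half a minute,
    another making three ordinary recovery requests minutes apart."""
    base = datetime(2018, 3, 12, 10, 15, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(60):
        ts = (base + timedelta(milliseconds=500 * i)).strftime(TS_FORMAT)
        size = 7182 if i % 20 == 0 else 6930  # mostly "no match" responses
        lines.append(f'203.0.113.5 - - [{ts}] "POST /login/identify?ctx=recover HTTP/1.1" 200 {size}')
    for minutes in (0, 5, 15):
        ts = (base + timedelta(minutes=minutes)).strftime(TS_FORMAT)
        lines.append(f'198.51.100.7 - - [{ts}] "POST /login/identify?ctx=recover HTTP/1.1" 200 6930')
    return lines


if __name__ == "__main__":
    print("leaky handler is a size oracle:", is_size_oracle(leaky_identify, "+919739140001", "+919739149999"))
    print("uniform handler is a size oracle:", is_size_oracle(uniform_identify, "+919739140001", "+919739149999"))
    print("clients flagged for enumeration:", flag_enumeration(constructed_log()))
```

The uniform handler removes the signal the post relies on: the captcha or "found your account" branch no longer changes what the HTTP response looks like, so the Content-Length column in Intruder would be constant. The log detector is the complementary control for the case where such an oracle still exists: the 10000-attempt sweep the post describes is a per-client request rate that normal account recovery never produces, and the same sliding-window count works on real access logs once the timestamp format and endpoint path are adjusted.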

I reported this to Facebook but they didn't consider it a SECURITY BUG.

Well, according to me, we can do the following:

1. Harvest the phone numbers belonging to a particular country/location.
2. The lack of a privacy setting (refer to the previous post) allows one to get the user's name as well.
3. This can be nicely utilized to target individual users and perform social engineering attacks.

Well, I leave this discussion open as to how it can be a SECURITY BUG.
