Jan 7, 2010

Hacking Facebook

Okay, here's the scenario. My brother's girlfriend's sister's brother-in-law's son's roommate's cousin's wife's niece was having certain problems with some users on Facebook. They confronted me about this. I told them to report it to the abuse department. However, after receiving no help through them or law enforcement, we decided to take matters into our own hands.

The exact nature of the problem consisted of threats sent to the user. Similar threats were sent to the same user via another profile. It seemed as though a user had set up multiple profiles on Facebook. So right then and there, if this was the case, the user had already violated the terms of service by setting up multiple profiles. And of course threatening emails also violate these terms. So one violation of their terms of service definitely happened, and possibly a second if the two profiles were owned by the same person.

Before I go any further, I would like to state that even if both profiles had the same IP address, it could very likely just be 2 users using the same computer to log in to their own accounts. If this was the case, the terms of service on multiple profiles wouldn't be violated, because the profiles were really owned by 2 different people. However, this would mean that 2 different people violated another part of the terms of service.

Now, how are we going to obtain those IP addresses? If you go to any profile on Facebook and copy the URL into a Whois search engine, you will only get the IP address of the Facebook website, which is pointless. However, you can obtain IP addresses from people who have sent emails to you. What most people never notice is that Facebook is pretty much an advanced emailing system. All status updates, friend requests and personal messages are emailed to users at their personal email accounts. So think of it this way: if you log into mail.aol.com and send a message to my email address, I will be able to track your personal IP address. Logging in to post a status update or news feed item, request someone as a friend, or even just send a message to someone on Facebook is the same thing as logging into your mail.aol.com account to send a message. I would be able to track the IP address in the same manner. The only thing that needs to happen is for me to receive a message in my inbox from you on Facebook.

Obviously, if you know how to track an IP address from a sender's email then you don't need to read on, because the following will teach just this and apply it to Facebook.

The starting point. To do this you need a basic knowledge of how email works, and the best way to learn this is by sending messages using the command prompt's telnet command. Back in the day it was as simple as connecting to any old SMTP server and telling it what domain name you were using. If I wanted to send an email to someone and make it look like it was from the address bgates@microsoft.com, all I would need to do is tell the SMTP server that I'm microsoft.com. Then I would apply a user name to that domain name, so if I wanted the email to say bgates@microsoft.com I would need to tell it this. Next you would tell the server who to send the email to, followed by typing a message. If you wanted the username info to appear in the person's message, the From info, the To info and the Subject had to be added in the first 3 lines of the message.

However, email companies caught on to this impersonation and took action. First they made it so that if you were to send a message on the same machine that your SMTP server was on, the message would never arrive at the email account. Later they made it so IP info would also be sent along with the username and password of the sender. Of course, doing this opened up the senders to an attack on their accounts, so email companies then made the username and password use 64-bit hash encryption. What this meant was that even if you logged into your account using telnet, you would also need to provide your user name in a hash encryption. If you just entered your username and password, telnet wouldn't encrypt it for the server; you would need to encrypt it first and then send it through telnet. Obviously this would prove to the server that the telnet user has the rights to use this email address. And of course IP info falls into all of this. Keep in mind that all the user would see up front is the From:, To:, Subject: and Message, but the user would still be able to access that info.
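The gap between what the sender types into the message and what the server records can be checked on a delivered message. The sketch below is an added example, not code from the original post: it assumes the receiving server stored the envelope sender in a `Return-Path` header, and it uses constructed sample messages. A mismatch is a signal worth a closer look, not proof, because mailing services often use their own bounce domain.

```python
from email import message_from_string
from email.utils import parseaddr

# Constructed sample: the visible From line names one domain while the
# envelope sender recorded by the receiving server names another.
MISMATCHED = """\
Return-Path: <someone@mailer.example>
From: "B. Gates" <bgates@microsoft.com>
To: me@recipient.example
Subject: constructed sample

hello
"""
ALIGNED = MISMATCHED.replace("someone@mailer.example", "bounce@mail.microsoft.com")
BOUNCE = MISMATCHED.replace("someone@mailer.example", "")  # "Return-Path: <>"


def _domain(header_value):
    """Lower-cased domain of the first address in a header, or ''."""
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()


def sender_alignment(raw):
    """Classify how the envelope sender relates to the header From domain."""
    msg = message_from_string(raw)
    if msg.get("Return-Path") is None:
        return "no-envelope-recorded"
    envelope, visible = _domain(msg["Return-Path"]), _domain(msg["From"])
    if not envelope:
        return "null-sender"  # "<>" marks a bounce or system notice
    # Accept the same domain or a subdomain of the visible one.
    if envelope == visible or envelope.endswith("." + visible):
        return "aligned"
    return "mismatch"


if __name__ == "__main__":
    for name, raw in [("mismatched", MISMATCHED), ("aligned", ALIGNED),
                      ("bounce", BOUNCE)]:
        print(name, "->", sender_alignment(raw))
```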

Different email accounts let you access this information in different ways. Accessing this info is legal and very easy to do. In the file you will see a bunch of text. You'll also see what appear to be several IP addresses. Run a whois on each one. You will find that one IP address is yours. Another is the IP address of the server that the user logged into. Another is the IP address of the server that your email is hosted on. And of course you'll also see the IP address of the computer that the user sent it from.

You'll also see the user's username and password, both of which should be encrypted using a 64-bit hash. So in a sense you could log into the user's account and obtain all of his info if you decrypted the hash. But the IP address was all that I wanted.

So whatever message you receive from Facebook about a user, no matter if it is a status update, friend request, news feed item or any other activity that a user posts, if it ends up in your email account you'll be able to access that person's IP address. Now you'll need to compare the two IP addresses and see if they match. If they match, you know that the messages were sent using the same computer.

Certain things to keep in mind are the following. If the user has a dynamic IP address, and the IP address has changed since the time that you received the message, you will get the info of some other user's IP address. However, times are listed on the email, and you could trace it straight back to that user. Another thing to be aware of is the use of proxies. Even though a lot of proxies won't work on Facebook, there are some that do. If the person is using a proxy then the IP address could seem to originate from somewhere else. But getting the IP address is still very useful in either case.
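The header reading and comparison described above can be done with a short script. This is an added example, not code from the original post: it assumes the raw message source has been saved as text, reads the `Received` lines, and pairs each address with its timestamp so a dynamic address can be tied to a time. The sample messages are constructed and use documentation-range addresses. Only the line written by your own mail provider is recorded by a server you can trust; older lines are supplied by the sending side.

```python
import ipaddress
import re
from datetime import timezone
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample (documentation-range addresses), not a real message.
SAMPLE_A = """\
Received: from out.sender.example (out.sender.example [198.51.100.25])
    by mx.recipient.example with ESMTP id def456;
    Thu, 7 Jan 2010 10:15:30 -0500
Received: from [203.0.113.77] (helo=desktop)
    by out.sender.example with ESMTP id ghi789;
    Thu, 7 Jan 2010 10:15:28 -0500
From: someone@sender.example
To: me@recipient.example
Subject: constructed sample

body
"""
SAMPLE_B = SAMPLE_A.replace("10:15", "18:42")  # same origin, later time
SAMPLE_C = SAMPLE_A.replace("203.0.113.77", "203.0.113.99")  # other origin

IP_IN_BRACKETS = re.compile(r"\[(?:IPv6:)?([0-9A-Fa-f:.]+)\]")


def received_hops(raw):
    """Return [(ip, utc_time), ...] for each Received line, oldest first."""
    hops = []
    for value in message_from_string(raw).get_all("Received", []):
        # The sending side is described before "by"; the stamp follows ";".
        match = IP_IN_BRACKETS.search(re.split(r"\sby\s", value, maxsplit=1)[0])
        if not match or ";" not in value:
            continue
        try:
            ip = ipaddress.ip_address(match.group(1))
            when = parsedate_to_datetime(value.rsplit(";", 1)[1].strip())
        except (TypeError, ValueError):
            continue  # malformed hop: skip rather than guess
        hops.append((str(ip), when.astimezone(timezone.utc)))
    hops.reverse()  # each server prepends its line, so the last one is oldest
    return hops


def same_origin(raw_a, raw_b):
    """True when both messages show the same address on their oldest hop."""
    a, b = received_hops(raw_a), received_hops(raw_b)
    return bool(a and b) and a[0][0] == b[0][0]
```

When reporting to an abuse desk, include the timestamp alongside the address, since the provider needs both to map a dynamic address to a subscriber.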

I would also like to post the magic Facebook email addresses. These are the emails Facebook staff use, but they are extremely hard to find if you want to send them a message. I would highly recommend reporting any privacy issues to these email addresses.
privacy@facebook.com
appeals@facebook.com
abuse+dwybo1b@facebook.com
abuse+dt17u8y@facebook.com
login@facebook.com
info@facebook.com
disabled@facebook.com
