DOB disclosed using “Facebook Graph API Reverse Engineering”

This is a continuation of my previous two blog posts; if you want to read the earlier parts first, see:

1. 1st part: FB users birth year disclosed via FB Timeline profile source code “data attribute”

2. 2nd part: FB user birth year Disclosure via “IDOR in m.facebook.com”

My 3rd report (full FB DOB disclosure bug POC) is more interesting than my previous two reports.

1. Background information:

Facebook uses the Graph API to fetch user data from their system. To monitor the Facebook timeline API behaviour, I logged the requests and responses of the FB Android application on my system, and I found that the Facebook graph timeline API follows a pattern when fetching user posts from their system. Using this pattern, an attacker could disclose the DOB of any user on Facebook.
2. Facebook graph timeline API request and response:
Graph Timeline API request to get user timeline data
Graph Timeline API request body attributes
Graph Timeline post response body attributes

3. Facebook graph timeline API request pattern analysis

Based on the “query_params” attribute value in the FB graph Timeline API request, the respective FB user’s timeline posts for that year are returned.

Graph Timeline API request query_params body attributes

4. Decode the “query_params” attribute

a) In the above Graph Timeline API request, the highlighted string in the ‘query_params’ parameter is base64-encoded, so I decoded the highlighted string as shown below:

Decoding above Base64 String
In the decoded values, “100000550580350” is the victim’s FB user id, and the following two numbers, “1167638400” and “1199174399”, with “000” appended (“1167638400000” and “1199174399000”), represent the number of milliseconds since January 1, 1970, 00:00:00.
javascript snippets: To get date from numbers
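As an added example (not the post's own graphFBBirth.js script), the decoding step above in Node.js: unpack the base64 query_params value, treat the two numbers as epoch seconds (the “000” the post appends is the conversion to milliseconds), and work out which calendar year and UTC offset the pair encodes. The decoded layout “userId|start|end” is an assumption; the post only names the three values, not their separators.

```javascript
// Constructed sample from the three values named in the post; the "|" separator is assumed.
const SAMPLE_QUERY_PARAMS = Buffer.from(
  '100000550580350|1167638400|1199174399',
).toString('base64');

// Pull the user id and the two epoch-second boundaries out of a base64
// query_params value. Any non-digit separator is tolerated.
function decodeQueryParams(b64) {
  const text = Buffer.from(b64, 'base64').toString('utf8');
  const nums = text.match(/\d+/g) || [];
  if (nums.length < 3) throw new Error('expected a user id and two timestamps');
  const [userId, start, end] = nums;
  return { userId, startSec: Number(start), endSec: Number(end) };
}

// The post appends "000" to each number: the values are seconds, and
// JavaScript's Date wants milliseconds.
function secondsToDate(sec) {
  return new Date(sec * 1000);
}

// Work out which calendar year a (start, end) pair covers and in which UTC
// offset its boundaries were computed (local Jan 1 00:00:00 .. Dec 31 23:59:59).
function describeYearRange(startSec, endSec) {
  let year = secondsToDate(startSec).getUTCFullYear();
  // A zone east of UTC puts local Jan 1 midnight on Dec 31 UTC of the year before.
  if (startSec - Date.UTC(year, 0, 1) / 1000 > 12 * 3600) year += 1;
  const utcJan1 = Date.UTC(year, 0, 1) / 1000;
  const utcNextJan1 = Date.UTC(year + 1, 0, 1) / 1000;
  return {
    year,
    utcOffsetHours: -(startSec - utcJan1) / 3600,
    spansFullYear: endSec - startSec === utcNextJan1 - utcJan1 - 1,
    start: secondsToDate(startSec).toISOString(),
    end: secondsToDate(endSec).toISOString(),
  };
}

// Stand-alone run on the constructed sample.
const sample = decodeQueryParams(SAMPLE_QUERY_PARAMS);
console.log(sample, describeYearRange(sample.startSec, sample.endSec));
```

For the post's two numbers this reports year 2007 with an offset of UTC-8, i.e. the range is one full calendar year in Pacific time.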

b) Then I ran the node.js script below to log the response of this API while changing the year values in the ‘query_params’ parameter.

c) From the log below (the result of the above node.js script), I found that after a specific year (1990) the response content length is reduced to 246 bytes. That specific year, 1990, is the victim’s (www.fb.me/rajsek) birth year 1991 minus one (1991-1). This API behaviour gives us a clue to find the birth year of the victim.

Customised Node script result

d) Then, instead of searching for the birth year by iterating over each year, I used a binary search algorithm to increase the efficiency of the graphFBBirth.js node script (so the modified script can now guess the birth year of any user in less than 7 to 8 iterations).

e) Then I fine-tuned my node script to fetch the victim’s DOB information and hosted the modified script as a web app on Heroku (URL https://rajsek-fb-birthyear.herokuapp.com/DOB ).

Note: the FB team has already patched/fixed this bug, so the application mentioned above won’t work as expected.

f) Some sample screenshots:

See, DOB information is not visible in this profile.

Using my graphFBBirth.js node script, I was able to get the DOB of Siva (www.facebook.com/xxxx.7792)

Screenshot of FB DOB disclosure Web Application

g) Following is my mail conversation with the FB Security Team:

This hat-trick of bug reports got my name listed within the top 10 rank on the Facebook white hat hacker page (https://www.facebook.com/whitehat/thanks)

Sorry, the above one is a year-old screenshot :(
I wish to thank my uncle Thirumurugan and all my friends (US [Vinoth], Endrum 16 [Ashwin], Singapore [Karthi], Maga Nadigan [Harsha]) and my family for their support and concern.
Special thanks to my mentor Keerthivasan, LoordhuSwamy, Joel Thomas, my lead Rajkumar and all other TCS colleagues for their continuous guidance and support, which made me do the analysis on the next two Facebook security bugs.

If you are interested in reading the previous parts of this blog post, kindly click the links below:

  1. 1st part: FB users birth year disclosed via FB Timeline profile source code “data attribute”
  2. 2nd part: My 2nd Facebook Bounty POC - “FB-Date of birth Disclosure”

Please share your comments on this POC.