Exploiting Facebook data for stealing your friends’ digital identities

F3D.
Mar 27, 2018 · 6 min read
Mark Zuckerberg (Justin Sullivan/Getty Images)

DISCLAIMER

All information shared here is for educational purposes only. Use it at your own discretion and remember: you are responsible for any damage caused.

The views expressed in this article are my own and do not necessarily reflect the views of other people.

To all the script kiddies out there: I won’t release any plug-and-play script, sorry.


INTRODUCTION

Bad days for Facebook, huh?

This month, both The Guardian and The New York Times put Facebook at the centre of probably the biggest scandal it has faced in terms of trust and privacy. Long story short: Facebook exposed the data of 50 million unaware users to a researcher who worked with Cambridge Analytica, which in turn worked for the Trump campaign. What sounds scarier is how Cambridge Analytica got this massive data set. Quoting the New York Times: “Cambridge paid to acquire the personal information through an outside researcher who, Facebook says, claimed to be collecting it for academic purposes”.

After this scandal, a lot of people started to get a little more paranoid and began questioning how Facebook actually handles their data and for what purposes. Online newspapers and magazines didn't wait long and started publishing articles like the following:

Web press starting to inform the readers about how to download your Facebook data.

So I decided to do my homework: I wanted to see what kind of information Facebook knows about me.


1) Request and download my Facebook data

This process is very straightforward: once logged in, I went to “Settings” and clicked the “Download a copy of your Facebook data” button. That sends Facebook a request for your data; after some minutes (less than 15 in my case) you receive a notification that your files are ready to download.

Let’s examine them.

Requesting a download of my personal Facebook data.

The file I received was a “.zip” archive (roughly 350 MB); I extracted it and opened the “index.htm” file.

This is how it looked:

My personal Facebook data.

As you can see, it is full of well-categorized information that you can easily browse through the side menu: media content, messages, applications used, and more.

That’s a lot of data, ain’t it?

Some bad news: I found some users on Twitter claiming to have received back scary data, as shown below (this story also appeared on The Hacker News while I was writing this post):

https://twitter.com/dylanmckaynz/status/976368845635035138

Yes, that's crazy, but fortunately it wasn't my case: I didn't find any data regarding my phone calls or the SMS I sent or received.

“It seems that in older versions of Android when permissions were a lot less strict, the Facebook app took away contact permission at the time of installation that allowed the company access to call and message data automatically.” (The Hacker News)

Besides that, one specific category caught my attention: Contact Info.

The title of this category is self-explanatory: I was able to retrieve the complete list of my Facebook friends together with a huge list of my phone's contacts, including old numbers I no longer have. It could be useful as a personal backup, but I didn't get why many of my contacts also had a personal email address associated with them.

Facebook Contact Info page.

I'm also sure that all of these emails come directly from Facebook and not from my phone's contact list: I checked every single email and found fewer than 5% of them in my phone's contacts. So they came from Facebook.

In fact, Facebook lets you choose who can see your email address:

  • everyone
  • just your friends
  • nobody

For most people sharing their personal email is not an issue; I mean, it's only an email address, right?

Here’s when my “blackhat personality” came out.


2) Collecting info and starting to have fun

I wrote a script to crawl the HTML page and extract all the emails inside it: I was able to find 585 unique emails.

Some of the emails extracted

A note for the readers: more than one email found could point to a single individual (Facebook can also expose a contact's “secondary email”).
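As an added example (not the author's script, which he deliberately withheld), here is how that extraction can be done with only the Python standard library. The HTML below is constructed, since the real layout of the export's Contact Info page is not shown in the post; the parser does not depend on it. It picks up addresses both from visible text and from `mailto:` links, decodes HTML character references (so an obfuscated `&#64;` still counts), de-duplicates case-insensitively, and summarizes the mail providers involved.

```python
import re
from collections import Counter
from html.parser import HTMLParser

# Deliberately permissive: we want every address-looking token, not RFC 5322 validation.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


class _EmailCollector(HTMLParser):
    """Collects addresses from text nodes and from mailto: hrefs.

    convert_charrefs=True (the default) means handle_data() already sees
    '&#64;' as '@', so entity-obfuscated addresses are not missed.
    """

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value and value.lower().startswith("mailto:"):
                # Drop any ?subject=... query part after the address.
                self.found.append(value[len("mailto:"):].split("?", 1)[0])

    def handle_data(self, data):
        self.found.extend(EMAIL_RE.findall(data))


def extract_emails(html):
    """Return the unique addresses in *html*, lower-cased, in first-seen order."""
    parser = _EmailCollector()
    parser.feed(html)
    parser.close()  # flush any buffered trailing text
    seen, unique = set(), []
    for addr in parser.found:
        addr = addr.strip().lower()
        if addr and addr not in seen:
            seen.add(addr)
            unique.append(addr)
    return unique


def domains(emails):
    """Count addresses per mail domain (which providers your contacts use)."""
    return Counter(addr.rsplit("@", 1)[1] for addr in emails)


# Constructed sample; the real export page looks different but the
# collector only cares about text nodes and anchor hrefs.
SAMPLE_HTML = """
<html><body>
<div class="contact"><h3>Alice Rossi</h3><p>alice.rossi@example.com</p></div>
<div class="contact"><h3>Bob Bianchi</h3>
  <p><a href="mailto:Bob@Example.org?subject=hi">Bob@Example.org</a></p>
  <p>Secondary: bob.bianchi@example.net</p></div>
<div class="contact"><h3>Carla</h3><p>carla&#64;example.com</p></div>
<div class="contact"><h3>Alice (duplicate, different case)</h3><p>ALICE.ROSSI@EXAMPLE.COM</p></div>
</body></html>
"""

if __name__ == "__main__":
    found = extract_emails(SAMPLE_HTML)
    print(len(found), "unique emails")
    for addr in found:
        print(" ", addr)
    print(domains(found))
```

Run it against the extracted `index.htm` (or the Contact Info page it links to) by reading the file into `extract_emails()`. The "secondary email" caveat from the post is visible in the sample: Bob contributes two distinct addresses, so the unique count overstates the number of people.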

After that, I decided to check whether some of these emails had been compromised in a previous data breach with the help of the haveibeenpwned API. I wrote a simple Python script that does this check for me automatically.

Querying haveibeenpwned API.

Some results that I found:

  • Unique emails: 585
  • Found on public breaches: 310
  • Not found in public breaches: 275

So, more than 50% of my contacts' emails had already been compromised in a previous data breach (or in more than one). OK, this is going to be fun.

This is the list of the major breaches involved, in descending order:

  • Adobe: 83
  • Myspace: 82
  • Dropbox: 34
  • LinkedIn: 19
  • Dailymotion: 17
  • etc…
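Added example, not the author's script: a minimal client for the haveibeenpwned "breached account" endpoint plus the aggregation that produces the numbers above. It targets the current v3 API, which (unlike the v2 API available in 2018) requires an API key in the `hibp-api-key` header and a `user-agent` header; a 404 means the account is in no known breach and a 429 means you are being throttled. The `SAMPLE_RESULTS` dict is constructed data, not real lookups, so the summary can be checked offline; the user-agent string and the 1.6 s pause are assumptions. One caveat a practitioner should keep in mind: each query sends a friend's address in clear to a third party, which is itself a disclosure.

```python
import json
import time
import urllib.error
import urllib.parse
import urllib.request
from collections import Counter

# truncateResponse=false returns full breach objects (with a "Name" field)
# instead of just the names.
HIBP_URL = "https://haveibeenpwned.com/api/v3/breachedaccount/{}?truncateResponse=false"


def hibp_breaches(email, api_key, user_agent="fb-export-audit", pause=1.6):
    """Return the breach names for one account, or [] if it is in none.

    Network call. 'pause' is an assumed delay to stay under the rate limit;
    on a 429 the server's Retry-After header is honoured and the call retried.
    """
    req = urllib.request.Request(
        HIBP_URL.format(urllib.parse.quote(email)),
        headers={"hibp-api-key": api_key, "user-agent": user_agent},
    )
    while True:
        try:
            with urllib.request.urlopen(req, timeout=30) as resp:
                names = [b["Name"] for b in json.load(resp)]
            time.sleep(pause)
            return names
        except urllib.error.HTTPError as err:
            if err.code == 404:          # not found in any breach
                time.sleep(pause)
                return []
            if err.code == 429:          # throttled: wait and retry
                time.sleep(int(err.headers.get("Retry-After", "5")))
                continue
            raise


def summarize(results):
    """results: {email: [breach names]} -> the same figures the post reports.

    A breach is counted once per account even if the API lists it twice, and
    the per-breach table is sorted by count (descending) then name, so the
    output is deterministic.
    """
    pwned = {addr: names for addr, names in results.items() if names}
    per_breach = Counter()
    for names in pwned.values():
        per_breach.update(sorted(set(names)))
    return {
        "unique_emails": len(results),
        "found": len(pwned),
        "not_found": len(results) - len(pwned),
        "by_breach": sorted(per_breach.items(), key=lambda kv: (-kv[1], kv[0])),
    }


def audit(emails, api_key):
    """Query every address (one request each) and summarize. Network call."""
    return summarize({addr: hibp_breaches(addr, api_key) for addr in emails})


# Constructed sample results standing in for live API answers.
SAMPLE_RESULTS = {
    "alice@example.com": ["Adobe", "LinkedIn"],
    "bob@example.org": ["Adobe", "Myspace", "Dropbox"],
    "carla@example.com": [],
    "dave@example.net": ["Myspace"],
    "erin@example.net": [],
}

if __name__ == "__main__":
    report = summarize(SAMPLE_RESULTS)
    print("Unique emails:", report["unique_emails"])
    print("Found on public breaches:", report["found"])
    print("Not found in public breaches:", report["not_found"])
    for name, count in report["by_breach"]:
        print(f"  {name}: {count}")
```

To run it for real, pass the list from the extraction step to `audit(emails, api_key)`; with a few hundred addresses and one request per address, the rate limit, not the code, dictates how long it takes.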

At this point, let's go deeper and start searching for the passwords. I mean, these breaches are public, right? So the passwords must be out there somewhere.


3) Passwords, passwords, passwords…

Three months ago, what seemed to be the largest aggregate credential database found on the dark web to date appeared on the r/pwned subreddit: the files are well organized and contain 1.4 billion clear-text credentials in 41 GB. The data is structured in an alphabetic directory tree fragmented into 1,981 pieces to allow fast searches.

Dump folders structure.

If you need more details about this database, check this Medium post. And if you're wondering how to download it: I won't provide any sources or “how-to” guide, sorry.

I transferred it to an external drive and wrote another Python script to search through it for previously compromised passwords. Once again, the script was very simple:

Automating the passwords extraction in Python.

It took me 15 minutes, more or less, to process all the email addresses found in my Facebook data, but it was worth the effort: 451 unique email/password pairs were found. ¯\_(ツ)_/¯

More than 400 unique pairs of username/password found.

Since some email addresses appeared in multiple data breaches, the number of passwords found was greater than the number of emails searched (310 email addresses returned 451 unique passwords).

I notified a couple of friends about what I found and they admitted that the passwords I found are still in use on other platforms. The following picture shows a conversation with a friend of mine about his passwords that I found (we're both Italian):

A friend of mine confirms that he’s still using a password that I found.

4) Conclusions and open points

  • Avoid sharing personal emails if not necessary, and remember: Facebook is not a safe place to share them.
  • Password reuse is a real-life risk. Just stop using the same simple password everywhere.
  • Learn about 2FA and how to enable it (where available).
  • Password managers are not widely adopted yet; we need to deal with that, but you can make a difference and give one a try. There are a lot of alternatives out there (both free and paid).

Thank you for reading.

If you liked this post, give me back some claps.

Written by

F3D.

@f3d__ · security researcher · hacking · pentesting · beat-making · crypto

InfoSec Write-ups

A collection of write-ups from the best hackers in the world on topics ranging from bug bounties and CTFs to vulnhub machines, hardware challenges and real life encounters. In a nutshell, we are the largest InfoSec publication on Medium. Maintained by Hackrew