Aftermath of Deception – How we defeated Facebook’s Password Recovery mechanism “just in rage”!
At the very beginning of this historical article, I extend my sincere thanks to the 346 Facebook friends who allowed us to misuse Facebook to fight the treachery which that wicked Doll had inflicted on Amar. And I have realized that sincerity and rage, when mixed together, produce amazing results. Thank you, friends, for shutting out the world for those couple of hours every day, at weird timings, when we used to experiment on your accounts for the generation of password reset codes.
Let’s discover it as a sequence of events. When Dolly ditched Amar and left him drained of all money and emotions, there was this agony, a silent rage, circulating in his blood. This rage started taking shape when he met his friend “Gillu”, from one of the most renowned start-ups of India (Zomato). Gillu’s ideas were wild and scary; he even promised Amar the best internet writer for just 5K per article, who could destroy her character and bring to chaos the whole bloody system in which she was living. Amar refrained from the idea of outsourcing the literature, as he wanted to narrate things himself (which he most obviously is pathetic at). However, one of Gillu’s very wise pieces of advice was to reach all of her contacts and somehow convince them to read the story.
Prateek.
Switching to first person – me
So, here started the hunt for contacts. I, in my stupid rage and spree to forget her, had deleted all her messages and any details I had of her. This made my life tough, because Android was all I used. Anyway, that was not a big deal, thanks to Ming, who recovered the images and messages for me, although he did not allow me to even add an extra file to my phone for three damn weeks. I, along with Prateek and Ming, and with inputs from Gillu, started making a social email discovery protocol, in which you would only require a connection to one social network, and this is where LinkedIn helped. From there we scanned out a list of contacts and made trees branching off to nodes which were nothing but Google search strings. And this was a total failure, as we could only make out 50 or so contacts, of which around 17 were redundant. So there was an acute need for something more concrete and reliable. Which apparently was Facebook? We started exploring the possibilities.
Now, to be honest, Facebook recovery is fucked up: you need to be silent enough; either you gather the password and silently steal all the contacts, or you have a time span of at least 48 hours to gather all the contacts after resetting the password. To isolate Facebook from the user, you need to isolate his/her email ID from them. And to isolate the email ID from them, you have to mess things up very badly. Dolly’s Facebook recovery question was weird, to which I thought the answer was me, but come to think of it, you don’t know how many Amars there would have been in her life, so I just gave up framing answers for that. Now there is one thing which is funny about Facebook: they always give you two options to recover a password, either click on the link provided in the recovery email, or use the recovery code.
Facebook Recovery Code: Now, this code is generated by some algorithm, but what is it? So my team of think tanks, including Prateek and Ming, started experimenting on our Facebook accounts, and we realized we needed more and more accounts, about 200. If we started brute-forcing on madame’s account, it might get locked, and she might get email alerts. So we added a pop-up Trojan installer on my website, which would only respond to requests from IP 14.98.XXX.XXX. Our lady of light uses Tata Indicom, and that is the IP range they award in Mumbai. And this worked. Ignorant she; she allowed the pop-up. The details of this Trojan would be covered by Ming, if he wants to.
So now I sent a mail to many of my trusted brotherhood companions over Facebook to allow me a misuse of their Facebook IDs and, generally, to analyze the password recovery code. You won’t believe it: I went to Indonesia and lived with Ming for a week to do this. Prateek would support online.
The Analysis: We analyzed the Facebook password recovery code for almost 300 accounts, and 17 accounts we kept as pilot accounts, where everything would remain perfect. We were researching in the direction of finding out the PRNG which they were using, and focusing completely on the following:
We thought the generator should also have several other properties: it must be resistant to analysis of its input data. An attacker who recovers or is aware of a portion of the input to the generator should be unable to use this information to recover the generator’s state. As an extension of the above, it should also be resistant to manipulation of the input data, so that an attacker able to feed chosen input to the generator should be unable to influence its state in any predictable manner. An example of a generator which lacked this property was the one used in early versions of the BSAFE library, which could end up containing a very low amount of entropy if fed many small data blocks such as user keystroke information.
I personally thought it should be resistant to analysis of its output data. If an attacker recovers a portion of the generator’s state, they should be unable to recover any other state information from this (ideally, the generator should never leak any of its state to the outside world). For example, recovering generator output such as a session key or PKCS #1 padding for RSA keys should not allow any more of the generator state to be recovered. Ming was stuck on only one point, and I don’t know why Prateek supported him: he thought the generator should also take steps to protect its internal state to ensure that it can’t be recovered through techniques such as scanning the system swap file for a large block of random data. The implementation of the generator which Facebook might be using should make explicit any actions such as mixing the pool or extracting user data, in order to allow the conformance of the code to the generator design to be easily checked. This is particularly problematic in the code used to implement the PGP 2.x random number pool, where user data is significant, which (for example) relies on the fact that a pool index value is initially set to point past the end of the pool, so that on the first attempt to read data from it the available byte count will evaluate to zero bytes, resulting in no data being copied out and the code dropping through to the pool mixing function. This type of coding makes the correct functioning of the random pool management code difficult to ascertain.
The Moment of Truth: It was on a Friday, half drunk, when the series analyzer which Ming had written for Yahoo told us that there are certain factors on which the code is dependent, and it certainly is not a pseudo-random number. Holy fuck! This password recovery code wasn’t a random number generated by any PRNG. It was a function of several parameters. At this moment we realized we should throw away all our code so far.
We started again. Those friends whose accounts we were misusing were really patient, but then, as Prateek would say, everything is fair in love and war, and this was a world war for me. I badly wanted to expose her in front of her own self.
The universal algorithm for generating Facebook password reset codes is based on
Where g(y) will give the numeric code,
Dl = date of the last password change,
Dnl = date of the nth last password change,
DoB = DoB as mentioned on Facebook,
H(x) = some set of private information; the set changes as per each profile,
Lf = the most interesting one: it’s the string name of the last person you conversed with. And if your account is new and you haven’t conversed with anyone, the Facebook password recovery fails; yes, this is a BUG. Yes, you have to know the person considerably well, which I did, of course.
Enough details; the rest are reserved for Ming’s new challenge to Facebook profiles.
The Day of Operation: After around 12,000 generations, and the later success, we were sure this algorithm of ours worked, at least for those 300 accounts we were operating on. A day of complete blackout was decided, and we already knew the ETA for a sensible victim. The ETA on a Google account for a sensible victim is around 36 hours, and the ETA on a Facebook account, with email access in mind, is a few minutes after the email is recovered. We needed the Facebook account for at least 48 hours to deactivate and reactivate it and, being in a comfort zone, extract all contact details. Using the Trojan data, Ming and I managed to black out the emails for our babe and take control of her Facebook, which, however, deactivated it for 24 hours. Now that we had the Facebook account, we requested a download of the complete Facebook information. This took us hours to gather, since Facebook is a bit slow preparing it. However, to our surprise, the archive did not contain email IDs. Holy crap! again, and next morning my secret baby regained control of her Facebook account and Google account.
Disaster Recovery: Using the old password and my ability to recognize her friends, we re-entered her account, quickly coupled it with Yahoo and extracted all the email IDs. This sent off a few alerts, but that was fine, as disaster recovery, by its very name, means some disaster might have happened. Mind it, all this was done using my proxy switcher script, which bounced my requests through 8 IPs, from Malaysia, Indonesia, Japan, Georgia and India.
There is, and there was, a horizon of evilness. She exhibited hers, and now it’s time to exhibit ours.



I would say.. it’s gonna be interesting…
Whoa.. why do you think so?
Genius….. Brother, you’ve put in way too much effort… As intensely as you loved, just as intensely you waged war too..
Hey, everything should be done wholeheartedly..
Be sure to check out the legalities of whatever you are doing.
Nice website over here! I’ll subscribe
Thank you so much for providing individuals with an exceptionally nice possibility to read from this website. It’s always so cool and also packed with fun for me personally and my office acquaintances to search your website at least three times every week to see the latest guidance you have got. And indeed, I’m also always fascinated with the remarkable tips and hints served by you. Selected two tips in this article are in truth the best I’ve ever had.
Thank you a lot for sharing this with all folks; you really understand what you are talking about! Bookmarked. Kindly also talk over with my website =). We can have a link exchange arrangement among us.
Just wish to say your article is astounding. The clarity of your post is simply cool and I can suppose you are a professional in Security. I know Ming personally, and I am glad you two could figure this out. I support your cause. Well, with your permission, allow me to grab your feed to keep updated with forthcoming posts. Thanks a million for involving me in this noble cause, and please continue the gratifying work.
I’ve read almost all of your posts. At one end I am surprised by the efforts you put in to attain her, and the efforts you have lately put in to expunge all this; at the hinge of my mind I feel, was it worth it, was she worth it? You must have seen my earlier comment; we all know your rage is perfectly valid, and we all support you through this, but these activities are gross. I guess she already has enough stigma to carry throughout her life; you should take these contents offline now. Some people in the world are defaulters; you can’t change them, but you can try to change them. She is one of those. Move on, Amar.
Move on..? How exactly do you define move on, Shikha..? If you all want to call me a loser, please go ahead and call me. I am moving on; I just want to make sure every guy in this world who is willing to do anything for his girlfriend realizes that sometimes he is walking on a dark path.
Hey, awesome man, how did you guys crack the payload of it? I am sure you won’t ever reveal it, but is this all symmetric you did, or linear?
By the way, let me say one thing: talk to Pandu, and seriously think of writing a novel, man. I will fund it. That’s a promise!
Now you remember me, you rascal; there is no payload involved, dude. Ming has a series analyzer which he wrote for Yahoo! A payload would have been involved if we were dealing with random data! But I am glad you stopped by and posted this comment. This matters a lot to us; after all, you were always a guru to us!
Amar, is this your blog? I had a hard time figuring it out. You should have consulted Shawn’s work on the sequence analyzer, which returns an index over 10 for the extent to which a series is random; it would have at least saved you a couple of days. I’ve seen Ming’s sequence analyzer; brilliant it is, but it has overhead and payload. I was also a BCC in the mail to Facebook; you have not used effective words, but this work is appreciable. Dude, what a rage! Would you ever be provoked to such an extent again?
Yes sir, you are at the right place.
Anyway, I did write to Shawn, and for that matter I wrote to everybody.. but very few replied to me, and Ming was in Tokyo at the time when this thing showed up. Anyway, thank you, boss. The mail to Facebook was drafted by Prateek.
Pingback: Our Russian friend Dojovik & Our email discovery protocol – a story of how she made him rich… | Dil Ka Achaar – Guest Stories
Very nice site. Good job. Keep it up. Although I am a lady, I do understand the pain you must have gone through!!
Today is documentation indisposed, isn’t it?
Ha ha ha ha… this has been tried earlier.. I found this article very interesting, at least your knowledge of PRNGs. It will definitely add to our knowledge.
Hello friends, nice article and nice urging commented at this place; I am in fact enjoying these.
Divya recommended your website and I’m glad he did, because it is very informative and entertaining. Your narration is worth appreciating; let us know more about your technical adventures in this whole story.
I never knew we could search for something like that; it’s interesting and something I might look into when I find some free time. Tell me, is it generally what you term as hack attempts??
There are many articles over the internet, but this one seems to be taking most of the time. I loved reading it. If you could discuss more about the PRNG which you managed to attain. Did you guys write some paper? Doing all this over a break-up is crazy software programming!!
I think Aftermath of Deception, is a solid blog article and you do a solid job of posting in depth. Tommie –
Have you possibly considered including a bit more than your content pieces? What I’m saying is, whatever you claim tends to be valuable and everything. Having said that, think about if you happened to incorporate some good photographs or even videos to offer your own discussions further “pop”! Your content is very useful, but along with pictures in addition to videos, your blog could quite possibly definitely end up one of the primary in its arena. Fantastic weblog! I am willing to offer you legal aid; let’s take that bitch down. I have also mailed you.
keep it up! :p All the Best!
By the way, I’m going to save this site to my favorites.. You should try professional writing, man. You are awesome at it..
Amar, have you considered including a little graphical material? Come on, man, whatever you express is usually fundamental and everything. Start putting in more vivid pictures; if you are doing something, do it with complete passion. Dude, a girl making a fool of Amar Akshat.. feels a bit weird.. Your articles are fantastic; nonetheless, together with photographs and films, this website can without doubt possibly haunt her for life!!!
Keep at it, master!
Good one. Recently discovered this website. Good writeup. Passion indeed commendable. Can’t comment if you are doing right or wrong (since right/wrong is a fluid concept). You should venture into writing.
If only you could convince Amar to venture into writing, ’cause what I write comes direct from his heart; I just shape ’em!
Pingback: हमरी जिन्दगी का एक्के मक्सद है… बदला (I only have one objective in life… revenge) | Dil Ka Achaar – Guest Stories
The next time I read a weblog, I hope that it doesn’t disappoint me as significantly as this one. I mean, I know it had been my choice to read, but I in fact thought you’d have something interesting to say. All I hear is actually a bunch of whining about something that you could resolve if you weren’t so busy in search of attention.
Well, the whole issue is vastly a donnybrook; at a point you won’t expect us to reveal details. But we did; we took a risk. The least you could do is just google for it and find live evidence of it, or claim your point more silently! Either way I don’t give a fcuk!
i totally agree with you! kill the b***ch
Sweet blog! I found it while searching on Yahoo News. Do you have any tips on how to get listed in Yahoo News? I’ve been trying for a while but I never seem to get there! Cheers
I am glad that Yahoo News finally has my traces again!
I have got one recommendation for your webpage. It appears like there are a few cascading stylesheet problems while loading a selection of web pages in Google Chrome and Internet Explorer. It is running all right in Internet Explorer. Probably you can double check this.
Works fine for me.
I was basically wanting to know if you ever considered replacing the design of your site? It’s very well written; I really like what you have got to say. But maybe you could add a little more in the way of content so people can connect to it better. You’ve got an awful lot of wording for only having one or two images. Maybe you can space it out better?
Re: Whoever made the remark that this was a good website actually needs to have their head evaluated.
You need to really moderate the remarks listed here
Dude, seldom do I find people with such craze and adaptation. But mind the laws.
This blog is pretty good! hats off for all you did and what you are doing