Aftermath of Deception – How we defeated Facebook’s Password Recovery mechanism “just in rage”!
At the very start of this historical article, I extend my sincere thanks to the 346 Facebook friends who allowed us to misuse Facebook to fight the treachery which that wicked Doll had inflicted on Amar. And I have realized that sincerity and rage, when mixed together, produce amazing results. Thank you, friends, for isolating yourselves from the world for those couple of hours every day, at odd hours, when we used to experiment on your accounts for the generation of password reset codes.
Let’s go through it as a sequence of events. When Dolly ditched Amar and left him drained of all money and emotions, there was this agony, a silent rage which was circulating in his blood. This rage started taking shape when he met his friend “Gillu”, from one of the most renowned start-ups of India (Zomato). Gillu’s ideas were wild and scary; he even promised Amar the best internet writer, for just 5K per article, who could destroy her character and bring to chaos the whole bloody system in which she was living. Amar refrained from the idea of outsourcing the writing, as he wanted to narrate things himself (which he most obviously is pathetic at). However, one of Gillu’s wiser pieces of advice was to reach all of her contacts and somehow convince them to read the story.
Switching to first person – me
So, here started the hunt for contacts. I, in my stupid rage and spree to forget her, had deleted all her messages and any details I had of her. This made my life tough, because Android was all I used. Anyway, that was not a big deal, thanks to Ming, who recovered the images and messages for me, although he did not allow me to even add an extra file to my phone for three damn weeks. Together with Prateek and Ming, and with inputs from Gillu, I started building a social email discovery protocol, in which you would only need a connection to one social network, and this is where LinkedIn helped. From there we scanned out a list of contacts and built trees branching off to nodes which were nothing but Google search strings. This was a total failure, as we could only make out 50 or so contacts, of which around 17 were redundant. So there was an acute need for something more concrete and reliable, which apparently was Facebook. We started exploring the possibilities.
Now, to be honest, Facebook recovery is fucked up: you need to be silent enough; either you gather the password and silently steal all the contacts, or you have a time span of at least 48 hours to gather all the contacts after resetting the password. To isolate Facebook from the user, you need to isolate his/her email id from them. And to isolate the email id from them, you have to mess things up very badly. Dolly’s Facebook recovery question was weird; I thought the answer was me, but come to think of it, you don’t know how many Amars there would have been in her life, so I just gave up framing answers for that. Now there is one thing which is funny about Facebook: they always give you two options to recover a password, either click on the link provided in the recovery email, or use the recovery code.
Facebook Recovery Code: Now this code is generated by some algorithm, but what is that? So my team of think tanks, including Prateek and Ming, started experimenting on our Facebook accounts, and we realized we needed more and more accounts, about 200. If we started brute-forcing madame’s account, it might get locked, and she might get email alerts. So we added a pop-up Trojan installer on my website, which would only respond to requests from IP 14.98.XXX.XXX. Our lady of light uses Tata Indicom, and that is the IP range they assign in Mumbai. And this worked. Ignorant she; she allowed the pop-up. The details of this trojan would be covered by Ming, if he wants to.
So, now I sent a mail to many of my trusted brotherhood companions over Facebook to allow me to misuse their Facebook IDs and generally analyze the password recovery code. You won’t believe it: I went to Indonesia and lived with Ming for a week to do this. Prateek would support online.
The Analysis: We analyzed the Facebook password recovery code for almost 300 accounts, and 17 accounts we kept as pilot accounts, where everything would remain perfect. We were researching in the direction of finding out the PRNG they were using, and focusing completely on the following:
We thought the generator should also have several other properties: it must be resistant to analysis of its input data. An attacker who recovers or is aware of a portion of the input to the generator should be unable to use this information to recover the generator’s state. As an extension of the above, it should also be resistant to manipulation of the input data, so that an attacker able to feed chosen input to the generator should be unable to influence its state in any predictable manner. An example of a generator which lacked this property was the one used in early versions of the BSAFE library, which could end up containing a very low amount of entropy if fed many small data blocks such as user keystroke information.
I personally thought it should be resistant to analysis of its output data. If an attacker recovers a portion of the generator’s state, they should be unable to recover any other state information from this (ideally, the generator should never leak any of its state to the outside world). For example, recovering generator output such as a session key or PKCS #1 padding for RSA keys should not allow any more of the generator state to be recovered. Ming was stuck on only one point, and I don’t know why Prateek supported him: he thought the generator should also take steps to protect its internal state, to ensure that it can’t be recovered through techniques such as scanning the system swap file for a large block of random data. The implementation of the generator which Facebook might be using should make explicit any actions such as mixing the pool or extracting user data, in order to allow the conformance of the code to the generator design to be easily checked. This is particularly problematic in the code used to implement the PGP 2.x random number pool (and user data is significant here), which (for example) relies on the fact that a pool index value is initially set to point past the end of the pool, so that on the first attempt to read data from it the available byte count will evaluate to zero bytes, resulting in no data being copied out and the code dropping through to the pool mixing function. This type of coding makes the correct functioning of the random pool management code difficult to ascertain.
The Moment of Truth: It was on a Friday, half drunk, when the series analyzer which Ming had written for Yahoo told us that there are certain factors on which the code is dependent, and it certainly is not a pseudo-random number. Holy fuck! This password recovery code wasn’t a random number generated by any PRNG. It was a function of several parameters. At this moment we realized we should throw away all our code so far.
We started again. Those friends whose accounts we were misusing were really patient, but then, as Prateek would say, everything is fair in love and war, and this was a world war for me. I badly wanted to expose her in front of her own self.
The Universal algorithm for generating Facebook password reset codes, is based on
Where g(y) will give the numeric code,
Dl = Date of last password change,
Dnl = Date of nth last password change,
DoB: DoB as mentioned on Facebook,
H(x): Some set of private information, and the set changes per profile.
Lf: this is the most interesting one; it’s the string name of the last person you conversed with. And if your account is new and you haven’t conversed with anyone, the Facebook password recovery fails; yes, this is a BUG. Yes, you have to know the person considerably well, which of course I did.
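For contrast with a code that is a function of profile attributes (the g(y) inputs listed above) and with the PRNG properties discussed earlier (output reveals nothing about state, input cannot steer it), here is an added example of how a reset-code issuer is normally built. It is not Facebook’s code and assumes a hypothetical `ResetCodeStore` design: the code comes from the OS CSPRNG, only a keyed hash of it is stored, and it is single-use, time-limited and attempt-limited, so it never depends on a last-contact name and never fails on a fresh account.

```python
import hashlib
import hmac
import secrets
import time

CODE_LEN = 8              # digits in the one-time code
CODE_TTL_SECONDS = 15 * 60
MAX_ATTEMPTS = 5          # wrong guesses before the code is discarded


class ResetCodeStore:
    """Hypothetical reset-code issuer: codes are drawn from a CSPRNG, not derived
    from DoB, password-change dates or conversation history, so knowing those
    values gives no information about the code."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key      # server-side secret, never sent to anyone
        self._now = now             # injectable clock (tests use a fake one)
        self._pending = {}          # account -> [code_tag, expires_at, attempts]

    def _tag(self, account: str, code: str) -> bytes:
        # Keyed hash binds the code to the account; a leaked store leaks no codes.
        msg = f"{account}:{code}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, account: str) -> str:
        # secrets.choice uses the OS CSPRNG; no profile data enters the code.
        code = "".join(secrets.choice("0123456789") for _ in range(CODE_LEN))
        expires_at = self._now() + CODE_TTL_SECONDS
        self._pending[account] = [self._tag(account, code), expires_at, 0]
        return code  # delivered out of band (e-mail/SMS) to the account holder

    def verify(self, account: str, code: str) -> bool:
        entry = self._pending.get(account)
        if entry is None:
            return False
        tag, expires_at, attempts = entry
        if self._now() > expires_at or attempts >= MAX_ATTEMPTS:
            self._pending.pop(account, None)   # expired or locked out
            return False
        entry[2] += 1
        if hmac.compare_digest(tag, self._tag(account, code)):
            self._pending.pop(account, None)   # single use
            return True
        return False
```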
Enough details; the rest are reserved for Ming’s new challenge to Facebook.
The Day of Operation: After around 12,000 generations, and the later success, we were sure this algorithm of ours worked, at least for those 300 accounts we were operating on. A day of complete blackout was decided, and we already knew the ETA for a sensible victim. The ETA on a Google account for a sensible victim is around 36 hours, and the ETA on a Facebook account, considering email access, is a few minutes after the email is recovered. We needed the Facebook account for at least 48 hours to deactivate, reactivate and, being in the comfort zone, extract all contact details. Using the trojan data, Ming and I managed to black out the emails of our babe and take control of her Facebook, which, however, deactivated it for 24 hours. Now that we had the Facebook account, we requested a download of the complete Facebook information. This took us hours to gather, since Facebook is a bit slow preparing it. However, to our surprise, the archive did not contain email ids. Holy crap! Again, and the next morning my secret baby regained control of her Facebook account and Google account.
Disaster Recovery: Using the old password and my ability to recognize her friends, we re-entered her account, quickly coupled it with Yahoo and extracted all the email ids. This sent off a few alerts, but that was fine, as disaster recovery, by its very name, means some disaster might have happened. Mind it, all this was done using my proxy switcher script, which bounced my requests through 8 IPs, from Malaysia, Indonesia, Japan, Georgia and India.
There is, and there was, a horizon of evilness. She exhibited hers, and now it’s time to exhibit ours.