A few days ago, I was surprised to see that my website’s logs were filled with security testing attempts originating from an IP address in Indonesia. One of these attempts was a successful XSS attack targeting the MyBB plugin within one of my online forums.
NOTICE: In this article, I will not use the actual Facebook attacker’s ID and this guide is only for sharing knowledge.
As mentioned by @badwolves1986 at http://devilzc0de.org/forum/thread-11110.html, there was a XSS bug in the plugin fbconnect for MyBB.
When I discovered the bug, I didn’t manage to ‘patch’ the bugs. I only managed to add “additional permissions” to the plugin, which allowed me to update Facebook account status used for registration. Note the image below:
From there, we can get the attacker’s data. Let’s look at the database:
1SELECT uid, username, fbuid FROM [usertable] WHERE uid = '[uidattacker]'
Please note that the fbuid field will automatically exist if you install FB Connect Plugin for MyBB.
From the query above, we get the Facebook Attacker’s User ID.
What can we do next? Let’s recap again…
- We already have Facebook attacker’s user ID.
- We already have permission to update status and access data for that user ID, even when offline!
That’s right, Facebook API!
We can utilize PHP Facebook SDK from https://github.com/facebook/php-sdk.
After downloading and uploading it to the web server, let’s create a simple script to update the attacker’s profile status.
Here is an example of the code:
1<?php
2require 'location-pf-facebook-sdk.php';
3/**
4 * Facebook
5 */
6$app_id = "[your-app-id]";
7$app_secret = "[your-app-secret]";
8
9//build content
10$fbinfo = 'Your message';
11$facebook = new Facebook(array(
12 'appId' => $app_id,
13 'secret' => $app_secret
14));
15$response = $facebook->api(array(
16 'method' => 'stream.publish',
17 'uid' => '[attacker-user-id-from-the-database]',
18 'message' => $fbinfo
19));
20echo $fbinfo;
21?>
After that, upload it to your site and execute the script. Then, you will have successfully updated the Facebook attacker’s account status.
From here, we learn a few things:
- Covering tracks are necessary when performing attacks on a website.
- Do not use your real identity during illegal penetration testing.
What if I’ve already given an app permission to access my data?
Log in to http://www.facebook.com/settings/?tab=privacy, then select “Edit Settings” under the Apps and Websites menu.
In the “Apps you use” menu, you can revoke or remove unnecessary apps.
For those who want to remain anonymous, be cautious with Facebook, as it truly collects our data.
Don’t forget, always use ’extra protection’ when performing illegal activities..
