Facebook App Access Token Exploit



Last week, I was opening my Dayz Game Servers (check out my post here), so I needed to advertise the server in order to get more players. Facebook and Twitter are the two social networks that came to mind first. It also came to my attention that a lot of people sell Facebook Fanpage Likes/Subscribes and Twitter Follows; Fiverr also offers a 5-dollar service for 1000 likes on anything on Facebook (I'm selling mine on Fiverr, 5 bucks for 1000 likes :) order if you need).

Of course, curious as I am, I won't let them take money away from me; instead I'll use that idea for my own benefit. I did a Google search, but mostly the code people share around does not actually work, or comes attached with backdoors and shell scripts. Think about it: you work hard for your meal, so you do not want anyone to take it away from you. However, sometimes you let them taste a little bit of it after you have spoiled it :). I'm still working on the code for a public website. In the meantime, I will share the knowledge I've been gathering in order to do the Auto Facebook Like.

The idea comes from calling the Facebook App API with an Access Token.

Since the nature of this article is just to share my knowledge, I will not show you the workaround for avoiding the warning message from Facebook, or how to hide your link and make it look real.

Consider the URI below:

<Shorten URL>

What it does is simply take you to Facebook, then connect to the HTC Mobile App, which is a real (or may not be) app. It's not suspicious until you look closer at the parameters, where it asks for publish_actions, user_likes, user_status, user_photos etc. Besides asking you to join and use the HTC Facebook app, it also asks to use all your info, such as user_notes, user_photos, user_status etc. Note that the app can never access that information unless you click "Allow". Let's try to log in using my fake account:


As you can see, it will ask for access to my Facebook to post. For the purposes of this article I will let it do everything; just keep clicking "Okay" until you get this warning.


If you have paid enough attention to the screen, you will have seen that before the warning message appears, there was a URL with your access token and just a "Success" message. Since we are now seeing the message, we can be sure that Facebook actually knows how people take advantage of their system to do things in the shadows. *There is a way to work around this problem, but it's not necessary for me to say it here.*

Now, in order to see your token, just right-click on the URL bar and choose "Undo". Now you can see your token, which is the rest of #access_token=... (without &expires_in=0 at the end).




Now that you have your own token, suppose you gave it to someone else or to some website; let's see what other people can do with "your" access token. You can experience it by copying your token and using it on any other PC/laptop, or on your current PC if you know what I'm talking about :)

With your token, you can now see which app is actually accessing your profile. Copy this link into your browser and paste your token after access_token=. The response comes back in JSON format.

App Info:
https://graph.facebook.com/app?access_token=


This URL will give you the permissions that you have granted the app:

Permission Granted:
https://graph.facebook.com/me/permissions?access_token=


More interestingly, let's submit the next query (change the limit if you want to see more):

User's status (limit=x):
https://graph.facebook.com/me/statuses?limit=1&access_token=


Now that's creepy. It's your statuses: the IDs, messages, or even the long/lat coordinates from where you posted. Supposing there were no restriction, everyone would be able to see them. You get the idea; let's see how other people can access your profile:

User Info:
https://graph.fb.me/me?access_token=
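The queries above show what a leaked token exposes: the token fragment left in the address bar, and the set of permissions the app was granted. As an added example (my own code, not from the original post or from Facebook), here is a small audit script that parses such a `#access_token=...&expires_in=0` fragment and the JSON body of `/me/permissions`, and flags the two things a defender cares about: a token that never expires, and granted scopes that let the app act on your behalf rather than just read. The sample fragment and permission documents are constructed, the token value is a placeholder, and the list of write-capable scopes (beyond `publish_actions`, which the page names) is an assumption. It accepts both the current permissions format (`{"permission": ..., "status": "granted"}`) and the older flat format where each granted scope is a key with value 1.

```python
import json
from urllib.parse import parse_qs

# Scopes that let an app post or manage things as the user. "publish_actions"
# is named on the page; the others are assumed examples of write-capable scopes.
WRITE_SCOPES = {"publish_actions", "publish_stream", "manage_pages", "publish_pages"}


def parse_token_fragment(fragment):
    """Parse the '#access_token=...&expires_in=N' fragment the login redirect
    leaves in the address bar. Returns (token, expires_in); token is None if absent."""
    params = parse_qs(fragment.lstrip("#"))
    token = params.get("access_token", [None])[0]
    expires = int(params.get("expires_in", ["0"])[0])
    return token, expires


def audit_permissions(permissions_json):
    """Return the granted write-capable scopes from a /me/permissions response body.

    Handles both response shapes: a list of {"permission", "status"} objects,
    and the legacy single object whose keys are scopes with value 1.
    """
    doc = json.loads(permissions_json)
    granted = set()
    for item in doc.get("data", []):
        if "permission" in item:
            if item.get("status") == "granted":
                granted.add(item["permission"])
        else:
            granted.update(k for k, v in item.items() if v == 1)
    return sorted(granted & WRITE_SCOPES)


def token_risk(fragment, permissions_json):
    """Combine both checks into a list of human-readable findings."""
    token, expires = parse_token_fragment(fragment)
    if token is None:
        return ["no access_token in fragment"]
    findings = []
    if expires == 0:
        findings.append("token does not expire (expires_in=0)")
    risky = audit_permissions(permissions_json)
    if risky:
        findings.append("write scopes granted: " + ", ".join(risky))
    return findings


# Constructed sample inputs; the token is a placeholder, not a real credential.
SAMPLE_FRAGMENT = "#access_token=EXAMPLE_TOKEN_PLACEHOLDER&expires_in=0"
SAMPLE_PERMISSIONS = json.dumps({"data": [
    {"permission": "public_profile", "status": "granted"},
    {"permission": "user_likes", "status": "granted"},
    {"permission": "publish_actions", "status": "granted"},
    {"permission": "user_photos", "status": "declined"},
]})
LEGACY_PERMISSIONS = '{"data":[{"installed":1,"publish_actions":1,"user_likes":1}]}'

if __name__ == "__main__":
    for finding in token_risk(SAMPLE_FRAGMENT, SAMPLE_PERMISSIONS):
        print("WARNING:", finding)
```

If you run it on a fragment copied from your own address bar and the JSON from your own `/me/permissions` call, the two warnings it prints are exactly the conditions that make a copied token worth something to someone else: it keeps working indefinitely, and it can post, not just read.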


To sum up, I wouldn't say this is a very big exploit that is harmful to your Facebook account. It is, in fact, just some API calls from the Graph API that Facebook provides, but in the hands of many opportunistic and clever people, it may come in handy. Knowing how the Facebook API works, we can manipulate the access token and let it do the work for us, such as Like, Subscribe, Follow etc. And yes, people use it to make money in the SEO world.


If you have any questions, please feel free to comment down here or reach me on my facebook page. I will get back to you as soon as I can! Thank you.
