One Link Facebook

January 11, 2012, by | Start Discussion

Can Facebook accounts be hacked? Is it be possible to access your account without your permission and without knowing your username and password? Unfortunately “YES” is the answer.

Yes it is possible and that too with a single link, a link which can bypass all the authentication and security mechanism implemented by Facebook for user security and privacy. No need of username, password, no checkpoint, and neither any geo-location restriction, most importantly there is no active session created, so a user will never be able to know that someone accessed his/her account.

What we need is just a key, a random combination that can hit the lock and open it for you. One of the most interesting link looks like http://fb.me/xxxxxxxxxxxxxx, where series of “x” are the 14 digit random key with numbers and alphabet in both caps, here targeting this particular link can be more beneficial as it can harvest many accounts. This is the only link generated by Facebook with its URL shortening feature which does not contain any user specific information.

The link mentioned above is generated by Facebook by its URL shortening feature. The original link behind this shorten URL looks like
http://m.facebook.com/story.php?share_id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx

This is the link generated for your shared content on Facebook, so whenever someone comments on your shared content this link is generate and sent to your registered cell phone number with the comment made. Here “share_id” is the unique id of the share content, “mlid” is the unique numeric id of the Facebook and “l” is the 8 character long random string, combination of numbers and alphabets in both caps. To make this link working one need to know only the value of “mlid” and the “l”, the value of “share_id” does not matter for this.

And there is one more type of the link, this is the link generated when someone comments on your photo or comments on a photo after your comment or tag you in a photo. The link looks like
http://m.facebook.com/photo.php?pid=xxxxxx&id=xxxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx

Here “pid” is the unique id of the photo on which the comment is made or tagging is done, “id” is the unique Facebook user id of the user who made the comment or tagged you in, or we can say that it is the Facebook user id of the user due to whose action this link and notification is generated, “mlid” and “l” are the same as they were in the previous mentioned link. Only “mlid” and “l” are needed for the link to work and the remaining two can be any random value.

Then as the link discusses first is the shortened for of the link generated for the share content, the same is true for this link, but the shortened for look slightly different

http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy

Here series of “x” is the same as the “id” in the long URL and “y” as the value of “l”

A question arises what can be done using this particular method to hack and access the account? Here a hacker can run a script to check all the possible combinations for a successful entry and can get the access to millions of random Facebook accounts and if lucky may even get the access to Mark Zuckerberg’s profile, seems scary, well this is just the tip of the ice berg.

This link is generated by Facebook itself for the convenience of those users who choose to receive the notification by SMS on their cell phone and it will give them direct access to their account without the need or entering username and password every time to view who commented or liked etc. Every time someone comments on your photo, or on your link, tag you in or comment after your comment on a photo or link you will receive a notification by SMS and this will contain this link. Here we simply cannot neglect the threat of social engineering as the link is on your cell phone and anyone who can access your phone can also access your account.

Facebook now fixed it a bit, earlier one key (“l”) was used repeatedly for two weeks, but now it is fixed to expire after every use. Here fact is that very few users user this link so it would not expire for those unused links.
The only way by which one can prevent his/her account from being accessed this way is by not opting for receiving the notification by SMS or if already registered then by opting out from this service, i.e. to avoid it totally.

A full disclosure can be read here http://withanand.blogspot.com/2011/12/facebook-security-bypassed-with-just.html with a video demonstration.

Anand Kishore Pandey, has just begin his journey in the world of cyber security and works as an Associate Consultant in K R Information Security Solutions and is responsible to conduct Vulnerability Assessment, Penetration Testing and ISO 27001 Implementation.

Leave a Reply