One link Facebook (Anand Pandey)
1 like5,659 views
One Link provides direct access to a Facebook account without needing a username or password by bypassing all security points through a single link. The link contains parameters like a photo or user ID and a secret key that can be brute forced or socially engineered to gain full access to random Facebook accounts. Users should be aware of these direct links and the security risks they pose.
One link Facebook (Anand Pandey)
- 1. One Link Access the account without restriction with just one link Anand K. Pandey anandkpandey1@gmail.com
- 2. Facebook • Social networking website • Founded in February 2004 by Mark Zuckerberg • Used to interact with friends, colleague and to make new friends
- 3. Facebook • Get 10 Billion hits per day • Second most visited site • More than 800 million active users • More then 250 million photos are uploaded daily • More than 900 million objects that people interact with
- 4. Number of active users 800 750 700 600 500 500 400 Number of users (in 350 million) 300 200 100 100 50 0 2007 2008 2009 2010 2011
- 5. 20 Minutes of Facebook Event Wall Comment Invites Posts Made 14,84,000 15,87,000 1,02,08,000 Link Photos Status Shared Uploaded Update 10,00,000 27,16,000 18,51,000 Friend Message Tagged Request Sent Photos Accepted 27,16,000 19,72,000 13,23,000
- 6. Facebook in News • Massive hack/spam attack • Facebook tracks users activity • Anonymous threaten facebook
- 7. Facebook Security • Unique Username • Password
- 8. Facebook Security • Check Point
- 9. Facebook Security • Geo Location Restriction
- 10. Facebook Security • Login review
- 11. Direct Link • One single link • Bypass all security points • Username • Password • Check points • Geo location restriction
- 12. Direct Link When someone • Comments on your photo • Comments on your link • Tags you • Comments after you
- 13. Type 1 http://m.facebook.com/photo.php?pid=xxxxxx&id=x xxxxxxxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx • Parameters • pid – Photo id • id – FB id of user who commented • mlid – FB id of target user • l (s52giOr8) – Secret key
- 14. Type 2 http://m.facebook.com/story.php?share_id=xxxxxx xxxxxxxxxx&mlid=xxxxxxxxxx&l=xxxxxxxx • Parameters • Share_id – FB id for sharing the link • mlid – FB id of target user • l (s59gpZr8) – Secret key
- 15. Type 3 http://fb.me/xxxxxxxxxxxxxx • URL Shortening • Contain 14 character random alpha-numeric • Use specially for shortening the magic link sent via sms when someone comments on your link • Database of random FB accounts with magic link
- 16. Type 4 http://fb.me/p/xxxxxxxxxxxxxxx.yyyyyyyy • URL Shortening • Contain “id” and “l” • Series of “x” are the FB id or user who commented on your photo • Series of “y” is the special key • Used specially for shortening the direct link sent via sms when someone comments on your photo
- 17. What you can do • Brute-force or social engineer the direct URL • Brute-force the shortened URL to hit random accounts with full access • Remember the most important • FB user ID (mlid) • Secret key (l)
- 19. Email: anandkpandey1@gmail.com Twitter: anand___pandey Linkedin: http://in.linkedin.com/in/anandpandey1