POC for CSP-Deanonymization of FacebookMobile users

This page demonstrates an implemantation of a Proof of Concept for the deanonymization of FacebookMobile users by bruteforcing CSP-Headers.

The following websites are vulnerable:

Preconditions

This exploit requires certain preconditions:

I provide an in-depth explanation in my blog post Deanonymizing Facebook Users By CSP Bruteforcing

Caution: This check takes ca. 10 to 15 seconds to complete und transmits about 500KB of data.

Explanation

This technique makes uses of the Bruteforcing of FacebookMobile profile URLs. Since a check for all users is not feasible (neither time- nor traffic-wise, think of Facebook with more than 1 Billion users), a set of profiles has to be predefined (see Prequalification of Facebook profile URLs for some realistic approaches). Further, I'm 'only' providing a Proof of Concept and do not intend to present a full-fledged ready to use exploit, so I'll limit the predefined set to 1.000 fake profiles. This 'Group 0' well be checked by default to simulate a realistic scenario with regards to duration and traffic.

You must provide your personal profile URL in the text field below, in order for this Proof of Concept to work. Feel free to enter up to 750 profile URLs (seperated by new line) to be sure I'm not just reading your input ;) The script is going to identify 'your' profile from the full input.

No personal data will be saved, of course!

Let's go

Hint: A click on the following button will insert 500 random fake usernames in the text field. The current input will be deleted!

Caution: Please do not forget to enter you real username 'somewhere' in between!

You can find your FacebookMobile-Profil-URL by opening https://m.facebook.com/me. It'll look something like this: https://m.facebook.com/pascal.landau1. The marked part shows you username resp. the user ID.

Example input:

pascal.landau1
zuck
fake.profil.1337
Start Deanonymization

Status

© by Pascal Landau