The vulnerability, found on June 12 by Teofil Cojocariu, Security Researcher at CCSIR.org, has a simple concept but can have a big impact on the websites of small companies or individuals. He open-sourced the script that exploits this vulnerability, which produced a Distributed Denial of Service (DDoS) of ~1 Gbps using Facebook's datacenter.
Update: Facebook now expires the unique identifier after a few refreshes.
Facebook encountered a similar situation this year, an issue that was reported by Security Researcher Chaman Thapa (nickname chr13). Unfortunately, at that time, Facebook replied with an unexpected answer:
“In the end, the conclusion is that there’s no real way to us fix this that would stop “attacks” against small consumer grade sites without also significantly degrading the overall functionality.”
At the beginning of June 2014, Facebook introduced a new feature to refresh attachments. Teofil Cojocariu, Security Researcher at the Cyber Security Research Center from Romania (CCSIR), discovered the issue and reported it to Facebook on June 13th. At the end of July Facebook replied and added some limitations, although small companies will still be affected by the vulnerability.
Teofil was really excited because it seems that Facebook has finally changed its attitude regarding the damage it could cause by letting its datacenter be used to DDoS victims.
“I’m happy to see that now Facebook tried to make some limitation. A step forward for protecting the internet ecosystem,” Teofil explained for CCSIR.org.
Steps to reproduce
1. Find the biggest image on a site/server with Google.
2. Publish that link to Facebook with the “Only Me” privacy option.
3. Refresh the attachment from the right corner of that post while sniffing the requests, or simply view them in the browser.
4. Put the needed data from the request into the POC script.
5. You are now able to launch a DDoS from the Facebook datacenter (multiple IPs are involved).
“I have tried this script a few times and the maximum bandwidth was 934.06 Mbps, but we should take into consideration that I sent the traffic to one of my servers that has a 1 Gbps port, so I think there is no limitation on output,” Teofil added.
Simple POC Script
Although this situation is solved, please keep in mind that there are many cloud services out there, free or with small fees, that could be used to deny critical infrastructure services with minimal effort.
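One defender-side check for the pattern described above (the same large image fetched many times from multiple Facebook addresses in a short time), written as an added example and not code from CCSIR or the original POC: it parses Apache combined-format access log lines and flags any large resource fetched repeatedly by several distinct source IPs within a sliding window, which is how a small site owner would spot this from their own logs. The log lines, thresholds and user-agent string are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache combined-format log lines: one large image fetched six times from four
# addresses in two seconds, plus normal traffic that must not alert. User-agent value is assumed.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Jun/2014:18:19:01 +0000] "GET /big.jpg HTTP/1.1" 200 52428800 "-" "facebookexternalhit/1.1"
203.0.113.11 - - [12/Jun/2014:18:19:01 +0000] "GET /big.jpg HTTP/1.1" 200 52428800 "-" "facebookexternalhit/1.1"
203.0.113.12 - - [12/Jun/2014:18:19:01 +0000] "GET /big.jpg HTTP/1.1" 200 52428800 "-" "facebookexternalhit/1.1"
198.51.100.7 - - [12/Jun/2014:18:19:02 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [12/Jun/2014:18:19:02 +0000] "GET /big.jpg HTTP/1.1" 200 52428800 "-" "facebookexternalhit/1.1"
203.0.113.13 - - [12/Jun/2014:18:19:02 +0000] "GET /big.jpg HTTP/1.1" 200 52428800 "-" "facebookexternalhit/1.1"
203.0.113.11 - - [12/Jun/2014:18:19:03 +0000] "GET /big.jpg HTTP/1.1" 200 52428800 "-" "facebookexternalhit/1.1"
198.51.100.8 - - [12/Jun/2014:18:19:03 +0000] "GET /photo.png HTTP/1.1" 200 2097152 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "[^"]*" "(?P<ua>[^"]*)"')

def parse_line(line):
    """Parse one combined-format line into a dict; return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])
    return rec

def find_amplified_fetches(lines, window_s=10, min_hits=5, min_ips=3, min_bytes=1_000_000):
    """Return {path: {"hits", "ips", "bytes"}} for every large resource (>= min_bytes) fetched
    at least min_hits times by at least min_ips distinct addresses within window_s seconds."""
    by_path = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["size"] >= min_bytes:
            by_path[rec["path"]].append(rec)
    alerts = {}
    for path, recs in by_path.items():
        recs.sort(key=lambda r: r["ts"])
        for i, first in enumerate(recs):
            # every hit on this path within window_s seconds of hit i (sliding window)
            window = [r for r in recs[i:] if (r["ts"] - first["ts"]).total_seconds() <= window_s]
            ips = {r["ip"] for r in window}
            if len(window) >= min_hits and len(ips) >= min_ips:
                alerts[path] = {"hits": len(window), "ips": sorted(ips), "bytes": sum(r["size"] for r in window)}
                break
    return alerts
```

Feed `find_amplified_fetches` your real access log lines; a hit on a single large file with a burst of distinct source addresses is the signature to rate-limit or temporarily block at the web server or firewall.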
Jun 2014 – Facebook adds a new feature to refresh attachments.
Teofil – Jun 8-12, 2014 6:19pm – Discovered on one of these days.
Teofil – Jun 13, 2014 6:19pm – Reported to Facebook.
Facebook – Jun 13, 2014 6:22pm – Automatic reply from Facebook.
Facebook – Jun 14, 2014 1:00am – A Security Engineer from Facebook said that this is interesting and forwarded the problem to the responsible team.
Facebook – Jul 28, 2014 8:13pm – Facebook replied telling him to test again because there was a fix on the server.
Teofil – Jul 31, 2014 10:59pm – Message that the problem seems to be fixed, but the limits are quite high, so small companies can still have problems.
Facebook – Aug 1, 2014 1:17am – $500 bounty 🙂