Cracking the Facebook Session

Just watched a 3-part series on YouTube. It was from DefCon 18. The speaker was looking to exploit another guy on Facebook. He noted that Facebook runs on PHP, and PHP is open source, including its session management code. When you log into Facebook, you get a session identifier, which is nothing more than a string that is supposed to be unpredictable.

The session string is stored as a cookie in your browser. PHP session creation produces a 160-bit value. It would take millions of years to brute-force a truly random 160-bit string. However, the value is not built from 160 bits of real randomness: PHP derives it from a handful of inputs, and by studying those inputs you can work out which ones an attacker can learn or narrow down. What is left, the bits that are truly unpredictable, is a much smaller space, and that is the door you break down.

One input is the victim's IP address. You can grab this by getting the person to visit your web site. Another input is a pair of pseudo-random numbers whose generator is seeded from the web server's start time. Cause the server to restart, and you know approximately when that start time was, which cuts the seed down to a small set of candidates.

So after narrowing down each input, our friend managed to reduce the unpredictable part of the cookie from 160 bits to about 20. Now 20 bits is only 2^20, roughly a million candidates, and on average you hit the right one after trying half of them, which matches his measured figure of around 500k attempts to guess it. Good stuff. Getting back to Facebook, they actually run their PHP through HipHop for PHP, their own PHP-to-C++ compiler, which did not change the session ID construction. After the talk showed how to crack the session cookie, PHP's session ID generation was patched to make this harder.
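To make the entropy argument concrete, here is an added example (my own code, not from the talk and not PHP's source). It models the structure PHP's session code of that era used for the pre-hash string, namely the client address, the request time in seconds and microseconds, and an LCG output seeded at process start, but with a toy LCG standing in for PHP's combined LCG and SHA-1 giving the 160-bit ID the post mentions. The IP, timestamps, seeds and the "victim" session are all constructed values. It shows two things: how many bits actually remain once each input is narrowed, and that the narrowed space can be searched directly by recomputing candidate IDs.

```python
import hashlib
import itertools
import math

# Added model, not PHP's real implementation: the ID is a hash over four
# inputs, so it is fully determined by them even though it looks random.
# The LCG below is a toy stand-in (assumption) for PHP's lcg_value().

USEC_PER_SECOND = 10**6


def lcg_value(seed: int) -> int:
    """One linear congruential step; the seed is all an attacker needs to reproduce it."""
    return (1103515245 * seed + 12345) % (1 << 31)


def make_session_id(ip: str, epoch: int, usec: int, seed: int) -> str:
    """Concatenate the inputs (no separators, mirroring PHP) and hash them to 160 bits."""
    material = f"{ip}{epoch}{usec}{lcg_value(seed)}".encode()
    return hashlib.sha1(material).hexdigest()


def effective_bits(ip_candidates: int, epoch_candidates: int,
                   usec_candidates: int, seed_candidates: int) -> float:
    """Bits an attacker must still guess once each input is narrowed to a candidate set."""
    return math.log2(ip_candidates * epoch_candidates * usec_candidates * seed_candidates)


def recover_session(target: str, ip: str, epochs, usecs, seeds):
    """Brute-force the narrowed space; return the (epoch, usec, seed) that reproduces target."""
    for epoch, usec, seed in itertools.product(epochs, usecs, seeds):
        if make_session_id(ip, epoch, usec, seed) == target:
            return (epoch, usec, seed)
    return None


if __name__ == "__main__":
    # Narrowed view: IP known (1 candidate), second known (1), seed known (1),
    # microseconds unknown (10**6 candidates) -> about 20 bits remain.
    bits = effective_bits(1, 1, USEC_PER_SECOND, 1)
    print(f"remaining entropy ~{bits:.1f} bits, ~{2**bits / 2:,.0f} guesses on average")

    # Constructed victim values (not real data); the search windows are kept
    # small here so the demo finishes instantly.
    victim_ip = "203.0.113.7"
    victim = make_session_id(victim_ip, 1_700_000_001, 437, 2)
    found = recover_session(victim, victim_ip,
                            range(1_700_000_000, 1_700_000_002),
                            range(0, 1000), range(0, 4))
    print("recovered inputs:", found)
```

The point of `effective_bits` is that the hash width is irrelevant: log2 of the product of the candidate counts is the real work factor, and with only the microseconds left unknown it comes out just under 20 bits. In the real attack each guess is a request to the target site rather than a local hash, so the million-candidate space is what makes it feasible, not the speed of SHA-1.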

Maybe next time I will also go over how this dude can figure out where you are geographically located by hacking your router. I love it.