Security researcher and former hacker Samy Kamkar delivers a talk at Defcon called “How I Met Your Girlfriend” in which he walks through weaknesses in PHP’s built-in session ID generation and how they could be turned against a Facebook account, all, as he puts it, for strictly personal purposes. Below is the adapted text version of his talk.
So this is a discovery and execution of entirely new classes of web attacks in order to meet your girlfriend. So, before we begin, a little bit about me. I am a security researcher – ‘narcissistic vulnerability pimp’ is what they are being called these days, right? I do not do security professionally, I do it for fun, like most of you guys, or some of you guys. I am known for the ‘Samy worm’ [1], the worm on MySpace a couple of years ago. I co-founded ‘Fonality Inc.’, an IP PBX company. And I love Lady Gaga.
You probably wonder, like, why haven’t I heard of this guy, he has done nothing for a couple of years, so why is that? They didn’t let me touch computers. It’s true. A few years ago I was raided by the Secret Service, the Electronic Crimes Task Force. They came into my home, they took all of my computers, well, my laptop, they took my phone, they took any CDs, DVDs, they took my Xbox. The court forbade me to literally touch computers, I was banned for life. A couple of years later I fought, and I fought, and I am now back. I can touch computers. But I am not allowed on MySpace.
Alright, so what are we going to talk about today? We’re going to talk about the web. Why the web? Honestly, you know, I got bored of the web a couple of years ago. You know, it’s really cool, there is so much you can do with it, but security is so much broader, right? There is so much cool stuff going on here at Defcon, and just in security in general, right? You have reverse engineering, you have network security, you do have web application security, there’s hardware hacking – all this cool stuff. Some people have even made ATMs dispense cash, you probably haven’t heard about that, it’s a really cool, new thing that they’re talking about.
But the web is actually really cool in another way. Everyone has a web browser. If you have a computer and you have an operating system, you have a web browser. So, it’s like the one piece of software that allows me to deliver code to you, and for you to execute it. It is basically a code delivery mechanism through which I can attack anyone; everyone has the Internet today.
It’s kinda like when the App Store came out for the iPhone, right, at that point you could deliver any sort of content that you wanted; of course Apple bans malicious content, and fortunately they give us freedom from porn.
So the web browser is just like that, except no one’s guarding it. There is no one checking to make sure that your site’s not malicious; I mean, obviously there are companies that are doing this in software, that are working on this, but for a long time there wasn’t anyone.
So, this is my home page (see screenshot to the right), it’s probably the same for any of you. Anna Faris, she is amazing, I am in love with her. So I was checking out, you know, just pictures of girls on a social network, as I typically do before I get in a lot of trouble. And I found her, and I think, man, she is amazing, you know, she is the kind of girl I wanna get to know.
So I am looking at her profile, looking through her pictures. I can’t really see too much, she is not my friend. I thought about that for a second. And then I thought, oh man, you know, I should message her, but then I saw she is in a relationship. Not an open relationship, it’s not complicated, she is in a relationship. So, who is this guy and how am I gonna best him? So I looked into him a little bit.
Alright, so this guy is a certified information security specialist professional, chief executive officer of ‘SecTheory LTD’, co-author of ‘XSS Exploits’, oh no, author of ‘Detecting Malice’ [2], co-developer of clickjacking – really cool technology with the really awesome Jeremiah Grossman – runs ha.ckers.org and sl.ackers.org, if you guys have been there, and is a certified ASS, which is an application security specialist.
It’s a pretty impressive resume. A man who needs no introduction – Robert ‘RSnake’ Hansen (pictured). So here is the problem: I wanna attack this guy. You know, we all know we can attack random people on the web. You know, you have a little bit of malicious content on there and you’ll get some sort of hit rate. And if you have enough visitors you will be attacking random people. But I want to do a targeted attack, on someone who is secure. You know, someone like you people, who understands security, who is probably running with a lot of technology to help secure himself.
So how do we do it, how do I attack him? You don’t, you do not attack that person. Attack indirectly. Girlfriend? That’s what I am trying to attack. So he is on Facebook. Facebook is an awesome website, it’s a social network, it’s the cool one these days. Now if we go to Facebook, we’ll see something in the URL bar: index.php. And now you’re thinking, it’s PHP, it’s a computer language, right, typically used for the web. It’s an extremely common web language. I am sure all of you have at least heard of it, and many of you, I am sure, program in it. It’s great because it’s extremely common. So it’s well understood.
The code is open source. You can all go look at it and see what’s going on in there. It basically has very good session management that everyone uses. Every single person who does PHP and uses sessions typically uses the built-in session management. If you’re using frameworks, like CakePHP or Kohana or other things – they are also using this session management.
So PHP sessions – what are they? They are basically a random string that’s generated. It’s passed either in the URL or in cookies. So what are cookies? A cookie is basically a persistent piece of text that remains with your browser, I am sure all of you are familiar with that; it just contains data. Typically it will contain session data. Session data is basically a random string, so that when you go to any page on that website, it can identify you with other information the server has stored locally.
So when you go to Facebook, and you log in with the username and password – they provide you a random string that is assigned to that username. If you ever go to any other pages later on, they look at that random string that you’re sending them, and they say, oh, I know this guy, this is Samy. So it authenticates you.
So let’s try to attack a session. Let’s look at the PHP session code (see image with the code snippet). It’s open source, so we pull up ‘session.c’. This is the function ‘session_start()’. This is what creates a session in PHP. Basically what happens is – it creates your random string right here in the snippet of code, in this spprintf. It’s looking at a couple of things. It’s looking at the IP address of the person authenticating or getting this session. It looks at the epoch, which is basically the time since January the 1st, 1970, in number of seconds. It’s looking at the microseconds at which that person acquired the cookie. And it’s looking at a random, just a random number that’s created.
So if we take all of that, that’s 160 bits of entropy. We’ll get a little deep here, just for a little bit, so 160 bits is a lot if I wrote a brute-force [3]. Let’s say I wanna become RSnake on Facebook; what I would do is brute-force the session, that random string. But 160 bits – that’s a lot.
Now, bits can be a little confusing. Let’s do a real quick primer. You know, 64 bits is not double 32 bits. Every time you add a bit – you are doubling. So just a quick primer: what we can do is a little trick, for every 10 bits you can add 3 zeros. So 10 bits is a thousand, 20 bits a million, 30 bits a billion. Also, if you can just remember the first 10 bits, 0 through 9 equal 1, 2, 4, 8, 16, 32, 64, 128, 256, 512, you can take that number to figure out what you want. So 25 bits: we know 5 is 32, and 20 bits is 6 zeros. So 25 bits is 32 million in that scenario.
So 160 bits is essentially 10^48. If we could brute-force at a 100 trillion values per second, it would take 900 quadrillion eons to brute-force. I didn’t even know what an eon was, I had to look it up, it’s 500 trillion years, that’s a lot.
So, again, 160 bits, we’re not gonna brute-force this, it doesn’t matter how fast a computer you have. So let’s take a look at this a little bit closer. Well, microseconds isn’t really 32 bits. Microseconds, there are only a million microseconds per second. Well, a million, if you remember, is only 20 bits, right, because there are 6 zeros. So we actually just reduced it, without doing anything: 160 bits, and we reduced it by 12 bits, and got it down to 148 bits, which doesn’t help us, that’s a lot.
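As an added illustration (not part of the talk, and not PHP’s own source), the following Python models the generator Samy is reading out of ‘session.c’ and carries through his entropy accounting. The pre-image format "%.15s%ld%ld%0.8F" (client IP, epoch seconds, microseconds, LCG output times ten) followed by MD5 is assumed from PHP 5.x; the per-field widths are the ones the talk uses (32 + 32 + 32 + 64 = 160). The last function goes past what this part of the talk establishes: it assumes the other three inputs are known and only shows what a 20-bit field costs to enumerate. The sample IP, timestamp and LCG value are constructed.

```python
"""Model of the PHP 5.x session ID generator and the talk's entropy accounting.

Added illustration, not code from the talk or from PHP. Assumed from
session.c: spprintf("%.15s%ld%ld%0.8F", remote_addr, tv_sec, tv_usec,
lcg * 10) followed by MD5 (PHP's default session.hash_function).
"""
import hashlib
import math

# Nominal width of each input as the talk counts it: 32 + 32 + 32 + 64 = 160.
NOMINAL_SPACE = {"remote_addr": 2**32, "tv_sec": 2**32, "tv_usec": 2**32, "lcg": 2**64}

# The same inputs with the one correction the talk makes so far: the
# microsecond field is stored in 32 bits but only ever holds 0..999999.
REDUCED_SPACE = {"remote_addr": 2**32, "tv_sec": 2**32, "tv_usec": 1_000_000, "lcg": 2**64}

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def php_session_preimage(remote_addr: str, tv_sec: int, tv_usec: int, lcg: float) -> str:
    """Rebuild the string PHP hashes: "%.15s%ld%ld%0.8F" (assumed format)."""
    return f"{remote_addr[:15]}{tv_sec}{tv_usec}{lcg * 10:.8f}"


def php_session_id(remote_addr: str, tv_sec: int, tv_usec: int, lcg: float) -> str:
    """Default configuration: MD5 of the pre-image, hex encoded (4 bits/char)."""
    preimage = php_session_preimage(remote_addr, tv_sec, tv_usec, lcg)
    return hashlib.md5(preimage.encode()).hexdigest()


def entropy_bits(space: dict) -> float:
    """Bits of entropy if every field is uniform over its own value space."""
    return sum(math.log2(n) for n in space.values())


def bruteforce_years(bits: float, guesses_per_second: float) -> float:
    """Years to enumerate all 2**bits candidates at a given guess rate."""
    return 2 ** bits / guesses_per_second / SECONDS_PER_YEAR


def recover_usec(target_id: str, remote_addr: str, tv_sec: int, lcg: float):
    """Enumerate only the microsecond field, ASSUMING the other three inputs
    are known to the attacker (an assumption the talk has not yet justified
    at this point). Demonstrates that a ~20-bit field is a sub-second search."""
    for usec in range(1_000_000):
        if php_session_id(remote_addr, tv_sec, usec, lcg) == target_id:
            return usec
    return None


if __name__ == "__main__":
    # Constructed sample inputs; not a real client or session.
    ip, sec, usec, lcg = "10.0.0.7", 1280000000, 654321, 0.12345678
    sid = php_session_id(ip, sec, usec, lcg)
    print("pre-image :", php_session_preimage(ip, sec, usec, lcg))
    print("session id:", sid)
    print("nominal   :", round(entropy_bits(NOMINAL_SPACE)), "bits")
    print("reduced   :", round(entropy_bits(REDUCED_SPACE)), "bits")
    print("160 bits at 1e14/s:", f"{bruteforce_years(160, 1e14):.3g} years")
    print("20 bits at 1e6/s  :", f"{bruteforce_years(20, 1e6):.3g} years")
    print("usec recovered with the other fields known:", recover_usec(sid, ip, sec, lcg))
```

The two dictionaries are the whole point: the generator’s inputs are the same, only the count of values each can really take changes, and `entropy_bits` drops from 160 to about 148 exactly as the talk computes. `recover_usec` is there to make the scale tangible; on its own it is not an attack, because the IP, epoch and LCG output are still unknown at this stage.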
[1] – Samy worm (also known as JS.Spacehero) was an XSS worm developed to propagate across the MySpace social-networking site.
[2] – ‘Detecting Malice’ is an eBook written by Robert Hansen (RSnake) covering different realms of online fraud and the ways to detect it at many different technical layers for fraud loss prevention.
[3] – Brute-force – a method of defeating a protection (a password, key or session token) by trying a large number of possibilities until one works.