The results for the Ethical Hacker Network Challenge – Miracle on Thirty Hack Street are finally in and I won a Technical Honorable Mention!
The challenge was pretty good and was focussed on Facebook security or insecurity rather. Before I list my answers to the challenge, make sure to check out my blog post on Facebook privacy settings guide. The objective of this hacking challenge was to access a file on someone’s account. The way to access that person’s Facebook profile was to add that person’s friend to my friends list and then misuse the “share with friend of friends” privacy setting on Facebook.
Check out the challenge first before scrolling down and see if you can solve it first.
Challenge Question # 1: What is the name of the following mathematical property? If a=b and b=c, then a=c.
The mathematical property is that of a Transitive relation
Challenge Question # 2: What FQL query or API call can be used to retrieve information about vacations from Kris Cringle’s (uid 100000565751882) Facebook account?
fql.query is : SELECT content FROM note WHERE uid = “100000565751882”
The output
While nothing can be as important to me as the night of the 24th, vacations with Mrs. Claus are a very close second! (Don’t let her know that.)We have done many things over the years. disney was a blast. I will stay at the Swan and Dolphin again!hawaii was tons of fun, even if Mary got a sun burn.washington dc was impressive. I really liked the National Cryptographic Museum. The Enigma machine was cool.norway was definitely the best though. Not only will I always remember that trip, but it will be part of my daily life from now on!<Photo 1><Photo 2><Photo 3><Photo 4><Photo 5><Photo 6><Photo 7>
Challenge Question # 3: What Facebook privacy setting allowed this data leakage? What is the default value of this setting?
The privacy setting is Posts by Me which controls privacy settings for status updates, links, notes, photos, and videos.
The default privacy setting is not “Everyone” as a different account who is not a friend of Fred Gailey returns an empty string to the fql query from Question #2. This also rules out “Only Friends” option as well. The conclusion is “Friends of Friends” privacy setting. Santa needs to strengthen his Facebook security
Challenge Question # 4: What is the text from the decrypted message from the Judge?
The hints for the passphrase were the lowercase locations of disney, hawaii, washington and norway.
Trying them resulted in the secret passphrase being norway. The decrypted pdf file content:
December 9, 1901Dear Mr.Santa,My mom asked me to write you this letter with my Christmas wish list. I’ve always wanted a Righteous Bison Indivisible Particle Smasher for Christmas. I will use it for good – I promise!Here is a picture:<attached picture>I’ve tried to be a very good boy all year.Thank you,Henry X. HarperAge 10P.S. My middle name is “X-mas”!P.P.S. Someday, I hope to be a judge when I grow up!
Bonus Question: What other information can you pull from the Kris Cringle Facebook account (uid 100000565751882)?
1. Photo Albums and Profile Picture
http://www.facebook.com/photos.php?id=100000565751882
http://www.facebook.com/album.php?aid=-3&id=100000565751882
fql query:
SELECT aid, cover_pid, owner, name, created, modified, description, location, link, size, visible FROM album WHERE owner=100000565751882 AND aid IN (aid)
Gives us the link to all the 18 photos and profile picture links. From there, we can navigate to the full four photo albums of Hawaii, Disney, Washington and Norway.
2. Profile picture, profile last updated time, timezone, locale, notes count, note title
fql query:
SELECT name, pic, affiliations, profile_update_time, timezone, notes_count, locale FROM user WHERE uid=100000565751882
Profile picture: http://profile.ak.fbcdn.net/v22939/1987/118/s100000565751882_350.jpg
Profile updated: 1260040422 UNIX time or Sat 5 Dec 2009 at 7:13:42PM GMT
Timezone: GMT -5 or Eastern Standard Timezone
Notes Count & Title: 1 note called Vacations