
Sending a message from any user to anyone. ̶ $ ̶6̶0̶0̶ Free;)



Some news from the exploit market


To bring you up to speed: there are various exploit exchanges, and today on one of them, 1337day.com, an exploit appeared under the name "Facebook Send Messages From Anyone 0day" with a price of $600 ...

So, the beginning of the story. While checking 1337day.com once again, I saw the exploit and was immediately interested, since such cases (exploits for services that have a bug bounty) are rare. Opening the exploit page, we see a price of $600 and the following description:
This is an exploit.

First of all, we search Google and find a video demo of the exploit, uploaded a few hours ago:


After watching it, anyone who knows how Facebook works can understand the scheme of the exploit in a matter of seconds. Facebook gives each user an e-mail address of the form username@facebook.com. The username is public: it is the part that comes after facebook.com/ in the profile URL. That is the first point.

The second point: if you send an e-mail to username@facebook.com, the message lands in the general chat (where regular messages are). And if the e-mail comes from an address to which some account is registered, we will receive it as a message from that user. Note also that if an account has several e-mail addresses attached, any of them can be used. That is, knowing the e-mail address a user is registered with, we can send messages on their behalf. But there are 2 differences:


Preparing the attack


To reproduce the exploit, it is enough to set up your own SMTP server (for example, on Debian):
sudo apt-get install postfix
and install sendemail:
apt-get install sendemail

Next is one line:
sendemail -f from@gmail.com -t username@facebook.com -u subj -m message
The job is done ;) And yes, a PTR record is required for the host you send from (that is, for the domain in the postfix config). Otherwise the messages will not arrive.

Of course, we decided to report this first (to FB). After some more searching, I found that this is already a very old feature, and that a similar exploit is still on sale on the same resource, but for $700:
1337day.com/exploit/description/20296
In the comments there you can see that people have been using it for over 2 years. And the exploit is still on sale ...


Demo from 090h

Happy Friday and have a good weekend ;)

Update: FB replied a minute ago:
Hi,

The ability to deliver unauthenticated messages is a core "feature" of how SMTP email operates. Essentially email messages are spoofable by design. Facebook products that integrate with SMTP validate the email message whenever possible (with SPF, DKIM, and / or DMARC). It would not be necessary for you to verify this message.

More information is available here: www.facebook.com/help/200366226674864
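
The validation that the reply refers to, as an added example that is not code from the original post or from Facebook: a gateway that maps an inbound e-mail's From address to an account should attribute the message to that account only when its own MTA recorded a DMARC pass for the From domain. The authserv-id mx.gateway.example, the function names and the sample messages are constructed assumptions.

```python
import re
from email import message_from_string
from email.utils import getaddresses

# Assumption: the receiving MTA checks SPF/DKIM/DMARC and always prepends its
# own Authentication-Results header (RFC 8601) with this authserv-id.
TRUSTED_AUTHSERV_ID = "mx.gateway.example"

def authenticated_sender(raw, authserv_id=TRUSTED_AUTHSERV_ID):
    """Return the From address only if our MTA recorded dmarc=pass for it."""
    msg = message_from_string(raw)
    senders = getaddresses(msg.get_all("From", []))
    if len(senders) != 1 or "@" not in senders[0][1]:
        return None  # missing, malformed or multiple From addresses
    address = senders[0][1].lower()
    from_domain = address.rsplit("@", 1)[1]
    results = msg.get_all("Authentication-Results", [])
    if not results:
        return None  # nothing verified this message
    # Only the topmost header is ours; any header below it arrived with the
    # message and could have been written by the sender.
    top = " ".join(results[0].split())
    head = top.split(";", 1)[0].split()
    if not head or head[0].lower() != authserv_id:
        return None
    m = re.search(r"\bdmarc=(\w+)[^;]*\bheader\.from=([\w.-]+)", top, re.I)
    if not m or m.group(1).lower() != "pass":
        return None
    return address if m.group(2).lower() == from_domain else None

def sample(auth_results, sender="Alice <alice@mail.example>"):
    """Build a constructed test message with the given header values."""
    headers = [f"Authentication-Results: {v}" for v in auth_results]
    headers += [f"From: {sender}", "To: username@gateway.example", "Subject: subj"]
    return "\n".join(headers) + "\n\nmessage\n"

# Constructed Authentication-Results values for the sample messages.
PASS = "mx.gateway.example; spf=pass smtp.mailfrom=mail.example; dmarc=pass header.from=mail.example"
FAIL = "mx.gateway.example; spf=fail smtp.mailfrom=mail.example; dmarc=fail header.from=mail.example"
FORGED = "mx.other.example; dmarc=pass header.from=mail.example"

if __name__ == "__main__":
    for name, headers in [("verified", [PASS]), ("spoofed", [FAIL]),
                          ("forged header", [FAIL, FORGED]), ("unverified", [])]:
        print(name, "->", authenticated_sender(sample(headers)))
```

A message for which the function returns None can still be delivered, but it should be shown as unverified mail rather than as a message from the account that owns the address.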

Source: https://habr.com/ru/post/191148/

