Saturday, September 14, 2013

Now you see my facebook friend list.


I have reported this simple control flow exploit to the Facebook "Security" team but they didn't acknowledge whether it's a bug or not. They did respond the first time to my report, with the response "It's not a bug". After that, I sent my explanation and POC videos but received no response. Anyway, I thought to post it online so that at least other users or readers can hide their private information.

There are actually two different things I would like to share. The first one is about how to see the friend list of a few profiles and the second one is about taking over the facebook account of close friends.

See friend list of a person without even logging into Facebook

This happens for only a couple of profiles at my side. Security settings of these people might be different than that of other ones, I didn't investigate it further. Also facebook is smart enough to ask different security questions when you keep trying from the same machine but it starts from the same question when you try from different machine. Smart enough? =P

1) Anyway, all you need to do is to get a username of the victim user. You can get username of any user through their profile link. Click on any profile and extract it from facebook.com/<username> link.

2) Then on the main screen, click on 'Forgot your password?' and search for this username on the following page.





3) After clicking on the Search button, you will see a page like below. It might be a little different, giving different options.



4) Click on 'No longer have access to these'. It will ask email address. Give any email address which is not linked to facebook yet and click on Continue button.



5) After you click on Continue button, you shall see a screen like below;



Click on 'Recover your account with help of your friends'. That's all you ever wanted. I have noticed that option of 'help from friends' is not shown for the same user if I repeat the steps again and again on the same machine. I am still not able to find out the correct reason why it's not shown on the same machine again but it could be one of the security measures facebook might have taken.


6) Now see the friend list of the victim user.






And if you are wondering what someone can do with the friend list, you might want to look into this post (my emphasis is only on importance of friend list) and secondly, had it not been private data, facebook would not have given the option to hide the friend list.

Interestingly, I can see only mutual friends from this user's timeline when I am logged in but when I am logged out, I can see other friends too. 

Take over facebook account of your (close) friends

1) Follow above given steps up to 4 until you see the security question.

Typically, facebook asks 'In what city or town was your mother born?'. Knowing where a person lives, it's not hard to guess the answer for this question. Particularly, if (s)he is your close friend or family relative and you want to harm him/her for any reason, facebook makes it easy for you. And if the mother is already on facebook, it's a bit easier. Broadly speaking, you can call it a social engineering attack which facebook is not responsible for, but facebook should not let it happen so smoothly. I happened to guess it for my brother, just in case.
 
Once you answer the question successfully, you can reset the password. Facebook provides a 24-hour cushion to the victim, but what if the user is not so active on facebook? You get access to his/her account.

And the worst part is; you cannot change the answer for this question until you convince facebook that your account has been hacked and you go through re-identification process. That means, after you get your hacked account back, I can answer the same security question again and reset the password again. There was some conversation here around four months ago but I guess, facebook didn't bother to listen to them.

A few of the other questions are:

What's street name where you lived when you were 8 years old?
What's your pet name?

Typically most users answer these questions honestly, so that if they have to reset the password, they can easily remember the answers. But every friend of your neighbors might also know this thing and I am sure you don't want them to take over your account. Anyway, you got my point.

Happy facebooking =)

 P.S. I might post my facebook email communication to show how much facebook is "concerned" about privacy of its users. And I have a few POC videos for both sub-posts too.

Update-1::

I did receive a response for the first issue after a few days of posting this article. They said that it's not a bug and they are pretty confident that they will show friendlist only to the people who have logged into a computer many times before.

And for second issue, they have not responded yet. No ticket number was assigned to the bug report, so I don't know how to ask them about any update on the same issue.

Update-2::

It's interesting that someone gave a talk on the same issue at Hack In The Box conference.
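
The post observes that the recovery flow varies its security question per machine and starts from the same question again on a different machine. As an added example (not Facebook's code and not part of the original post), the guard below keys attempt counting and question rotation on the target account instead of the requesting client; the class names, limits, account name and answers are assumptions made for illustration.

```python
import hmac
import time
from dataclasses import dataclass, field

MAX_FAILURES = 3                 # assumed policy: wrong answers allowed per account
LOCKOUT_SECONDS = 24 * 60 * 60   # assumed policy: lock length once the limit is hit

# Constructed sample data: the question texts are the ones quoted in the post,
# the account name and the answers are made up.
SAMPLE_QUESTIONS = {
    "example.user": [
        ("In what city or town was your mother born?", "springfield"),
        ("What's street name where you lived when you were 8 years old?", "elm street"),
        ("What's your pet name?", "rex"),
    ],
}


@dataclass
class RecoveryState:
    failures: int = 0
    locked_until: float = 0.0
    clients: set = field(default_factory=set)   # every machine that tried


class RecoveryGuard:
    """Keeps recovery state per target account, never per requesting client."""

    def __init__(self, questions, clock=time.time):
        self.questions = questions   # account -> list of (question, answer)
        self.clock = clock
        self.state = {}              # account -> RecoveryState

    def _touch(self, account, client_id):
        st = self.state.setdefault(account, RecoveryState())
        st.clients.add(client_id)
        return st

    def _current(self, account, st):
        # Rotation follows the account's failure count, so a new machine
        # continues where the previous one stopped instead of starting over.
        qs = self.questions[account]
        return qs[st.failures % len(qs)]

    def next_question(self, account, client_id):
        """Return the question to ask, or None while the account is locked."""
        st = self._touch(account, client_id)
        if self.clock() < st.locked_until:
            return None
        return self._current(account, st)[0]

    def submit_answer(self, account, client_id, answer):
        """Return 'verified', 'retry' or 'locked'."""
        st = self._touch(account, client_id)
        if self.clock() < st.locked_until:
            return "locked"          # even a correct answer is refused
        expected = self._current(account, st)[1]
        given = answer.strip().lower()
        if hmac.compare_digest(given.encode(), expected.encode()):
            del self.state[account]
            return "verified"
        st.failures += 1
        if st.failures >= MAX_FAILURES:
            # The count is kept after the lock expires, so each later
            # wrong guess locks the account again at once.
            st.locked_until = self.clock() + LOCKOUT_SECONDS
            return "locked"
        return "retry"

    def distinct_clients(self, account):
        """Number of machines seen for this account; a signal worth alerting on."""
        st = self.state.get(account)
        return len(st.clients) if st else 0
```
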


Saturday, August 31, 2013

Removing your traces from the internet


A few days back, I searched on the internet for my name and I was surprised to see how many accounts I created once were pointing towards me. It's a bit scary when almost any interested person can get access to the internet and get to know about me, my location, activities, photos from facebook, Flickr, google+ profiles etc. So I went to each link separately and hid my personal data which I shared once a couple of years ago.

Anyway, after some time I figured out what google account settings can do for me. They are actually pretty handy to handle this issue. Under these settings you can search for your name and it will show you all the results from google search. You can actually do the same without going to the settings. But interestingly, it also provides you the option to get alerts from google whenever new data on the web is linked to your profile. Cool na?

Step 1:

Go to account settings from this link. If you are not logged into your gmail account, it will ask for username and password to reach there, of course.

Step 2: (De)linking your other google accounts
 Go to Account ==> Dashboard as shown below:






Here you can actually see all of your accounts connected with your gmail account and saved on google servers. There might be other third party websites too where you logged in with your gmail account but they will not be displayed here.

You can see following things from this page:
-google account details
-alerts set up with your gmail account
-how many android devices are linked with this account
-blogger profile
-orkut profile
-picasa
-google calendars
-youtube channels list etc.

It provides a good summary of all these accounts and you can take appropriate action from here.


Step 3: Find your traces from internet


If you click on 'Me on web' link as shown below, you can do very interesting things. You can search yourself on google, set alerts for future data being linked to your profile and you can also review your g+ profile over here.






Step 4: De-linking other third party websites from your google accounts


Click on Security and scroll down the page to see 'Connected applications and sites'. This is where you can see all the sites where you ever used your gmail account to log in quickly. You can actually revoke all the access from those websites.


Click on 'Review Permissions' and you shall see a screen like below.


So you can revoke access for all of the uninteresting websites from this link. You don't have to go to each site separately.

Happy googling =)




Wednesday, August 14, 2013

Compile C programs with gcc/cygwin


Open a Cygwin terminal and type 'cd /cygdrive; ls'. Then go to the particular directory on any of the drives shown.

$ cd /cygdrive; ls

$ gcc -o o.exe file1.c

If a program consists of more than one file;

$ gcc -o o.exe file1.c file2.c file3.c

If you want to take inputs from a file, instead of entering one by one from the keyboard for scanf() inputs;

$  ./o.exe < ../sum1.dat

sum1.dat is one directory up from the current directory.















Friday, August 2, 2013

Adding vector graphics images (svg) in Latex/pdf files


Adding an image in svg format in Latex keeps the picture intact on performing reasonable zoom in  and zoom out which means, its quality is not distorted.

There are a few easy steps to create and add svg image. First we will create a very simple image using Inkscape and then add into the Latex file.

Step 1:

Download and install the latest version of Inkscape from here. I downloaded the 'inkscape-0.48.4-1-win32.exe' file.

Step 2:
 
Create a new Default page in Inkscape and add some random rectangles and circles. You can definitely create your desired figure but right now, create only without adding any text.

Step 3:

For my test example, I created the following one. Click Save-as and choose .pdf format. There will be one dialogue shown up before pdf file is created. Choose following configurations. PDF+Latex checkbox is important here. When you click on OK button, two files are created; .pdf and .pdf_tex


I created following image for my testing which I changed later, never mind.


Step 4:

Go to top of your Latex document where you add/use other packages. Ctrl+c and Ctrl+v following lines there. {First line will add 'color' package}

\usepackage{color}
\newcommand{\executeiffilenewer}[3]{%
\ifnum\pdfstrcmp{\pdffilemoddate{#1}}%
{\pdffilemoddate{#2}}>0%
{\immediate\write18{#3}}\fi%
}
\newcommand{\includesvg}[1]{%
\executeiffilenewer{#1.svg}{#1.pdf}%
{inkscape -z -D --file=#1.svg %
--export-pdf=#1.pdf --export-latex}%
\input{#1.pdf_tex}%
}


Step 5:

Now we will add image we created in step-3. Add following lines in the latex document where you want to add image. We will give only name here without giving extension (.pdf_tex).


\begin{figure}
\centering
\def\svgwidth{\columnwidth}
\includesvg{test2}
\end{figure}



test2 is the file name we want to add and it should be in the same folder where .tex file is. At this point, this test2 image should be displayed in the pdf file.

However, if we add text to this file, it's not displayed in the pdf file generated from Inkscape.

Step 6:

Add a text object by clicking text icon in the lower left corner as shown in following picture. Type  '$$' text here.


 Now click on arrow icon and right click on this object. Go to 'object properties'.


 Anything you type in Title and Description will appear in the output file. Set the value and save it as .pdf with the same settings.



Step 7:

Now recompile your latex file. It should show the text. Rest is just playing with these features.

Draw Figure with Visio:

Drawing figures in Inkscape seemed a little bit difficult to me as I was not able to figure out how to draw arrow and other simple shapes easily.

So create a figure in Microsoft Visio,

Ctrl+a, Ctrl+c and then Ctrl+v in Inkscape and save it as .pdf with the same settings.  

OR

Export it as .svg from visio, and import it into the Inkscape.


Sunday, June 9, 2013

Changing the Virtualbox virtual machine(VM) disk size


After struggling for a few hours, I finally found one article and a little bit of luck to solve this issue. I wanted to resize VM disk size from 8 GB to 25 GB. I was successfully able to either create a new disk and attach it separately or make it as primary but effect was not being reflected inside the machine.

Anyway, I am running Windows 7 on my host machine and Ubuntu 32-bit on my guest machine (VM). I guess, same will be true for any guest (Windows 7, XP etc.) machine.

Step 1:

Go to command prompt and navigate to the virtualbox installation folder. On my machine, it's installed at 'C:\Program Files\Oracle\VirtualBox\'. You should be able to see 'VBoxManage.exe' at this location.

Step 2:

Run following command to resize your VM disk.

> VBoxManage modifyhd "C:\Users\junaid\VirtualBox VMs\UbuntuForEverything\UbuntuForEverything.vdi" --resize 25000

Now after it, disk virtual size is changed to 25 GB but actual size remains the same. Story starts from here.

Step 3:

Make a clone of your disk with following command.

C:\Program Files\Oracle\VirtualBox> VBoxManage clonehd "C:\Users\junaid\VirtualBox VMs\UbuntuForEverything\UbuntuForEverything.vdi" "C:\Users\junaid\VirtualBox VMs\UbuntuForEverything\Ubuntu25GB.vdi"

0%...10%...20%...30%...40%...50%...60%...70%...80%...90%...100%

So my new clone disk name is Ubuntu25GB.vdi which contains the same data.

Step 4:

Download GParted iso file from here.


Step 5:

5.1)   Go to Settings => Storage => Controller:SATA. and detach existing disk and attach Ubuntu25GB.vdi as a new disk.

5.2) Go to Settings => Storage => Controller:IDE and add a CD/DVD device(GParted.iso downloaded in step 4) as shown below.



 5.3) Go to Settings => System and uncheck the 'Hard disk' option as we want to load the system from iso file of step 5.2. In following picture, this option is selected, you have to deselect it. Click ok and start your machine.


Step 6:

6.1)  You will see following screen. Press Enter



6.2)  Press Enter


6.3)  For language, type 33 for US English and keep pressing Enter until you see following screen.



6.4)  As given in the above picture, I have 8 GB used space and almost 16 GB unallocated space. But if you see two rows in between these two disks, there are sda2 and sda5 disks. It was not allowing me to resize my 8 GB disk, so I deleted these two disks. If you see the similar type screen, first delete the child disk (sda5 here) and then parent one (sda2 here)

6.5)  After the deletion, it should look like this.


6.6)  Select the 8 GB disk and do right click. Select Resize/Move option as shown below.



6.7)  Drag the right side of the box such that it is expanded from

 
to



6.8)  You will see following screen.



6.9)  Don't forget the 'Apply' button. It will take some time to save changes.

Step 7:

Now do the opposite of step 5.2 and 5.3. We want to load from hard-disk under System settings and from Ubuntu25GB under Storage settings.

Once logged into Ubuntu, run Disk Analyzer from settings to confirm the disk size.


Saturday, May 25, 2013

Getting facebook user access token in Android


For one of my semester projects, I had to develop an android application which would allow users to login to facebook and then let the application obtain the user access token from the session object. This user access token can be used to obtain/download all the data about you and your friends which  you can access normally through browser. In my case, I had to download profile picture albums of logged in user's friends, so I generated an access token based on my requirements.

I would advise you to go through one step each here and before working on it, read it completely. Sometimes, I can give some troubleshooting before the end of the step which might save some of your time.

Starting from scratch, you have to do following things:

Step 1:

Open Getting Started Guide with the Facebook SDK for Android.

Follow Step-1, Step-2, Step-3.  You don't need to do Step-4 (Run the samples).

When you link the Facebook SDK, you might have to remove 'android-support-v4.jar' from the lib folder of your project. It was showing some error because there were two versions (libs + Facebook SDK).

Step 2:

2.1) Follow the step-5 from the link. You can generate a facebook app from here and when it asks to generate a hash key, you can use following command on command prompt on Windows.

>  keytool -exportcert -alias androiddebugkey -keystore %HOMEPATH%\.android\debug.keystore | openssl sha1 -binary | openssl base64

It will ask for password which is "android" without quotes.

2.2) With the created app, go to Basic Settings, click on checkbox saying (Native Android App) and provide the information as given in the sample tutorial.

2.3) You have to deselect sandbox option in the app settings which otherwise restricts app's access to developers only. This is very important if you want other users to use your application.

2.4) You can play with Graph API Explorer to see what kind of permissions you need for your application. And you choose all the permissions for now which you can change later from here again.

3) Follow step-6 as given. You can skip adding code to the MainActivity.java for now.

4)  Copy MainActivity class code from here given in update-1.

In onResume() method, we are printing access token which we can use to access any kind of data permissible by access token. I used this token to download profile pictures which I will explain in another post.


Friday, February 15, 2013

Installing hadoop-1.0.4 on Mac (OS-10.7) for a Single Node



Using the steps given in this post and this excellent guide by Brandon Werner, you can install hadoop-1.0.4 (latest by now) on your Mac (OS-10.7). I will be just adding/modifying some steps (mentioned with the same title) which troubled me enough to google for those issues. You better follow the other link and when you face some trouble, come back here and see the solution.
  
Getting Java

<same> 

Setting up Environment
 
.bash_profile file was not present under my home directory, so I had to create a new file and edit it. So use following commands to create and modify that file. 

$ touch .bash_profile
$ open -a TextEdit.app .bash_profile

 <rest is same as given in other link>

Downloading Hadoop 

Download 1.0.4.tar.gz file from Apache website and type

$ sudo cp ~/Downloads/hadoop-1.0.4.tar.gz /usr/local/hadoop-1.0.4.tar.gz

$ cd /usr/local

$ sudo tar -xvzf hadoop-1.0.4.tar.gz

$ sudo mv ./hadoop-1.0.4 ./hadoop

Configuring: hadoop-env.sh  

The directory name is changed from 'config' to 'conf' in 1.0.4. For the rest, just follow the steps as given and apply the fix for Lion.

Configuring: *-site.xml files  

Remember to open all the files using "sudo vi ..."; texteditor/root user/sudo chown won't work for this purpose.
 
Setup HDFS for the first time

Make sure 'Remote Login' is enabled in System Preferences->Sharing->Remote Login on your system otherwise you will get an error that Port-22 is closed.

For the rest, format your HDFS system with the steps given in that link; you better do it with a root login.

Startup Hadoop with the Included Scripts

Run start-all.sh script as given. If you see some exception, log in as root and do the following.

# cd /usr/local/hadoop

# bin/stop-all.sh
# bin/hadoop namenode -format
# bin/start-all.sh

If it asks for the password while starting the daemons, give the root password.

For the rest, you can run the WordCount example as given in that link.

Happy hadooping =)

Monday, February 11, 2013

Dynamic analysis of Android APKs using DroidBox


In this tutorial, I will go through installation and usage of dynamic analysis tool (DroidBox) for Android APKs. If you face some problems during installation, you can try a couple of things given in Troubleshooting section.

Step 1: Build Environment

I have installed Ubuntu 12.04 (32 bit) on Oracle VM Virtualbox. And according to Droidbox website, it can only be run on Linux and Mac, but not on Windows. And don't forget to install other dependencies for android SDK and Numpy/Scipy given below.

If you have not installed android SDK, follow the instructions here to get everything installed. Get API level 7 (2.1) installed for this tutorial. My installations are as per the settings (directory locations etc.) given in that link.

Step 2:

Open terminal and export the path for the SDK tools, if you have not followed the link for sdk installation.
 
export PATH=$PATH:/<path/to/android-sdk>/tools/
export PATH=$PATH:/<path/to/android-sdk>/platform-tools/


Step 3:

Change directory to Downloads and download Droidbox.tar.gz file.

$ cd Downloads
$ wget http://droidbox.googlecode.com/files/DroidBox.tar.gz

Step 4:

If you are using Ubuntu 12.04 (32 bit), you can use following commands otherwise, go to the website and install relevant binaries for Numpy and Scipy.

If git is not installed,

$ sudo apt-get install git

$ git clone git://github.com/numpy/numpy.git numpy

$ git clone git://github.com/scipy/scipy.git scipy

Step 5:

During installation, I got an error like I need to install python-dev, so

$ sudo apt-get install python-dev

Now we need to install numpy and scipy.

$ cd ~/Downloads/numpy
$ python setup.py install --user

Let it run and check at the end that you don't get any error.

$ cd ~/Downloads/scipy
$ python setup.py install --user

Step 6:

Now install MatPlotLib

$ sudo apt-get install python-matplotlib

Step 7:

Now if you have installed SDK as given in the link, you need to keep a few things in mind.

You need to run eclipse as the root user, not with sudo. And after a fresh installation, you won't know the root password. So let's first change the password and then log in as root to run eclipse.

$ sudo passwd root

and choose password for root. Now login with root

$ su root

after logging in, 

# cd /usr/local/eclipse
#  ./eclipse

Step 8:

Now create an AVD and if you face some error like

'PANIC: cant load AVD etc' or 'Failed to load libGL.so' etc,

Run following command

# apt-get install libgl1-mesa-dev

Command Line AVD

However, if you want to create an AVD by command line, follow instructions given here.
  
At the end of this step, I assume you have already created an AVD for API Level 7 with the name 'test'. And you don't need to start the emulator now.

AVD Location

Here are two things now. If you have created an AVD through Eclipse, AVD will be stored by default under root user because you ran it with the root user. Your created AVD will be at /root/.android/AVD/ .

If you created an AVD with command line and normal user, AVD will be stored under /home/mohsin/.android/AVD/

Step 9: Path Settings

Now the Droidbox website says you can download and extract Droidbox anywhere, but I think they should clearly talk about path settings in the shell scripts also. This missing information definitely cost me hours.

Anyway, open startemu.sh file in Droidbox directory, give path to the emulator like below

/opt/android-sdk-linux/tools/emulator -avd $1 -system images/system.img -ramdisk images/ramdisk.img -kernel images/zImage -prop dalvik.vm.execution-mode=int:portable &


Open droidbox.py and give paths to monkeyrunner and adb so that they finally look like following:

call(['/opt/android-sdk-linux/tools/monkeyrunner', 'scripts/monkeyrunner.py', apkName, runPackage, runActivity], stderr=PIPE)


call(['/opt/android-sdk-linux/platform-tools/adb', 'logcat', '-c'])

Step 10: 

Now it's party time. Let's run the emulator and install the APK for analysis. Make sure you are logged in as root if you have created an avd with the emulator.

./startemu.sh test
  
It will automatically get path of test.avd.

Get your APK and give it to DroidBox for analysis.

./droidbox.sh <file.apk> <duration in secs (optional)> 
 
e.g.
 
./droidbox.sh ./HippoSMS.apk 100  

If you give 100 as a parameter, it will analyze for 100 seconds otherwise, you will have to do Ctrl+C to stop it.

Here is the output for one of the samples of HippoSMS malware.







Thursday, February 7, 2013

Installing Hadoop 1.0.4 on Ubuntu 12.04 (LTS) on Single Node cluster



I have been trying to install Hadoop on Windows using Cygwin but it was not successful because of permissions denied for sshd user. So, I moved on to Ubuntu 12.04 (32 bit) on Oracle VM Virtualbox. 

This whole post is based on the installation guide by Michael Noll. So keep this post and Noll's installation guide open, as I will be adding only the steps missing from his post.

Step 1: Sun Java 6

Open a terminal and run the following commands to install sun-java6-jdk. Noll's commands didn't work for me.

$ sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu hardy main multiverse"
$ sudo add-apt-repository "deb http://archive.ubuntu.com/ubuntu hardy-updates main multiverse"
$ sudo add-apt-repository "deb http://archive.canonical.com/ lucid partner"
$ sudo add-apt-repository "deb http://ppa.launchpad.net/webupd8team/java/ubuntu precise main"
$ sudo apt-get update
$ sudo apt-get install sun-java5-jdk sun-java6-jdk oracle-java7-installer

And run following command to confirm jdk6 installation

$ java -version

Step 2:

Add a hadoop system user.

Step 3:

3.1)

Configure SSH until you reach following command

hduser@ubuntu:~$ ssh localhost

Above given command didn't work on my machine as it was giving me error like port 22 is closed.
So first of all, we need to add hduser into sudoers list and then install openssh-server using terminal.
So,

3.2)

Login with root or any user which can run sudo commands.

3.3)

$ sudo adduser hduser sudo

$ /usr/sbin/visudo

A file will be opened. Find a line with
root ALL= (ALL:ALL) ALL

Copy paste this line after the root and change 'root' with 'hduser' so that now file will contain two lines like below:
root ALL= (ALL:ALL) ALL
hduser ALL= (ALL:ALL) ALL

3.4)

Now install openssh-server preferably using root login.
# sudo apt-get install openssh-server

3.5) 

Login with hduser account and run following command

$ ssh localhost

and enter 'yes' to continue connecting and complete configuration of ssh.

Step 4: Disable IPV6 

Use the following command to open the .conf file; gedit was not working on my machine.
$ sudo vim /etc/sysctl.conf

Step 5:   

And for the rest of the installation, follow Noll's tutorial. In the future, when you are asked to edit a file, use 'sudo vim' for all the files.

Rest of the things went smoothly for me, so I think, Noll's tutorial would suffice for complete installation and get hadoop working for a single node cluster.

Happy hadooping =)