Cell phone Session hacking


Post by limdis on Fri Apr 06, 2012 9:52 am

I'm still trying to confirm but I'm pretty sure I was just a victim to this. Here is what happened: Within the past 30 hours or so I started to receive notifications of friend acceptance (FB) to friends I didn't request. I mean a LOT of them, and they are still coming in. From what I can tell nothing else was done. Just an annoyance really and I'm not too frustrated. At first I was confused, but then I was impressed. I changed passwords again, obviously, and started digging.

I can't remember if this is automatic now or if I set this up a while back but I get emails of login traffic sent to an email account so I can monitor anyone and where they log in from. What I noticed is that the normal IPs were there and nothing at all seemed out of place. Except for 2 of them. After doing a trace they belonged to sprint cell phones. I have one of those so I didn't think too much about it at first. So I began to play with logging in from my cell.

I got this with the facebook app. "It looks like someone used your Facebook account to log into Facebook for Android (Thursday, April 5, 2012 at 7:37pm)."

This from cell browser. "A new unknown device logged into your Facebook account (Friday, April 6, 2012 at 7:06am) from San Jose, CA, US (IP=66.87.**.**). (Note: This location is based on information from your ISP or wireless provider.)" with a nifty little notification that stated, "An unrecognized device recently attempted to access your account, let us know if it was you." But it's the first time I've seen that before. The IP was in range for my cell that I received in the other two emails.

Taking a look at active sessions I see this shit. "Logged in from ****, **, ** and 5 other locations." I know though 3 of them I just did. Computer/App/Cell Browser. But then I see this. "If you notice any unfamiliar devices or locations, click 'End Activity' to end the session. This list does not currently include sessions on Facebook's mobile site (m.facebook.com)."

Here are the supposed 5 active sessions:
Last Accessed:   Today at 10:08am
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 [FBAN/FB4A;FBAV/1.8.2;FBDM/{density=1.5,width=480,height=800};FBLC/en_US;FB_FW/1;FBCR/Sprint;FBPN/com.facebook.katana;FBDV/SPH-D710;FBSV/2.3.6;]


Last Accessed:   Today at 10:06am
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1


Last Accessed:   Today at 1:47am
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 [FBAN/FB4A;FBAV/1.8.2;FBDM/{density=1.5,width=480,height=800};FBLC/en_US;FB_FW/1;FBCR/Sprint;FBPN/com.facebook.katana;FBDV/SPH-D710;FBSV/2.3.6;]


Last Accessed:   Yesterday at 10:37pm
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 [FBAN/FB4A;FBAV/1.8.2;FBDM/{density=1.5,width=480,height=800};FBLC/en_US;FB_FW/1;FBCR/Sprint;FBPN/com.facebook.katana;FBDV/SPH-D710;FBSV/2.3.6;]


Last Accessed: Yesterday at 10:37pm
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1


Session Initiated: Yesterday at 10:37pm
Application Name: Facebook for Android


So I ended them all and started over. I logged in first using the browser on my phone. I got the nifty notification again, but no email and active session did not appear. Next was the app and omg.
Last Accessed:   Today at 10:41am
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 [FBAN/FB4A;FBAV/1.8.2;FBDM/{density=1.5,width=480,height=800};FBLC/en_US;FB_FW/1;FBCR/Sprint;FBPN/com.facebook.katana;FBDV/SPH-D710;FBSV/2.3.6;]


Last Accessed:   Today at 10:41am
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 [FBAN/FB4A;FBAV/1.8.2;FBDM/{density=1.5,width=480,height=800};FBLC/en_US;FB_FW/1;FBCR/Sprint;FBPN/com.facebook.katana;FBDV/SPH-D710;FBSV/2.3.6;]


Last Accessed:   Today at 10:40am
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1


Last Accessed: Today at 10:40am
Location: San Jose, CA, US (Approximate)
Device Type: Unknown
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1


Wtf...?

Now I'm just confused. I closed both 10:41 sessions to be safe and the app still works. I thought at first I was victim to something in the same family of firesheep. Now I'm not sure if that was the case or my phone is bugged. If you guys/girls are still with me here, part question, part discussion. What the hell is going on? / Session hacking cell phones.

Go.
(and thanks)
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
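One way to triage an active-session list like the one quoted in the post above, as an added example that is not part of the original post: it parses each record, separates user agents carrying the bracketed `FBAN/...` app suffix from plain browser ones, and flags sessions whose device model is not one you own. The function names, the sample records and the `EXAMPLE-X1` device are constructed for illustration, and treating `FBAN/FB4A` as the app marker is an assumption taken from the quoted strings.

```python
import re
from collections import Counter

# Constructed sample in the post's layout; the EXAMPLE-X1 record is invented.
SAMPLE = """\
Last Accessed: Today at 10:41am
Location: San Jose, CA, US (Approximate)
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1 [FBAN/FB4A;FBAV/1.8.2;FBDM/{density=1.5,width=480,height=800};FBLC/en_US;FB_FW/1;FBCR/Sprint;FBPN/com.facebook.katana;FBDV/SPH-D710;FBSV/2.3.6;]

Last Accessed: Today at 10:40am
Location: San Jose, CA, US (Approximate)
Mozilla/5.0 (Linux; U; Android 2.3.6; en-us; SPH-D710 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1

Last Accessed: Today at 3:12am
Location: Example City (Approximate)
Mozilla/5.0 (Linux; U; Android 2.3.4; en-us; EXAMPLE-X1 Build/GINGERBREAD) AppleWebKit/533.1 (KHTML, like Gecko) Version/4.0 Mobile Safari/533.1
"""

UA_MODEL = re.compile(r"Android [\d.]+; [\w-]+; ([^;)]+?) Build/")
FB_BLOCK = re.compile(r"\[(FBAN/[^\]]*)\]")

def parse_sessions(text):
    """Parse blank-line-separated session records into dicts."""
    sessions = []
    for record in re.split(r"\n\s*\n", text.strip()):
        s = {"model": None, "fb": {}}
        for line in record.splitlines():
            if line.startswith("Mozilla/"):
                m = UA_MODEL.search(line)
                s["model"] = m.group(1) if m else None
                fb = FB_BLOCK.search(line)
                # App UAs carry a [KEY/value;...] suffix; browser UAs do not.
                for tok in (fb.group(1).split(";") if fb else []):
                    if "/" in tok:
                        key, value = tok.split("/", 1)
                        s["fb"][key] = value
            elif ":" in line:
                key, value = line.split(":", 1)
                s[key.strip()] = value.strip()
        s["client"] = "app" if s["fb"].get("FBAN") == "FB4A" else "browser"
        sessions.append(s)
    return sessions

def triage(sessions, known_models):
    """Return (sessions to review first, count per (model, client))."""
    # UA is client-supplied: a match orders the review, it proves nothing.
    review = [s for s in sessions if s["model"] not in known_models
              or (s["fb"] and s["fb"].get("FBDV") != s["model"])]
    return review, Counter((s["model"], s["client"]) for s in sessions)
```

Calling `triage(parse_sessions(SAMPLE), {"SPH-D710"})` puts only the constructed `EXAMPLE-X1` session in the review list; sessions that match a known model still have to be ended and re-checked if the unexpected activity continues.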


Re: Cell phone Session hacking

Post by LoGiCaL__ on Sat Apr 07, 2012 10:56 pm

Read this and just recently read about a vulnerability in the facebook app. It may shed some light on the situation. If not at the very least it's good to know about.

http://acomputerblog.blogspot.com/2012/04/identity-theft-vulnerability-affects.html

I can't find the original article about it. It was way more detailed and provided PoC's.

Re: Cell phone Session hacking

Post by limdis on Sun Apr 08, 2012 11:02 am

Thanks for the article. I wasn't expecting the app itself to be such a bucket of fail. I found some more articles and as it turns out with physical access to the phone you can harvest just about any data you want, and it's easy enough for a kid to do it.

(I'm rocking an android so I kept my searches to that side)

From the wireless perspective I found this: http://droidsheep.de/?page_id=14
and this: http://faceniff.ponury.net/

Let the experiments begin!