Wednesday, February 6, 2008

Facebook passwords?

When logging into facebook your login account name/email address is passed of in login_x, there are the three more variables. One of them is most likely the password. c_user appears to be your facebook user id number. h_user and xs are unknown. I believe one of them is an encrypted version of the password and I don't know about the other.

I made a fake account with these user credentials.

These are the returns

So if you want more info to deal with here is how you capture your own stuff. Open wireshark, and start sniffing. Login to facebook. Once you are done stop sniffing. Right click on your first http packet, probably coming from a 204.x.x.x click follow tcp stream. If you make a fake facebook account to do this, and you feel like sharing please send me the same variable information I have provided here. The c_user and h_user stay the same, the xs is different.

This post would have been more thorough but, work calls, and I just got my eeePC. Bleh. Maybe more tommorrow.

EDIT so I looked at the source and it looks like it's passing some

EDIT login stuff to ssl and there is a shit ton of Javascript

EDIT that I didn't go through, so in closing I would like to say

EDIT that I feel unqualified to talk about this subject.


Will said...

do you have any idea what the ABT= field is for in the firefox version of the login cookie? i get the same login_x= field for the username but the password field seems to be different.. wondering if this could be it

robert said...


User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv: Gecko/20090824 Firefox/3.5.4 FBSMTWB

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive


Cookie: datr=1264105843-59c115600e86eb031abe24434c25415f712bb321ed84676b9ce96; h_user=AAAAAQAQHxG3ykip3hhHc5He_sdrCgAAABDUc93eADreKzOkdYNmGQc-; locale=en_US; lsd=5wc5q; cur_max_lag=2;; c_user=1004961921;; lxs=1; xs=ee29d5575d5db79aaf355b07957520f9

above is my cap of a facebook login i have changed my email address to
if anyone works out the encription please post back

Anonymous said...


I guess xs is the password cuz I heard that the password is encrypted in MD5 ,and MD5 is 32 characters lenth as the xs hash...

Mohssine Ronaldo said...

Mohssine Ronaldo said...