Wednesday, February 6, 2008

Facebook passwords?

When logging into facebook your login account name/email address is passed of in login_x, there are the three more variables. One of them is most likely the password. c_user appears to be your facebook user id number. h_user and xs are unknown. I believe one of them is an encrypted version of the password and I don't know about the other.

I made a fake account with these user credentials.
login:bsdpunk@gmail.com
Password:Mosssalad

These are the returns
login_x=bsdpunk%40gmail.com
c_user=1089782116
h_user=9856f1ae07ca
xs=d771ba051a12a4ad7c5f898d71a1482a

So if you want more info to deal with here is how you capture your own stuff. Open wireshark, and start sniffing. Login to facebook. Once you are done stop sniffing. Right click on your first http packet, probably coming from a 204.x.x.x click follow tcp stream. If you make a fake facebook account to do this, and you feel like sharing please send me the same variable information I have provided here. The c_user and h_user stay the same, the xs is different.


This post would have been more thorough but, work calls, and I just got my eeePC. Bleh. Maybe more tommorrow.


EDIT so I looked at the source and it looks like it's passing some

EDIT login stuff to ssl and there is a shit ton of Javascript

EDIT that I didn't go through, so in closing I would like to say

EDIT that I feel unqualified to talk about this subject.

5 comments:

William Najar said...

do you have any idea what the ABT= field is for in the firefox version of the login cookie? i get the same login_x= field for the username but the password field seems to be different.. wondering if this could be it

Unknown said...

Host: www.facebook.com

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.3) Gecko/20090824 Firefox/3.5.4 FBSMTWB

Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8

Accept-Language: en-us,en;q=0.5

Accept-Encoding: gzip,deflate

Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7

Keep-Alive: 300

Connection: keep-alive

Referer: http://www.facebook.com/index.php?lh=0388e12a43cd8d8ef6ece08c5c8d6975&

Cookie: datr=1264105843-59c115600e86eb031abe24434c25415f712bb321ed84676b9ce96; h_user=AAAAAQAQHxG3ykip3hhHc5He_sdrCgAAABDUc93eADreKzOkdYNmGQc-; locale=en_US; lsd=5wc5q; cur_max_lag=2; x-referer=http%3A%2F%2Fwww.facebook.com%2Finbox%2F%3Fref%3Dmb%23%2Fhome.php; c_user=1004961921; lxe=user%40domain.com; lxs=1; xs=ee29d5575d5db79aaf355b07957520f9

above is my cap of a facebook login i have changed my email address to user@domain.com
if anyone works out the encription please post back

Anonymous said...

c_user=1089782116
h_user=9856f1ae07ca
xs=d771ba051a12a4ad7c5f898d71a1482a

I guess xs is the password cuz I heard that the password is encrypted in MD5 ,and MD5 is 32 characters lenth as the xs hash...

Unknown said...

un1lock.blogspot.com

Unknown said...

un1lock.blogspot.com