Facebook bug: payment card details could be stolen from a user's account

Anyone who has promoted their posts to reach more readers knows that Facebook advertising and other Facebook services are paid for with the payment cards added to the account, with PayPal accounts or with promotional codes, which are charged automatically. Paying by card online for services or shopping has many advantages: it is a very safe method and, importantly, card transactions can be reversed through a "chargeback".

Pranav reported a bug that allows the last 4 digits of a payment card added as a payment method to be extracted. Facebook first assigns a unique random 15-digit number to each added card, tied to the user's Facebook account. Facebook then uses this 15-digit ID to look up the payment card data. Unfortunately, an attacker using Facebook's own query technology (GraphQL) could obtain such an identifier and, with it, the following data about the card:

  • the last 4 digits;
  • the expiration date (month and year);
  • other details saved with the user's card and account.
REQUEST

POST /graphql?q=node()
{
  __typename,
  id,
  {CREDIT_CARD
    credential_id,
    card_association,
    number,
    expire_month,
    expire_year,
    address {
      __typename,
      postal_code,
      full_address,
      single_line_full_address,
      street,
      city,
      country,
      postal_code
    }
  }
  mobile_csc_verified,
  zip_verified,
  web_csc_verified,
  method_category,
  commerce_payment_eligible,
  personal_transfer_eligible,
  is_default_receiving
}
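The weakness in the lookup above is that knowing (or guessing) a credential_id was enough to read the record it points to. The following added example is not Facebook's code; it is a minimal Python "node(id)" resolver with constructed sample records, showing the vulnerable lookup next to a hardened one that ties access to the authenticated viewer and returns only the display fields a client needs. All names (CARDS, resolve_node_vulnerable, resolve_node_hardened, new_credential_id) are assumptions made for the example.

```python
# Added example, not Facebook's code. Demonstrates why a random lookup id is not an
# authorization credential: the resolver must check who is asking, not just what id they hold.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class CreditCard:
    credential_id: str  # the 15-digit random lookup id described in the article
    owner_id: str       # the account the card belongs to
    number: str         # full card number; must never be returned to a client
    expire_month: int
    expire_year: int
    postal_code: str


def new_credential_id() -> str:
    """15 random decimal digits, i.e. one of 10**15 possible ids (constructed generator)."""
    return f"{secrets.randbelow(10 ** 15):015d}"


# Constructed sample store: credential_id -> CreditCard. The numbers are public test values.
CARDS = {
    "910000000000002": CreditCard("910000000000002", "user_alice", "4111111111111111", 12, 2027, "00-001"),
    "123456789012345": CreditCard("123456789012345", "user_bob", "5500000000000004", 6, 2026, "90210"),
}


def resolve_node_vulnerable(credential_id: str) -> Optional[dict]:
    """Insecure direct object reference: anyone presenting a valid id gets the record."""
    card = CARDS.get(credential_id)
    if card is None:
        return None
    return {
        "credential_id": card.credential_id,
        "number": card.number,
        "expire_month": card.expire_month,
        "expire_year": card.expire_year,
        "postal_code": card.postal_code,
    }


def resolve_node_hardened(viewer_id: str, credential_id: str) -> Optional[dict]:
    """Ownership check against the authenticated viewer, and a reduced field set.

    'Not found' and 'not yours' produce the same answer, so a caller cannot tell
    a guessed id that exists from one that does not.
    """
    card = CARDS.get(credential_id)
    if card is None or not secrets.compare_digest(card.owner_id, viewer_id):
        return None
    return {
        "credential_id": card.credential_id,
        "number": "**** **** **** " + card.number[-4:],  # display form only
        "expire_month": card.expire_month,
        "expire_year": card.expire_year,
    }


if __name__ == "__main__":
    print(resolve_node_vulnerable("123456789012345"))          # full record, no check
    print(resolve_node_hardened("user_alice", "123456789012345"))  # None: not Alice's card
    print(resolve_node_hardened("user_bob", "123456789012345"))    # masked record
```

The two design points worth copying are that the authorization decision is made from the session (viewer_id), never from the id the client supplied, and that the full card number is not in the response schema at all, so a future bug in the ownership check cannot leak it.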

Among the possible ways of obtaining the ID number, the author lists:

  • A previous bug he reported last year. Facebook fixed it, but, as it turned out, not completely.
  • Guessing the identifier by brute force (the first digit must be between 0 and 9, and the remaining 14 digits can be any combination of 0-9, for example 91000000000002). The author notes that he used only his own test accounts to demonstrate the method; generating real identifiers would violate the rules of Facebook's bug bounty program.
  • Users with administrator privileges who have been granted account management rights could still obtain the ID and extract the card details in the same way.

In the presented method, the attacker learns the last 4 digits of the card. According to the author, the remaining 20 digits can be generated using the Luhn algorithm, which defines the checksum rule that payment card numbers follow.
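To make the Luhn rule mentioned above concrete, here is an added Python example (not from the article) that validates a card number against the Luhn checksum, computes the check digit for a given payload, and produces the masked "last four" display form that billing pages show. The sample numbers are publicly documented test values, not real cards; the function names are assumptions made for this example.

```python
# Added example, not from the article: the Luhn checksum used by payment card numbers.
def luhn_sum(digits: str) -> int:
    """Luhn weighted sum over a digit string, walking from the rightmost digit."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # every second digit from the right is doubled
            d *= 2
            if d > 9:       # a doubled digit above 9 contributes the sum of its digits
                d -= 9
        total += d
    return total


def luhn_valid(pan: str) -> bool:
    """True when the full number, including its final check digit, passes the Luhn test."""
    pan = pan.replace(" ", "")
    return pan.isdigit() and len(pan) >= 2 and luhn_sum(pan) % 10 == 0


def luhn_check_digit(payload: str) -> int:
    """The single check digit that makes payload + digit pass the Luhn test."""
    return (10 - luhn_sum(payload + "0") % 10) % 10


def mask_pan(pan: str) -> str:
    """Display form that keeps only the last four digits, as billing UIs show them."""
    pan = pan.replace(" ", "")
    return "*" * (len(pan) - 4) + pan[-4:]


if __name__ == "__main__":
    # Public test numbers (constructed input for the example).
    for sample in ("4111 1111 1111 1111", "5500 0000 0000 0004", "4111 1111 1111 1112"):
        print(mask_pan(sample), luhn_valid(sample))
    print(luhn_check_digit("411111111111111"))  # the digit that completes the first sample
```

The caveat a practitioner should keep in mind: Luhn is a checksum, not a generator. It constrains exactly one digit given all the others, so its role is catching typos at entry time; the protection of the card number itself has to come from the access control around it, as in the lookup bug described above.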


We use the Google Cloud Translation and Gengo APIs to translate articles, with the exception of our comparative tests.