Demistify the Facebook client-side password encryption

Introduction

Some time ago, I developed a private API of instagram to be able to perform some actions I needed. The API was working very well until one day in 2020, when the parameters sent to the server to authenticate changed. Indeed, the password was no longer sent in clear text, but encrypted in this way: #PWD_BROWSER:5:1617376020:AdhQAKb3zEewux6J98xFvie1HjaFRlSTWesGmeAuwW03KpZ1ia4jCMf4jv6ekezoGltbU5QPqbC2alzFutmA7xOQ2M1S1Lkge9qGB94F6rWeWMDqHchFb8uD8MRY9oid0QTZm5nOumSR24lfTaVO29xh2Q==.
It was still possible to authenticate by sending your credentials in clear text, but I asked how the encrypted password was generated. I didn't find anything concrete, so I wanted to search by myself, in order to understand and be able to generate this encrypted password and authenticate myself with it.

Trace analysis

Let's make a connection request with the following identifiers:
email: test@test.com
password: mysuperpassword

In the fields of our POST request, we notice the following field:

encpass="#PWD_BROWSER:5:1617376020:AdhQAKb3zEewux6J98xFvie1HjaFRlSTWesGmeAuwW03KpZ1ia4jCMf4jv6ekezoGltbU5QPqbC2alzFutmA7xOQ2M1S1Lkge9qGB94F6rWeWMDqHchFb8uD8MRY9oid0QTZm5nOumSR24lfTaVO29xh2Q=="

The name of the field is quite explicit, we strongly assume that it is our encrypted password.
At first glance, it looks like the /etc/shadow file format used under Linux or UNIX-like system. Field 5 could be SHA-256. Let's have a look at it.
Since it is necessarily encrypted on the client side, we analyze the trace of our POST request to find the function that encrypts the password.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Fig. 1

And bingo! We notice a function named _encryptBeforeSending !

It's time to open the file on line 36 as shown.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Fig. 2

Let's get this line and display it in a more readable way.

_encryptBeforeSending: High-layer encryption function




































__d("LoginFormController", ["AsyncRequest", "Button", "Cookie", "DOM", "DeferredCookie", "Event", "FBBrowserPasswordEncryption", "FBLogger", "Form", "FormTypeABTester", "LoginServicePasswordEncryptDecryptEventTypedLogger", "WebStorage", "bx", "ge", "goURI", "guid", "promiseDone"], (function(a, b, c, d, e, f) {
    var g, h = {
        init: function(a, c, d, e, f) {
            h._initShared(a, c, d, e, f), h.isCredsManagerEnabled = !1, !f || !f.pubKey ? b("Event").listen(a, "submit", h._sendLoginShared.bind(h)) : b("Event").listen(a, "submit", function(b) {
                b.preventDefault(), h._sendLoginShared.bind(h)(), h._encryptBeforeSending(function() {
                    a.submit()
                })
            })
        },
        ...
        _encryptBeforeSending: function(a) {
            a = a.bind(h);
            var c = h.loginFormParams && h.loginFormParams.pubKey;
            if ((window.crypto || window.msCrypto) && c) {
                var d = b("DOM").scry(h.loginForm, 'input[id="pass"]')[0],
                    e = b("FBBrowserPasswordEncryption"),
                    f = Math.floor(Date.now() / 1e3).toString();
                b("promiseDone")(e.encryptPassword(c.keyId, c.publicKey, d.value, f), function(c) {
                    c = b("DOM").create("input", {
                        type: "hidden",
                        name: "encpass",
                        value: c
                    });
                    h.loginForm.appendChild(c);
                    d.disabled = !0;
                    a()
                }, function(c) {
                    var d = "#PWD_BROWSER",
                        e = 5,
                        g = b("LoginServicePasswordEncryptDecryptEventTypedLogger");
                    new g().setError("BrowserEncryptionFailureInLoginFormControllerWWW").setGrowthFlow("Bluebar/main login WWW").setErrorMessage(c.message).setPasswordTag(d).setPasswordEncryptionVersion(e).setPasswordTimestamp(f).logVital();
                    a()
                })
            } else a()
        },
        ...

Even without necessarily understanding all the variables displayed, it is generally understood that the init function is the entry point (see also Fig. 1) and calls the _encryptBeforeSending(a) function. This parameter passed as an argument is a function that allows to submit the connection form.

Note the function __d.
The function __d is API for RequireJS used to define a Module.
Refered to the RequireJS doc:





//Explicitly defines the "foo/title" module:
define("foo/title", ["my/cart", "my/inventory"], function(cart, inventory) {
        //Define foo/title object in here.
       }
    );

Then call the module as follow:


require("foo/title")

By the way, we strongly assume that the b function refers to the require function.

We then notice in the _encryptBeforeSending function that an input with name: "encpass" is created with the value c, returned by the call to the function e.encryptPassword(c.keyId, c.publicKey, d.value, f). This is the POST field we observed earlier, which contained the encrypted password. This input is well created before the call to a(), which submits the form.
Before going into the code of this function in more detail, we will try to understand where the arguments given to this function come from.

Middle-layer encryption function, call parameters

c.keyId & c.publicKey parameters

Going back to c, we see that this object is created higher as follows:
var c = h.loginFormParams && h.loginFormParams.pubKey;
So now we have to go back to h. We notice quite quickly that h corresponds to the current module, so we will use the firefox console to display it, and see if we can find these keyId and pubKey.

Image Not Showing Possible Reasons

The image file may be corrupted
The server hosting the image is unavailable
The image path is incorrect
The image format is not supported

Learn More →

Fig. 3

Nice, it contains the public key and the identifier of this key.

Object { 
    publicKey: "53d38c45d2b6ff5bb0b843dfef4e060446596a93f970510b5fe615671ef3c457",
    keyId: 216 
}

Note that the public key and the identifier change every day.

d.value & f parameters

For d.value, this is the user's password; and f the timestamp.

We can now look at the contents of the encryptPassword function, called by the FBBrowserPasswordEncryption module.

We find this module in the same file as Fig. 2, and we proceed to the same manipulation.

encryptPassword: Middle-layer encryption function

























__d("FBBrowserPasswordEncryption", ["EnvelopeEncryption", "regeneratorRuntime", "tweetnacl-util"], (function(a, b, c, d, e, f) {
    "use strict";
    f.encryptPassword = a;

    function a(keyID, publicKey, pass, timestamp) {
        var padding, g, passUTF8, timestampUTF8, encryptedPass;
        return b("regeneratorRuntime").async(function(k) {
            while (1) switch (k.prev = k.next) {
                case 0:
                    padding = "#PWD_BROWSER";
                    g = 5;
                    passUTF8_decoded = b("tweetnacl-util").decodeUTF8(pass);
                    timestampUTF8_decoded = b("tweetnacl-util").decodeUTF8(timestamp);
                    k.next = 6;
                    return b("regeneratorRuntime").awrap(b("EnvelopeEncryption").encrypt(keyID, publicKey, passUTF8_decoded, timestampUTF8_decoded));
                case 6:
                    encryptedPass = k.sent;
                    return k.abrupt("return", [padding, g, timestamp, b("tweetnacl-util").encodeBase64(j)].join(":"));
                case 8:
                case "end":
                    return k.stop()
            }
        }, null, this)
    }
}), null);

We find our encryptPassword function in which all the variable names are also letters, but I have manually replaced some variable names in order to see more clearly.

We notice on line 18 that a join function is called on an array containing all the elements of the encrypted password pattern. We find there in the order:

The id #PWD_BROWSER,
The number 5,
The timestamp,
j returned by the case 0, encoded in base64.

The first 3 values are trivial to obtain, what really interests us is this value j, obtained by calling b("EnvelopeEncryption").encrypt(keyID, publicKey, passUTF8_decoded, timestampUTF8_decoded).

This is the 3rd nested "encrypt" function, maybe the last one haha. Let's see what it contains.

encrypt: Low-layer encryption function



























































































__d("EnvelopeEncryption", ["Promise", "regeneratorRuntime", "tweetnacl-sealedbox-js"], (function(a, b, c, d, e, f) {
    "use strict";
    f.encrypt = a;
    var g = window.crypto || window.msCrypto,
        h = 64,
        i = 1,
        j = 1,
        k = 1,
        l = b("tweetnacl-sealedbox-js").overheadLength,
        m = 2,
        n = 32,
        o = 16,
        p = j + k + m + n + l + o;

    function q(a, c) {
        return b("tweetnacl-sealedbox-js").seal(a, c)
    }

    function r(a) {
        var b = [];
        for (var c = 0; c < a.length; c += 2) b.push(parseInt(a.slice(c, c + 2), 16));
        return new Uint8Array(b)
    }

    function a(a, c, d, e) {
        var f, s, t, u, v, w, x;
        return b("regeneratorRuntime").async(function(y) {
            while (1) switch (y.prev = y.next) {
                case 0:
                    f = p + d.length;
                    if (!(c.length != h)) {
                        y.next = 3;
                        break
                    }
                    throw new Error("public key is not a valid hex sting");
                case 3:
                    s = r(c);
                    if (s) {
                        y.next = 6;
                        break
                    }
                    throw new Error("public key is not a valid hex string");
                case 6:
                    t = new Uint8Array(f);
                    u = 0;
                    t[u] = i;
                    u += j;
                    t[u] = a;
                    u += k;
                    v = {
                        name: "AES-GCM",
                        length: n * 8
                    };
                    w = {
                        name: "AES-GCM",
                        iv: new Uint8Array(12),
                        additionalData: e,
                        tagLen: o
                    };
                    x = g.subtle.generateKey(v, !0, ["encrypt", "decrypt"]).then(function(a) {
                        var c = g.subtle.exportKey("raw", a);
                        a = g.subtle.encrypt(w, a, d.buffer);
                        return b("Promise").all([c, a])
                    }).then(function(a) {
                        var b = new Uint8Array(a[0]);
                        b = q(b, s);
                        t[u] = b.length & 255;
                        t[u + 1] = b.length >> 8 & 255;
                        u += m;
                        t.set(b, u);
                        u += n;
                        u += l;
                        if (b.length !== n + l) throw new Error("encrypted key is the wrong length");
                        b = new Uint8Array(a[1]);
                        a = b.slice(-o);
                        b = b.slice(0, -o);
                        t.set(a, u);
                        u += o;
                        t.set(b, u);
                        return t
                    })["catch"](function(a) {
                        throw a
                    });
                    return y.abrupt("return", x);
                case 16:
                case "end":
                    return y.stop()
            }
        }, null, this)
    }
}), null);

This function seems to be the right one, the one that finally generates the encrypted key. We notice towards the end, the call to the generateKey function, so we'll first focus directly on this part of the code:

sublte.generateKey

























x = g.subtle.generateKey(v, !0, ["encrypt", "decrypt"]).then(function(a) {
                        var c = g.subtle.exportKey("raw", a);
                        a = g.subtle.encrypt(w, a, d.buffer);
                        return b("Promise").all([c, a])
                    }).then(function(a) {
                        var b = new Uint8Array(a[0]);
                        b = q(b, s);
                        t[u] = b.length & 255;
                        t[u + 1] = b.length >> 8 & 255;
                        u += m;
                        t.set(b, u);
                        u += n;
                        u += l;
                        if (b.length !== n + l) throw new Error("encrypted key is the wrong length");
                        b = new Uint8Array(a[1]);
                        a = b.slice(-o);
                        b = b.slice(0, -o);
                        t.set(a, u);
                        u += o;
                        t.set(b, u);
                        return t
                    })["catch"](function(a) {
                        throw a
                    });
                    return y.abrupt("return", x);

By inquiring about the generateKey function, we learn that is a method of the SubtleCrypto interface to generate a new key (for symmetric algorithms) or key pair (for public-key algorithms). In our case, the variable g corresponds to window.crypto. This object allows web pages to run various cryptographic operations on the browser side.

Here is the syntax of the generateKey function:
const result = crypto.subtle.generateKey(algorithm, extractable, keyUsages);
with:

algorithm is a dictionary object defining the type of key to generate and providing extra algorithm-specific parameters.
extractable is a Boolean indicating whether it will be possible to export the key using SubtleCrypto.exportKey() or SubtleCrypto.wrapKey().
keyUsages is an Array indicating what can be done with the newly generated key.

In our case, algorithm is v, corresponding to the following object:




v = {
        name: "AES-GCM",
        length: n * 8
    };

length is the length in bits of the key to generate. Here, n is a variable defined above, equal to 32.
So we learn that the generated key will be a symmetrical key, AES-GCM, of 256 bits.
But wait, the format #PWD_BROWSER:5:1617376020:... was leading us into error after all? It's not SHA-256? It looks like it, let's continue

extractable is set to true, and keyUsages indicates that it is possible to encrypt and decrypt with the generated key.

Finally, result is a Promise that fulfills with a CryptoKey (for symmetric algorithms) or a CryptoKeyPair (for public-key algorithms).
For our case, it's a CryptoKey.

Now let's look at the first part of the code, the result of the first Promise:





g.subtle.generateKey(v, !0, ["encrypt", "decrypt"]).then(function(a) {
    var c = g.subtle.exportKey("raw", a);
    a = g.subtle.encrypt(w, a, d.buffer);
    return b("Promise").all([c, a])
})

The freshly generated AES-GCM key is exported in the c variable. It is stored in raw, in an ArrayBuffer.

Then the encrypt function is called. This function has the following signature:
const result = crypto.subtle.encrypt(algorithm, key, data);
In our case, algorithm corresponds to w, which is the next object:






w = {
    name: "AES-GCM",
    iv: new Uint8Array(12),
    additionalData: e,
    tagLen: o
};

iv:
A BufferSource — the initialization vector. This must be unique for every encryption operation carried out with a given key.
additionalData:
A BufferSource. This contains additional data that will not be encrypted but will be authenticated along with the encrypted data. If additionalData is given here then the same data must be given in the corresponding call to decrypt(): if the data given to the decrypt() call does not match the original data, the decryption will throw an exception. This gives you a way to authenticate associated data without having to encrypt it.

key is the a CryptoKey generated

d.buffer, corresponds to the buffer of the Uint8Array which contains our password in clear text.

The function returns in the variable a a Promise that fulfills with an ArrayBuffer containing the "ciphertext". The size of the cipher is equal to the size of the password plus 16 bytes.

Now that we have seen the result of this first Promise, let us look at the result of the second:


















.then(function(a) {
        var b = new Uint8Array(a[0]);
        b = q(b, s);
        t[u] = b.length & 255;
        t[u + 1] = b.length >> 8 & 255;
        u += m;
        t.set(b, u);
        u += n;
        u += l;
        if (b.length !== n + l) throw new Error("encrypted key is the wrong length");
        b = new Uint8Array(a[1]);
        a = b.slice(-o);
        b = b.slice(0, -o);
        t.set(a, u);
        u += o;
        t.set(b, u);
        return t
    })

As we saw before, we know that the argument a corresponds to an array [AES_Key_buffer, CipherText_buffer].

For the rest of the variables, you just have to look above to make the correspondences. I put the code back after making the variable names more understandable:


















then(function(a) {
        var aes_key = new Uint8Array(a[0]);
        aes_key_encrypted = b("tweetnacl-sealedbox-js").seal(aes_key, publicKey_uint8array);
        key[u] = aes_key_encrypted.length & 255;
        key[u + 1] = aes_key_encrypted.length >> 8 & 255;
        u += m; // u = 4
        key.set(aes_key_encrypted, u);
        u += n ; // u = 36  (n=32)
        u += l; // u = 84 (l=48)
        if (aes_key_encrypted.length !== n + l) throw new Error("encrypted key is the wrong length");
        cipher = new Uint8Array(a[1]);
        cipher_rigth_part = cipher.slice(-o);
        cipher_left_part = cipher.slice(0, -o);
        key.set(cipher_rigth_part, u);
        u += o; // u = 100
        key.set(cipher_left_part, u);
        return key
    })

b("tweetnacl-sealedbox-js").seal(buffer, publicKey); is used to encrypt the buffer using the public key provided.
Here, the encryption key aes_key is encrypted using the public key given in parameter. The size of the encrypted buffer is equal to the size of the buffer + 48 bytes of overhead. Here the AES key is 256 bits, or 32 bytes; the size of the encrypted aes key will therefore be 48+32=100 bytes.

key is a Uint8Array defined above as follows:




















var h = 64,
    i = 1,
    j = 1,
    k = 1,
    l = b("tweetnacl-sealedbox-js").overheadLength, // always 48
    m = 2,
    n = 32,
    o = 16,
    p = j + k + m + n + l + o; // = 100
...
case 0:
        f = p + pass.length; // = 100 + pass.length
...
 case 6:
        key = new Uint8Array(f); // key.length = 100 + pass.length
        u = 0;
        key[u] = i;
        u += j;
        key[u] = keyID;
        u += k;

Note that the first values of the key are always fixed by constants.
key[0]=1
key[1]=keyID
key[2]=aes_key_encrypted.length & 255 = 80
key[3]=aes_key_encrypted.length>>8 & 255 = 0

Then,


key.set(aes_key_encrypted, u); // u == 4

We store in the key at index u, the value of the encrypted aes key. We suspect that Facebook has the private key to decrypt this key.

Finally, the last interesting part:








// o = 16
cipher = new Uint8Array(a[1]);
cipher_rigth_part = cipher.slice(-o);
cipher_left_part = cipher.slice(0, -o);
key.set(cipher_rigth_part, u);
u += o; // u = 100
key.set(cipher_left_part, u);
return key

The cipher is split from the 16 end bytes.
The two parts of the cipher are inverted and added to the key.

Resume

The key is finally complete and valid. Here is a short summary of the contents of the key:

Fig. 4

The key is generated, but a small detail is missing. Indeed, remember, this key is then encoded in base 64.

Let's go back to the previous function:










case 0:
    padding = "#PWD_BROWSER";
    g = 5;
    passUTF8_decoded = b("tweetnacl-util").decodeUTF8(pass);
    timestampUTF8_decoded = b("tweetnacl-util").decodeUTF8(timestamp);
    k.next = 6;
    return b("regeneratorRuntime").awrap(b("EnvelopeEncryption").encrypt(keyID, publicKey, passUTF8_decoded, timestampUTF8_decoded));
case 6:
    encryptedPass = k.sent;
    return k.abrupt("return", [padding, g, timestamp, b("tweetnacl-util").encodeBase64(j)].join(":"));

A simple call to b("tweetnacl-util").encodeBase64(j) on our freshly generated key, and we have our base64 key.
We join the whole thing and we have a complete and valid key, ready to send to the Facebook server.

asteria2

2023/11/29 08:36:22

Hi! I read your article. You're cool that you found all this and put it on the shelves. According to your article, I have already found the public key and its ID. But I still don't understand how to connect all this in order to properly encrypt the password in the end. In general, I need your help. Write to me in a telegram, please, if you are interested: I will pay you for your help in this matter: https://t.me/avtostopshik All this also applies to Facebook.

Demistify the Facebook client-side password encryption

Introduction

Trace analysis

_encryptBeforeSending: High-layer encryption function

Middle-layer encryption function, call parameters

c.keyId & c.publicKey parameters

d.value & f parameters

encryptPassword: Middle-layer encryption function

encrypt: Low-layer encryption function

sublte.generateKey

Resume

Read more

Write-Up - DGHack - 2020 - Jobboard

Write-Up - DGHack - 2020 - Walter's Blog

Write-Up - DGSE/ESIEE - 2020 - ASCII UART

Write-up - DGSE/ESIEE - 2020 - KeyPad Sniffer