4

In an extraction of com.facebook.katana/Database db files (fb.db and webview.db), I get:

fb.db
If I use a hexadecimal editor to open those files, even when there is no SQLite record named c_user, nor datr, nor lu, etc., these strings are there at some offset of the file. Could they be the active Facebook session that was open at the last use of the cell phone? How do I know the length of the fields in order to inject the cookies in a web browser and hijack the session?

webview.db
This database does contain a table cookies and some records in it, that are: datr and lu. I tried to inject these two cookies in my web browser but couldn't get logged into my account.

I'm planning to dump all records in a format that can be imported into Firefox's Cookie Manager and see if that works.

The main question would be: Is it possible to use that information the same way one could capture live traffic and extract and then inject cookies sent within the LAN to Facebook servers? If so, what cookies or information am I missing?

Mark Buffalo
Martin0x777
  • I'm using my own cellphone, thus I'm sure that the Facebook application has my account open and running on Android, at the moment of the database dump. I know any needed cookie or account info is there. – Martin0x777 Nov 13 '13 at 03:40
  • 1
    Are you sure that none of the needed information is stored in memory? I wouldn't expect everything to be in the local db. One thing that might make this easier is if you have a rooted phone to just download a sqlite browser/editor and you can edit/view the fields directly – KDEx Nov 13 '13 at 04:09
  • In memory card? I'm using both a hex editor and a sqlite browser and that's why I know that even when no records exist with, for example, the string "c_user", the string is indeed in the file. In a live traffic capture I get other cookies that are not in here, such as "fr". – Martin0x777 Nov 13 '13 at 12:33
  • 1
    Hex editor? That's a bit hard-core for me - I'd have used something like http://sqlitebrowser.org – symcbean Mar 18 '16 at 20:50
  • @Martin0x777: Forget the hex editor. There are a lot of reasons why sqlite databases contain strings that you can't see when you query the database, but none of them are relevant for you. Data you can't see in a normal database query is no longer part of the database, even if it's still in the file itself, and if it's no longer part of the database, obviously it's no longer information that either the FB client or the FB server consider valid. – Out of Band Feb 12 '17 at 16:28
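
Added example (not posted by anyone on this page): a constructed SQLite file that reproduces what the comments above discuss, a cookie value that a hex editor still finds after the row has been deleted and no query returns it, alongside the same steps with `PRAGMA secure_delete=ON`. The file name, table layout and values are assumptions made for the demonstration, not the real fb.db schema.

```python
import os
import sqlite3
import tempfile

# Constructed sample value, not a real cookie.
MARKER = b"CONSTRUCTED-SESSION-VALUE-0001"


def deleted_row_residue(secure_delete: bool):
    """Insert and delete a cookie row, then compare the SQL view with raw bytes.

    Returns (rows_visible_to_sql, marker_still_in_file_bytes).
    """
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "demo.db")  # hypothetical stand-in for fb.db
        con = sqlite3.connect(path, isolation_level=None)  # autocommit mode
        con.execute("PRAGMA journal_mode=DELETE")  # no WAL side file to consider
        con.execute(f"PRAGMA secure_delete={'ON' if secure_delete else 'OFF'}")
        # Assumed two-column schema, for illustration only.
        con.execute("CREATE TABLE cookies (name TEXT, value TEXT)")
        con.execute("INSERT INTO cookies VALUES ('datr', 'constructed-keepalive')")
        con.execute("INSERT INTO cookies VALUES ('c_user', ?)", (MARKER.decode(),))
        con.execute("DELETE FROM cookies WHERE name = 'c_user'")
        visible = con.execute(
            "SELECT count(*) FROM cookies WHERE name = 'c_user'"
        ).fetchone()[0]
        con.close()
        # What a hex editor sees: the raw page bytes, including freed cells.
        with open(path, "rb") as fh:
            raw = fh.read()
    return visible, MARKER in raw


if __name__ == "__main__":
    for mode in (False, True):
        rows, residue = deleted_row_residue(mode)
        print(f"secure_delete={mode}: rows via SQL={rows}, bytes in file={residue}")
```

With `secure_delete` off, the freed cell keeps its old bytes until SQLite reuses the space, so the string is in the file but is not a record; with it on, the cell is zeroed at delete time.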

1 Answer

1

Any 'active' login cookie is only valid for that session (see how SSL works).

Your method/concept of extracting an 'active' cookie from the phone and inserting into another session is technically possible but for it to actually work you need to first have a truly active cookie.

Matthew Peters
  • I don't get it. The second paragraph of your answer makes sense, but what does a cookie have to do with SSL, or the SSL link you provided? – Out of Band Feb 12 '17 at 16:31