Wednesday, 29 April 2015

Privacy leakage vulnerability in Facebook - PoC by Shailesh Suthar

Privacy leakage: counts of a blocked user's actions can be viewed.

Hello, I am Shailesh Suthar, an independent security researcher. I found a vulnerability using which I was able to view counts of the recent updates of a blocked user. It was also possible to view the counts of updates regarding status, photos, games, comments/likes, music/videos and other activities separately!

When we create a new friend list, the following POST request is generated:

POST /friends/edit/ajax/save_list/ HTTP/1.1

Then I modified two parameters as below:


I received the response below:

for (;;);{"__ar":1,"payload":null,"onload":["goURI(\"\\\/lists\\\/ID_OF__FRIEND_LIST\");"],"bootloadable":{},"ixData":{},"lid":"0"}

The blocked person was added to a new friend list named “Dummy”, and only the blocked user existed in this list.

Adding a blocked person to a friend list is not a security vulnerability by itself (it is still allowed). So I checked the Friend lists page (

A count was shown for the friend list, as pointed out in the image below!
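As an added illustration (not the author's PoC and not Facebook's code), the following Python sketch models the two places where a leak of this shape can be closed: the list-saving handler that accepted a blocked user as a member, and the list page counter that treated membership as a visibility decision. Every name in it (FriendListService, update_counts_fixed, the sample users and posts) is hypothetical and constructed for the example; a block is modelled as hiding activity in both directions.

```python
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    blocked: set[int] = field(default_factory=set)  # uids this user has blocked


@dataclass
class Post:
    author: int
    kind: str  # e.g. "status", "photo", "game", "like", "video"


class FriendListService:
    """Hypothetical model of friend lists whose page shows a count of recent
    updates from list members, broken down by update kind."""

    def __init__(self, users: list[User], posts: list[Post]):
        self.users = {u.uid: u for u in users}
        self.posts = list(posts)
        self.lists: dict[tuple[int, str], set[int]] = {}  # (owner, name) -> members

    def blocked_either_way(self, a: int, b: int) -> bool:
        # A block must hide activity in both directions, whoever initiated it.
        return b in self.users[a].blocked or a in self.users[b].blocked

    # --- vulnerable behaviour: the save handler accepts any member id and the
    #     counter trusts list membership as if it were an authorization check ---
    def add_member_vulnerable(self, owner: int, name: str, member: int) -> bool:
        self.lists.setdefault((owner, name), set()).add(member)
        return True

    def update_counts_vulnerable(self, owner: int, name: str) -> Counter:
        members = self.lists.get((owner, name), set())
        return Counter(p.kind for p in self.posts if p.author in members)

    # --- hardened behaviour: reject blocked members at write time, and filter
    #     again at read time so a stale or tampered list still leaks nothing ---
    def add_member_fixed(self, owner: int, name: str, member: int) -> bool:
        if self.blocked_either_way(owner, member):
            return False  # the tampered save request is refused
        self.lists.setdefault((owner, name), set()).add(member)
        return True

    def update_counts_fixed(self, owner: int, name: str) -> Counter:
        members = self.lists.get((owner, name), set())
        visible = {m for m in members if not self.blocked_either_way(owner, m)}
        return Counter(p.kind for p in self.posts if p.author in visible)


def build_sample() -> FriendListService:
    """Constructed sample data: user 1 has blocked user 2; user 3 is a friend."""
    users = [User(1, blocked={2}), User(2), User(3)]
    posts = [Post(2, "status"), Post(2, "photo"), Post(2, "status"), Post(3, "photo")]
    return FriendListService(users, posts)


if __name__ == "__main__":
    svc = build_sample()
    svc.add_member_vulnerable(1, "Dummy", 2)  # blocked user lands in the list
    print("vulnerable counts:", dict(svc.update_counts_vulnerable(1, "Dummy")))
    print("fixed counts:     ", dict(svc.update_counts_fixed(1, "Dummy")))
    print("fixed add accepted:", svc.add_member_fixed(1, "Dummy2", 2))
```

The read-time filter in update_counts_fixed is the part that matters for this report: even with the membership check in place, any path that shows an aggregate over a user-controlled set of people has to re-apply the viewer's block relationships, otherwise the aggregate itself becomes the side channel.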

I reported this to the Facebook security team, and it got fixed!
Thanks to the Facebook security team for fixing this one.

Report Timeline:
Dec 28, 2014 8:38pm  - Report Sent
Jan 3, 2015 3:01am   - Escalation by Facebook
Jan 15, 2015 2:08am  - Fix Deployed by Facebook

Mar 6, 2015 11:11pm  - Bounty Awarded of $1000 USD by Facebook :)