Monday 1 February 2016

Information Disclosure in Facebook - PoC by Shailesh Suthar



Hello!

I found a vulnerability in which i was able to disclose following information of Facebook users.

> Full name of User
> Mobile number or Email Address
> Profile Pic

Endpoint :

POST /login/async/known_user_block/?login_id=[MOBILE_NUMBER or EMAIL_ADDRESS] HTTP/1.1
Host: www.facebook.com
Content-Length: 44

__user=0&__a=1&__dyn=x&__req=1&lsd=x&__rev=x

This endpoint was not rate limited!

It was not a normal user enumeration because full name and profile pic were disclosed and also, mobile numbers/email addresses with "only me" privacy were disclosed via this endpoint!

That's all ;)

Actually, Mentioned endpoint was available to just a very small subset of users (only a very small subset of users could use the endpoint) so impact was very low otherwise this might be called a perfect privacy leakage issue!

Because of very limited impact, i got a minimum reward from Facebook.
Thanks to Facebook security team for fixing this one!

Due to this one and one more, I am listed in Facebook Hall of Fame - 2016!

Update : On 10th Feb'16, I got an email from Facebook security team on this ticket that "After further review of this issue, we have decided to increase the reward to $1500 USD total."

I am very thankful to The Facebook Security Team for taking another look of this issue without my request! :-) It's impressive!

Thanks for reading!
  
Twitter : https://twitter.com/shailesh4594

Report Timeline:
============
5 December 2015    - Report Sent
8 December 2015    - Asked for more information by Facebook (Due to abnormal endpoint)
8 December 2015    - More information sent
18 December 2015  - Escalation by Facebook
29 December 2015  - Bounty Awarded of $500 USD by Facebook :) (First Bounty)
8 January 2016       - Fix Deployed by Facebook
10 February 2016    - Bounty Awarded of $1000 USD by Facebook :) (Second Bounty)