Shailesh Suthar's Blog - An independent security researcher! (author: shailesh suthar)

Bruteforce to disable a feature in parse.com (published 2016-12-06)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">Hello,</span></span><br />
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://twitter.com/shailesh4594" target="_blank">Shailesh</a> here!</span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>Endpoint :</b> Checking existence of a particular user(by email address) before adding him as a collaborator! (https://parse.com/apps/{APP_NAME}/collaborations/validate?email=test@example.com)</span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>Vulnerable parameter :</b> email </span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>Vulnerable URI portion : </b>APP_NAME</span></span> <br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>Normal brute force : </b> An attacker could fire a simple bruteforce of 200 requests and a payload for email parameter on mentioned endpoint for victim's app to make this feature of adding users disable for victim. </span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Ex.,</span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">https://parse.com/apps/<i>VICTIM_APP</i>/collaborations/validate?email=test@example.com</span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">There was no <a href="https://en.wikipedia.org/wiki/Access_control_list" target="_blank">ACLs </a>on this endpoint so an attacker could use victim's app name at this endpoint. And parse had a bruteforce protection which was based on app name instead of IP address. So because of these two weakness, an attacker could disable this particular feature for a long while by repeating bruteforce attack! In result, victim was not able to add any more collaborator in his app.</span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><b>CSRF : </b>there was no CSRF protection on this endpoint. In case of existence of <a href="https://en.wikipedia.org/wiki/Access_control_list" target="_blank">ACLs</a>, An attacker could disable the feature using CSRF as well. ;) <br /><br />In short, there was following 4 issues at this endpoint : <br /><br />1) Disabling feature remotely : Lack of ACLs and proper rate limiting. <br /> </span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">2) Disabling feature via CSRF : Lack of verification of anti-csrf token.</span></span> <br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">3) Session issue : No authentication was required. (Perhaps, Excluded)</span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">4) User/Email enumeration : Guessing existed email addresses. (Excluded)<br /><br /><br />Parse has fixed these issues by adding ACLs, anti-csrf token and session verification so now, an attacker can't use victim's app at this endpoint. <br /><br />Thanks to Facebook security team for fixing this one and rewarding me </span></span><br />
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Thank you for reading! :)</span></span><br />
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span>
<br />
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">Report Timeline:</span></span></div>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">
</span></span>
<br />
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">============</span></span></div>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">
</span></span>
<br />
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">6 August 2015 - Report Sent as User enumeration</span></span></div>
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">7 August 2015 - Added for information about disabling a feature</span></span></div>
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">8 August 2015 - Asked for more information by Facebook (About testing of disabling feature) </span></span></div>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">
</span></span>
<br />
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">
8 August 2015 - Clearer information sent + informed about CSRF issue </span></span></div>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">
</span></span>
<br />
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">12 August 2015 - Escalation by Facebook
</span></span></div>
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">6 January 2016 - Finally, Fix Deployed by Facebook :D</span></span></div>
<div style="text-align: left;">
<span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">9 January 2016 - A Bounty Awarded of <b>$1500</b> USD by Facebook :)</span><span style="font-family: "trebuchet ms" , sans-serif;"></span></span></span></div>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><i>PS : Sorry for the late writeup! ;p <span style="font-family: "trebuchet ms" , sans-serif;"> </span></i></span></span><br />
<br />
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><i><span style="font-family: "trebuchet ms" , sans-serif;">Join on Twitter : <a href="https://twitter.com/shailesh4594" target="_blank"><span style="font-family: "trebuchet ms" , sans-serif;">https://twitter.com/shailesh4594</span></a></span> </i></span></span><br />
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span>
<span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><br /></span></span></div>
5 IDORs in translate.google.com (published 2016-06-29)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "trebuchet ms" , sans-serif;">Hello,</span><br />
<br />
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://twitter.com/shailesh4594" target="_blank">Shailesh</a> here! </span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;">There is a module named "<a href="https://translate.google.com/toolkit?hl=en" target="_blank">Translation Toolkit</a>" in https://translate.google.com and i found that a sub-module named "<a href="https://translate.google.com/toolkit/list#tms" target="_blank">Translation Memories</a>" was fully vulnerable to IDOR vulnerabilities!</span></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">I found 5 IDORs in <a href="https://translate.google.com/toolkit/list#tms" target="_blank">Translation Memories.</a></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> </span><br />
<div style="text-align: left;">
<b><u><span style="font-family: "trebuchet ms" , sans-serif;">1. IDOR to change name of victim's Translation Memory :</span></u><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></b></div>
<span style="font-family: "trebuchet ms" , sans-serif;">An attacker was able to change the name of the victim's translation memory because proper <a href="https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiIwM7H0szNAhWFsY8KHURhDOkQFggdMAE&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAccess_control_list&usg=AFQjCNFKNRyDnCx4CEKaN_hurgcO1Ill2w&sig2=LWw2uZjusrfGZRwemB0LRg&bvm=bv.125801520,d.c2I" target="_blank">ACLs</a> were lacking at this endpoint.</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">HTTP Request :</span><br />
<blockquote class="tr_bq">
<span style="font-family: "trebuchet ms" , sans-serif;">POST /toolkit/utmname?hl=en HTTP/1.1<br />Host: translate.google.com</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">..</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">security_token=AKrFfvIvi97LGuNHa3w_vpTZyWwPszzm5g%3A1467183119818&tmid=8a73972848d860ed&tmname=renamed_by_attacker</span></blockquote>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<u><b><span style="font-family: "trebuchet ms" , sans-serif;">2. IDOR to search from victim's Translation Memory :</span></b></u><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">An attacker </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;">was able to </span>search from victim's translation memory because there was lack of proper <a href="https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiIwM7H0szNAhWFsY8KHURhDOkQFggdMAE&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAccess_control_list&usg=AFQjCNFKNRyDnCx4CEKaN_hurgcO1Ill2w&sig2=LWw2uZjusrfGZRwemB0LRg&bvm=bv.125801520,d.c2I" target="_blank">ACLs</a> at this endpoint<span style="font-family: "trebuchet ms" , sans-serif;"> too</span>.</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">HTTP Request : </span><br />
<blockquote class="tr_bq">
<span style="font-family: "trebuchet ms" , sans-serif;">POST /toolkit/gettm HTTP/1.1</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Host: translate.google.com</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> ...</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"> hl=en&src=a&sl=en&tl=sq&tmids=1e0cd01b8a7bde44&thld=0&mofmt=true</span></blockquote>
<br />
<u><b><span style="font-family: "trebuchet ms" , sans-serif;">3. IDOR to replace or add .tmx file into victim's Translation Memory : </span></b></u><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"> </span>You may find something about .tmx file from </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://en.wikipedia.org/wiki/Translation_Memory_eXchange" target="_blank"><span style="font-family: "trebuchet ms" , sans-serif;">H</span>ere</a>.</span></span> <span style="font-family: "trebuchet ms" , sans-serif;">I</span> used <span style="font-family: "trebuchet ms" , sans-serif;">such .tmx file</span> to add some data into victim's Translation Memory. I </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;">was able to </span>replace or combine .tmx data into victim's translation memory because of lack of proper </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiIwM7H0szNAhWFsY8KHURhDOkQFggdMAE&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAccess_control_list&usg=AFQjCNFKNRyDnCx4CEKaN_hurgcO1Ill2w&sig2=LWw2uZjusrfGZRwemB0LRg&bvm=bv.125801520,d.c2I" target="_blank">ACLs</a></span> on uploading .tmx file into a Translation Memory.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">HTTP Request : </span><br />
<blockquote class="tr_bq">
<span style="font-family: "trebuchet ms" , sans-serif;">POST /toolkit/tmappend?hl=en HTTP/1.1</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Host: translate.google.com</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> ..</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> ------WebKitFormBoundarymGTgNNHKz4FAMIdY</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Content-Disposition: form-data; name="security_token"</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> AKrFfvKLf60q11l-TlCENLERqMD0KI9LAA:1447909448118</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> ------WebKitFormBoundarymGTgNNHKz4FAMIdY</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Content-Disposition: form-data; name="tmid"</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> 07a132fa949ac969</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> ------WebKitFormBoundarymGTgNNHKz4FAMIdY</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Content-Disposition: form-data; name="tloc"; filename="my_memory (1).tmx"</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Content-Type: application/octet-stream</span><a href="https://www.blogger.com/blogger.g?blogID=3649125449947276039" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-left: 1em;"></a><span style="font-family: "trebuchet ms" , sans-serif;"><br /></span></blockquote>
<blockquote class="tr_bq">
<span style="font-family: "trebuchet ms" , sans-serif;"><i><XML>...</i><br /> ------WebKitFormBoundarymGTgNNHKz4FAMIdY--</span></blockquote>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><u><b>4. IDOR to delete victim's Translation Memory : </b></u><br /><br />Yeah!! Also, <span style="font-family: "trebuchet ms" , sans-serif;">T</span>here was no </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiIwM7H0szNAhWFsY8KHURhDOkQFggdMAE&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAccess_control_list&usg=AFQjCNFKNRyDnCx4CEKaN_hurgcO1Ill2w&sig2=LWw2uZjusrfGZRwemB0LRg&bvm=bv.125801520,d.c2I" target="_blank">ACLs</a> </span>at this endpoint. So an attacker </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;">was able to </span>delete victim's translation memory using a simple IDOR mechanism.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">HTTP Request : </span><br />
<blockquote class="tr_bq">
<span style="font-family: "trebuchet ms" , sans-serif;">POST /toolkit/deletetm HTTP/1.1</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">Host: translate.google.com</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">..</span></blockquote>
<blockquote>
<span style="font-family: "trebuchet ms" , sans-serif;">hl=en&tmids=850b211b36c39a1e&security_token=AKrFfvKaPs2JVm4aGg8xLSyE_-o1RMc-Uw%3A1467184220688 </span></blockquote>
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<u><b><span style="font-family: "trebuchet ms" , sans-serif;">5. IDOR to takeover victim's Translation Memory :</span></b></u><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">There was no </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://www.google.co.in/url?sa=t&rct=j&q=&esrc=s&source=web&cd=2&cad=rja&uact=8&ved=0ahUKEwiIwM7H0szNAhWFsY8KHURhDOkQFggdMAE&url=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FAccess_control_list&usg=AFQjCNFKNRyDnCx4CEKaN_hurgcO1Ill2w&sig2=LWw2uZjusrfGZRwemB0LRg&bvm=bv.125801520,d.c2I" target="_blank">ACLs</a></span> on sharing a Translation Memory with an user. So an attacker was able to share victim's Translation Memory with <span style="font-family: "trebuchet ms" , sans-serif;">hi<span style="font-family: "trebuchet ms" , sans-serif;">m</span>self</span> to be an owner of that particu<span style="font-family: "trebuchet ms" , sans-serif;">lar</span> Translation Memory.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><br /></span>
<span style="font-family: "trebuchet ms" , sans-serif;">HTTP Request : </span><br />
<blockquote class="tr_bq">
<span style="font-family: "trebuchet ms" , sans-serif;">POST /toolkit/utminfo HTTP/1.1</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Host: translate.google.com</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Connection: keep-alive</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> Content-Length: 396</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"> ...</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"> </span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">
hl=en&tmid=1e0cd01b8a7bde44&acl=[{"access":7,"me":true,"email":"victim.dummy.4594@gmail.com"},{"access":7,"email":"attacker.dummy.4594@gmail.com"},{"email":"@gmail.com","access":7,"caa":false,"new":true}]&ntfy=true&copy=false&security_token=xxxxxx:144786375312</span></blockquote>
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">In short, i </span><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;">was able to </span>modify victim's Translation Memory.</span><br />
<span style="font-family: "trebuchet ms" , sans-serif;">For all requests, <b>tmid(s) </b>was a vulnerable parameter! </span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">That's all ;) </span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">Due to low-sensitive data leakage, i received a combined bounty of <b>$3133.7</b> from<span style="font-family: "trebuchet ms" , sans-serif;"> </span>Google.</span><br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs-gRV8hWGvhMWYpoZQpWqa0HSTM6TLBHB4mZTIt61a0YRjI0VDuifI9GDFS6OYwnek24TE_6DaCoY8vHCJNK8Hy4FQTMu3YhxHu68exQmAU-SY5iGq6X8_vtCRWUoklCiQHYtzI3KvWU/s1600/Capture.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjs-gRV8hWGvhMWYpoZQpWqa0HSTM6TLBHB4mZTIt61a0YRjI0VDuifI9GDFS6OYwnek24TE_6DaCoY8vHCJNK8Hy4FQTMu3YhxHu68exQmAU-SY5iGq6X8_vtCRWUoklCiQHYtzI3KvWU/s400/Capture.JPG" width="400" /></a></span></div>
<br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">Thank you for reading! :-)</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">-<a href="https://twitter.com/shailesh4594" target="_blank">Shailesh Suthar</a> </span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"> </span><br />
<div class="s3gt_translate_tooltip" id="s3gt_translate_tooltip" is_bottom="true" is_mini="true" style="left: 1px; opacity: 0; position: absolute; top: 214px;">
<div class="s3gt_translate_tooltip_mini" id="s3gt_translate_tooltip_mini_logo" title="Translate selected text">
</div>
<div class="s3gt_translate_tooltip_mini" id="s3gt_translate_tooltip_mini_sound" title="Play" title_play="Play" title_stop="Stop">
</div>
<div class="s3gt_translate_tooltip_mini" id="s3gt_translate_tooltip_mini_copy" title="Copy text to Clipboard">
</div>
<link href="chrome://s3gt/skin/s3gt_tooltip.css" rel="stylesheet" type="text/css"></link></div>
<div class="s3gt_translate_tooltip" id="s3gt_translate_tooltip" is_mini="true" style="left: 135px; position: absolute; top: 421px;">
<div class="s3gt_translate_tooltip_mini" id="s3gt_translate_tooltip_mini_logo" title="Translate selected text">
</div>
<div class="s3gt_translate_tooltip_mini" id="s3gt_translate_tooltip_mini_sound" title="Play" title_play="Play" title_stop="Stop">
</div>
<div class="s3gt_translate_tooltip_mini" id="s3gt_translate_tooltip_mini_copy" title="Copy text to Clipboard">
</div>
<link href="chrome://s3gt/skin/s3gt_tooltip.css" rel="stylesheet" type="text/css"></link></div>
</div>
Information Disclosure in Facebook - PoC by Shailesh Suthar (published 2016-02-01)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span>
<br />
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Hello!</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">I found a vulnerability in which i was able to disclose following information of Facebook users.</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">> Full name of User</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">> Mobile number or Email Address</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">> Profile Pic</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Endpoint : </span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><i><span style="font-size: small;">POST /login/async/known_user_block/?login_id=[MOBILE_NUMBER or EMAIL_ADDRESS] HTTP/1.1</span></i></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><i><span style="font-size: small;">Host: www.facebook.com</span></i></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><i><span style="font-size: small;">Content-Length: 44</span></i></span><br />
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><i><span style="font-size: small;">__user=0&__a=1&__dyn=x&__req=1&lsd=x&__rev=x</span></i></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">This endpoint was not rate limited!</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">It was not a normal user enumeration because full name and profile pic were disclosed and also, mobile numbers/email addresses with "only me" privacy were disclosed via this endpoint!</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">That's all ;)</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Actually, Mentioned endpoint was available to just a very small subset of users (only a very small subset of users could use the endpoint) so impact was very low otherwise this might be called a perfect privacy leakage issue!</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<strike><span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Because of the very limited impact, I got a minimum reward from Facebook.</span></span></strike><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Thanks to the Facebook security team for fixing this one!</span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">Due to </span>this one and one more, I am listed in Facebook Hall of Fame - 2016!</span></span></div>
<div style="text-align: left;">
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><b>Update :</b> On 10th Feb'16, I got an email from Facebook security team on this ticket that "After further review of this issue, we have decided to increase the reward to <b>$1500 USD </b>total."</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;">I am very thankful to The Facebook Security Team for taking <span style="font-family: "trebuchet ms" , sans-serif;">another look</span> of this issue without my request! :-) It's impressive!</span><br />
<br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Thanks for reading!</span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"> </span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Twitter : <a href="https://twitter.com/shailesh4594" target="_blank"><span style="font-family: "trebuchet ms" , sans-serif;">https://twitter.com/shailesh4594</span></a></span></span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">Report Timeline:</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">============</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">5 December 2015 - Report Sent</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">8 December 2015 - Asked for more information by Facebook (Due to abnormal endpoint)</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">8 December 2015 - More information sent</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">18 December 2015 - Escalation by Facebook</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">29 December 2015 - Bounty Awarded of <b>$500</b> USD by Facebook :) (First <span style="font-family: "trebuchet ms" , sans-serif;">B</span>ounty)</span></span></div>
<div style="text-align: left;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;">8 January 201<span style="font-family: "trebuchet ms" , sans-serif;">6</span> - Fix Deployed by Faceboo<span style="font-family: "trebuchet ms" , sans-serif;">k</span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;">10</span> <span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-family: "trebuchet ms" , sans-serif;">February</span></span> 201<span style="font-family: "trebuchet ms" , sans-serif;">6</span> - Bounty Awarded of <b>$<span style="font-family: "trebuchet ms" , sans-serif;">10</span>00</b> USD by Facebook :) <span style="font-family: "trebuchet ms" , sans-serif;">(Second Bou<span style="font-family: "trebuchet ms" , sans-serif;">nty</span>)</span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "trebuchet ms" , sans-serif;"> </span> </span></span></div>
</div>
Privacy leakage vulnerability in facebook - PoC by Shailesh Suthar (published 2015-04-29)<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span>
<!--[if gte mso 9]><xml>
<w:LsdException Locked="false" Priority="39" Name="toc 9"/>
<w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin-top:0in;
mso-para-margin-right:0in;
mso-para-margin-bottom:10.0pt;
mso-para-margin-left:0in;
line-height:115%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;}
</style>
<![endif]-->
<br />
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;">Privacy <span style="font-family: "verdana" , sans-serif;">L</span>eakage : Counts of action<span style="font-family: "verdana" , sans-serif;">s</span> of a blocked user can be viewed.<br />
<br />
Hello , I am Shailesh Suthar, an independent security researcher. I found a <span style="font-family: "verdana" , sans-serif;">vulnerability using that<span style="font-family: "verdana" , sans-serif;"> i was</span></span> able to view counts of recent updates
of a blocked user. Also I<span style="font-family: "verdana" , sans-serif;">t</span> was <span style="font-family: "verdana" , sans-serif;">possible </span>to view counts of updates<span style="font-family: "verdana" , sans-serif;"> </span>regarding status,
photos, games, comments-likes , music-videos and other activities separately!<br />
<br />
P<span style="font-family: "verdana" , sans-serif;">o</span>C: </span></span></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;">When we
create a new friend list , following POST request is <span style="font-family: "verdana" , sans-serif;">generated</span> : <br />
<br />
POST /friends/edit/ajax/save_list/ HTTP/1.1</span></span></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;">Host:
www.facebook.com</span></span></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;"><span style="font-family: "verdana" , sans-serif;">...</span></span></span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;"><span style="font-family: "verdana" , sans-serif;"> </span><br style="mso-special-character: line-break;" />
</span></span></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;">fb_dtsg=AQHtqbvxxxxx&<span style="color: red;">listname=NAME_OF_LIST&members[0]=PROFILE_ID_OF_USER</span>&text_members[0]=NAME_OF_USER&__user=100002309650515&__a=1&__dyn=xxxxxEyl2lm9o-t2u5bHaEWCueyrhEK4xxxxxxxxxxxCqrZo8popyui9DBwIhEyfyUnwPUS2O4K5e8xxxxxxxxxxxx&__req=d3&ttstamp=2658172116113981185356757249&__rev=1711798<br style="mso-special-character: line-break;" />
</span></span></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;"><br style="mso-special-character: line-break;" />
</span></span></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br style="mso-special-character: line-break;" /></span></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;">Then I m<span style="font-family: "verdana" , sans-serif;">odified two parameters as below</span> :<br />
<br />
<span style="mso-tab-count: 1;"> </span>listname=Dummy<br />
<span style="mso-tab-count: 1;"> </span>members[0]=PROFILE_ID_OF_BLOCKED_USER<br />
<br /><span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">Received <span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">below response: </span></span></span></span></span></span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;"><br />
for
(;;);{"__ar":1,"payload":null,"onload":["goURI(\"\\\/lists\\\/ID_OF__FRIEND_LIST\");"],"bootloadable":{},"ixData":{},"lid":"0"}<br />
<br />
Blocked person was added into new friend list name “Dummy”.</span><span style="line-height: 115%;"> And <span style="font-family: "verdana" , sans-serif;">just blo<span style="font-family: "verdana" , sans-serif;">cked user was existe<span style="font-family: "verdana" , sans-serif;">d in th<span style="font-family: "verdana" , sans-serif;">is List.</span></span></span></span><br />
<br />
Even adding a blocked person in a friend list is not a security vulnerability (Still
allowed). So I checked page of Friend lists (https://www.facebook.com/bookmarks/lists)<br /> </span></span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;"><span style="font-family: "verdana" , sans-serif;">A counting <span style="font-family: "verdana" , sans-serif;">number</span></span> was shown for friend list as pointed in <span style="font-family: "verdana" , sans-serif;"><span style="font-family: "verdana" , sans-serif;">below image</span></span>!</span><span style="line-height: 115%;"><br />
<br />
<br />
<br />
</span></span></span></span></div>
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;"><br style="mso-special-character: line-break;" />
</span></span></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzj0uCtx60N_VjUP7yVA7uRgTU8qXNo-1ENOELOmm8aJXnMjm7bxFdpF5JNw7JYGnLgxt4SuKyw_z55PuvbpXSDUPiYc7WxEtfQBxiFAcdQHTi5DNlwWTUiSivyYEWpepKSlGD2KsR_Fk/s1600/POC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="215" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgzj0uCtx60N_VjUP7yVA7uRgTU8qXNo-1ENOELOmm8aJXnMjm7bxFdpF5JNw7JYGnLgxt4SuKyw_z55PuvbpXSDUPiYc7WxEtfQBxiFAcdQHTi5DNlwWTUiSivyYEWpepKSlGD2KsR_Fk/s1600/POC.png" width="320" /> </a></span></span></div>
<div class="separator" style="clear: both; text-align: center;">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><br /></span></span></div>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;">I rep<span style="font-family: "verdana" , sans-serif;">orted thi<span style="font-family: "verdana" , sans-serif;">s</span> to <span style="font-family: "verdana" , sans-serif;">F</span>acebook secur<span style="font-family: "verdana" , sans-serif;">ity team<span style="font-family: "verdana" , sans-serif;">. And it <span style="font-family: "verdana" , sans-serif;">g<span style="font-family: "verdana" , sans-serif;">ot fixed<span style="font-family: "verdana" , sans-serif;">!</span></span></span></span></span></span></span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;">
</span></span></span></span>
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;">Thanks to Facebook security team<span style="font-family: "verdana" , sans-serif;"> for <span style="font-family: "verdana" , sans-serif;">fi<span style="font-family: "verdana" , sans-serif;">xing <span style="font-family: "verdana" , sans-serif;">this one.</span></span></span></span></span></span></span></span><br />
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="line-height: 115%;"><br />
<br />
Report Timeline: <br />
</span><span style="color: black; mso-themecolor: text1;">============<br />
</span><span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Dec 28, 2014 8:38pm </span><span style="color: black; mso-themecolor: text1;">- Report Sent<br />
</span><span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Jan 3, 2015 3:01am </span><span style="color: black; mso-themecolor: text1;">- Escalation by Facebook<br />
</span><span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Jan 15, 2015 2:08am</span><span style="color: black; mso-themecolor: text1;"> - Fix Deployed by Facebook</span></span></span></span><br />
<div class="MsoNormal">
<span style="font-family: "trebuchet ms" , sans-serif;"><span style="font-size: small;"><span style="font-family: "verdana" , sans-serif;"><span style="mso-bidi-font-family: "Times New Roman"; mso-fareast-font-family: "Times New Roman";">Mar 6, 2015 11:11pm</span><span style="color: black; mso-themecolor: text1;"> - Bounty Awarded of<span style="mso-spacerun: yes;"> </span>$1000 USD by Facebook :) </span></span></span></span></div>
</div>
shailesh sutharhttp://www.blogger.com/profile/10357106566894248676noreply@blogger.com6