Hello!
I found a vulnerability in which I was able to disclose the following information about Facebook users:
> Full name of User
> Mobile number or Email Address
> Profile Pic
Endpoint :
POST /login/async/known_user_block/?login_id=[MOBILE_NUMBER or EMAIL_ADDRESS] HTTP/1.1
Host: www.facebook.com
Content-Length: 44
__user=0&__a=1&__dyn=x&__req=1&lsd=x&__rev=x
This endpoint was not rate limited!
It was not a normal user enumeration: the full name and profile picture were disclosed, and mobile numbers/email addresses set to "only me" privacy were also disclosed via this endpoint!
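The detection a defender would want for an unthrottled lookup endpoint like the one above, as an added example that is not part of the original post: a short script that parses constructed (not real) access-log lines and flags any client that queries many distinct login_id values within a short window. The log format, the field order and the thresholds are assumptions.

```python
from collections import defaultdict, deque
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (not real Facebook logs):
# "<unix_ts> <client_ip> <method> <request_target>"
SAMPLE_LOG = """\
1449300000 203.0.113.5 POST /login/async/known_user_block/?login_id=%2B15550000001
1449300001 203.0.113.5 POST /login/async/known_user_block/?login_id=%2B15550000002
1449300002 203.0.113.5 POST /login/async/known_user_block/?login_id=%2B15550000003
1449300003 203.0.113.5 POST /login/async/known_user_block/?login_id=%2B15550000004
1449300004 203.0.113.5 POST /login/async/known_user_block/?login_id=%2B15550000005
1449300005 203.0.113.5 POST /login/async/known_user_block/?login_id=%2B15550000006
1449300010 198.51.100.7 POST /login/async/known_user_block/?login_id=alice%40example.com
1449300040 198.51.100.7 POST /login/async/known_user_block/?login_id=alice%40example.com
1449300041 198.51.100.7 GET /home.php
"""

ENDPOINT = "/login/async/known_user_block/"

def parse_line(line):
    """Return (ts, client, login_id) for a lookup request, or None for any other request."""
    ts, client, method, target = line.split(" ", 3)
    parts = urlsplit(target)
    if method != "POST" or parts.path != ENDPOINT:
        return None
    login_id = parse_qs(parts.query).get("login_id", [None])[0]
    return int(ts), client, login_id

def find_enumerators(log_text, window=60, max_distinct=5):
    """Flag clients that look up more than max_distinct different login_ids
    inside any sliding window of `window` seconds. Repeated lookups of the
    same login_id (a user retrying their own login) do not count as distinct."""
    recent = defaultdict(deque)   # client -> deque of (ts, login_id) within the window
    flagged = {}                  # client -> highest distinct count observed
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, client, login_id = parsed
        q = recent[client]
        q.append((ts, login_id))
        while q and ts - q[0][0] > window:   # drop entries that fell out of the window
            q.popleft()
        distinct = {lid for _, lid in q}
        if len(distinct) > max_distinct:
            flagged[client] = max(flagged.get(client, 0), len(distinct))
    return flagged
```

The same per-client sliding window, applied before the handler runs instead of over logs, is the rate limit the endpoint was missing.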
That's all ;)
Actually, the mentioned endpoint was available to only a very small subset of users, so the impact was very low; otherwise this might be called a perfect privacy leakage issue!
Thanks to Facebook security team for fixing this one!
Due to this one and one more, I am listed in the Facebook Hall of Fame 2016!
Update: On 10th Feb '16, I got an email from the Facebook security team on this ticket saying "After further review of this issue, we have decided to increase the reward to $1500 USD total."
I am very thankful to the Facebook Security Team for taking another look at this issue without my request! :-) It's impressive!
Thanks for reading!
Twitter : https://twitter.com/shailesh4594
Report Timeline:
============
5 December 2015 - Report Sent
8 December 2015 - Asked for more information by Facebook (Due to abnormal endpoint)
8 December 2015 - More information sent
18 December 2015 - Escalation by Facebook
29 December 2015 - Bounty Awarded of $500 USD by Facebook :) (First Bounty)
8 January 2016 - Fix Deployed by Facebook
10 February 2016 - Bounty Awarded of $1000 USD by Facebook :) (Second Bounty)
Comments:
========
Nice :)
Thanks :-)
Thanks :-)
gr8 work :)
Thank You! :-)
Great Shailesh, also regarding the WordPress security issue that you reported, if you could write on that as well.
Thanks! :-)
Sure, I'll write about the WordPress security issue in the upcoming days.
Are you available for part-time jobs? If yes, please contact me at saimohit2000@forward.cat (or @gmail.com)
Congratulations Shailesh. Well done comrade. Good to see these types of minor security issues are being fixed. This could certainly be used by the wrong people under the right circumstances, just like any vulnerability. Well done sir :).
Thanks a lot :-)
Kudos Champ! I did see you on Quora's Hall of Fame, then stumbled upon your Twitter and finally this. Keep it going
Thank you so much! :-)