Monday, 1 February 2016

Information Disclosure in Facebook - PoC by Shailesh Suthar


I found a vulnerability in which i was able to disclose following information of Facebook users.

> Full name of User
> Mobile number or Email Address
> Profile Pic

Endpoint :

POST /login/async/known_user_block/?login_id=[MOBILE_NUMBER or EMAIL_ADDRESS] HTTP/1.1
Content-Length: 44


This endpoint was not rate limited!

It was not a normal user enumeration because full name and profile pic were disclosed and also, mobile numbers/email addresses with "only me" privacy were disclosed via this endpoint!

That's all ;)

Actually, Mentioned endpoint was available to just a very small subset of users (only a very small subset of users could use the endpoint) so impact was very low otherwise this might be called a perfect privacy leakage issue!

Because of very limited impact, i got a minimum reward from Facebook.
Thanks to Facebook security team for fixing this one!

Due to this one and one more, I am listed in Facebook Hall of Fame - 2016!

Update : On 10th Feb'16, I got an email from Facebook security team on this ticket that "After further review of this issue, we have decided to increase the reward to $1500 USD total."

I am very thankful to The Facebook Security Team for taking another look of this issue without my request! :-) It's impressive!

Thanks for reading!
Twitter :

Report Timeline:
5 December 2015    - Report Sent
8 December 2015    - Asked for more information by Facebook (Due to abnormal endpoint)
8 December 2015    - More information sent
18 December 2015  - Escalation by Facebook
29 December 2015  - Bounty Awarded of $500 USD by Facebook :) (First Bounty)
8 January 2016       - Fix Deployed by Facebook
10 February 2016    - Bounty Awarded of $1000 USD by Facebook :) (Second Bounty)