Monday, 1 February 2016

Information Disclosure in Facebook - PoC by Shailesh Suthar



Hello!

I found a vulnerability in which i was able to disclose following information of Facebook users.

> Full name of User
> Mobile number or Email Address
> Profile Pic

Endpoint :

POST /login/async/known_user_block/?login_id=[MOBILE_NUMBER or EMAIL_ADDRESS] HTTP/1.1
Host: www.facebook.com
Content-Length: 44

__user=0&__a=1&__dyn=x&__req=1&lsd=x&__rev=x

This endpoint was not rate limited!

It was not a normal user enumeration because full name and profile pic were disclosed and also, mobile numbers/email addresses with "only me" privacy were disclosed via this endpoint!

That's all ;)

Actually, Mentioned endpoint was available to just a very small subset of users (only a very small subset of users could use the endpoint) so impact was very low otherwise this might be called a perfect privacy leakage issue!

Because of very limited impact, i got a minimum reward from Facebook.
Thanks to Facebook security team for fixing this one!

Due to this one and one more, I am listed in Facebook Hall of Fame - 2016!

Update : On 10th Feb'16, I got an email from Facebook security team on this ticket that "After further review of this issue, we have decided to increase the reward to $1500 USD total."

I am very thankful to The Facebook Security Team for taking another look of this issue without my request! :-) It's impressive!

Thanks for reading!
  
Twitter : https://twitter.com/shailesh4594

Report Timeline:
============
5 December 2015    - Report Sent
8 December 2015    - Asked for more information by Facebook (Due to abnormal endpoint)
8 December 2015    - More information sent
18 December 2015  - Escalation by Facebook
29 December 2015  - Bounty Awarded of $500 USD by Facebook :) (First Bounty)
8 January 2016       - Fix Deployed by Facebook
10 February 2016    - Bounty Awarded of $1000 USD by Facebook :) (Second Bounty)
 

14 comments :

  1. Great Shailesh, also regarding the wordpress security issue that you reported, if you could write on that as well.

    ReplyDelete
    Replies
    1. Thanks! :-)
      Sure, I'll write about WordPress security issue in upcoming days.

      Delete
  2. Are you available for part-time jobs? If yes, please contact me at saimohit2000@forward.cat(or @gmail.com)

    ReplyDelete
  3. Congratulations Shailesh. Well done comrade. Good to see these type of minor security issues are being fixed. This could certainly be used by the wrong people under the right circumstances just like any vulnerabilities. Well done sir :).

    ReplyDelete
  4. Kudos Champ! I did see you on Quora's Hall of fame, then stumbled upon your twitter and finally this. Keep it going

    ReplyDelete
  5. These are some great tools that i definitely use for SEO work. This is a great list to use in the future..
    Facebook

    ReplyDelete