Here's the full story of how I earned an $8,000 USD bounty from Facebook by finding three (3) different vulnerabilities in Facebook Pages.
After discovering the new feature, I immediately looked for a flaw and quickly found three (3) vulnerabilities:
- Unauthorized Access to General Settings - By default, only the Admin can access this.
- Vertical Privilege Escalation in the Download Page feature
- Insecure Direct Object Reference in the Download Page feature
I conducted some research about Facebook Pages and found this page:
With that, I already knew there was a security issue, because as an Editor of a Facebook Page I was able to access the General Settings.
I continued my research and found another page:
The "Download Page" feature is accessible to the Facebook Page Admin only. If you're not an admin, you are not allowed to download a copy of the page.
Initially, I created two (2) different accounts and one (1) Facebook Page.
- Account A: Admin
- Account B: Editor
Using the Admin-role account, I downloaded a copy of the Facebook Page and captured the request with Burp Suite.
The POST requests are like this:
With that kind of request, I immediately thought of other possible scenarios, like "What if I can also download a copy of other Facebook Pages?"
But before that, I continued exploiting the Privilege Escalation. I sent the POST request to the Repeater tab of Burp and replaced the Admin account's session with the Editor account's session.
I sent the request back to Facebook and it worked! I was able to download a copy of the Facebook Page without having the Admin role.
Insecure Direct Object Reference
Going back to the other scenario, I used the same POST request and only changed the value of the page_id parameter from 12345 to the Page ID of another Facebook Page.
Then I sent the request back to Facebook and it worked!
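As an added illustration (not Facebook's code; the page IDs, user IDs and role table are constructed), here is a minimal model of the server-side check behind the Download Page feature: the flawed version accepts any session that holds some role on the page and never looks at the page_id in the request, which is exactly the combination that allows both the Editor download and the page_id substitution described above, while the fixed version authorizes against the requested page and requires the Admin role.

```python
# Added example (not Facebook's code): a minimal model of the "Download Page"
# authorization decision. All identifiers and roles below are constructed.
from dataclasses import dataclass

# Constructed page membership: page_id -> {user_id: role}
PAGE_ROLES = {
    12345: {"user_a": "admin", "user_b": "editor"},
    67890: {"user_c": "admin"},
}


@dataclass
class Session:
    user_id: str
    page_id: int  # the page the session was opened on in the UI


def download_page_vulnerable(session: Session, requested_page_id: int) -> bool:
    """Flawed check: only verifies that the caller holds *some* role on the
    page the session belongs to. It never checks which role (an Editor session
    passes: vertical privilege escalation) and never ties the decision to the
    page_id sent in the request (any page_id is accepted: IDOR)."""
    return session.user_id in PAGE_ROLES.get(session.page_id, {})


def download_page_fixed(session: Session, requested_page_id: int) -> bool:
    """Corrected check: the decision is made against the object named in the
    request, and the caller's role on that object must be 'admin'."""
    role = PAGE_ROLES.get(requested_page_id, {}).get(session.user_id)
    return role == "admin"


def evaluate(check) -> dict:
    """Replay the three requests from the write-up against a check function."""
    admin = Session("user_a", 12345)
    editor = Session("user_b", 12345)
    return {
        "admin_own_page": check(admin, 12345),
        "editor_own_page": check(editor, 12345),   # Editor session swapped in
        "admin_other_page": check(admin, 67890),   # page_id changed to another page
    }
```

`evaluate(download_page_vulnerable)` allows all three requests; `evaluate(download_page_fixed)` allows only the Admin downloading their own page.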
How did the Facebook Security Team fix these vulnerabilities?
- If you're an Editor of a Facebook Page, you can no longer access the General Settings and are redirected to the About section of the Facebook Page.
- They temporarily took down the new feature to fix the issues internally.
| Date and Time | Activity |
|---|---|
| Jan 6, 2016 1:44 AM | Report submitted to Facebook |
| Jan 7, 2016 2:16 AM | Angelo of the FB Security Team responded that they would investigate the issue. |
| Jan 9, 2016 3:44 AM | Jimio of the FB Security Team responded that they had patched the issue. |
| Jan 9, 2016 3:50 AM | I responded that the issue was no longer working on my end. |
| Jan 9, 2016 7:43 AM | Facebook rewarded me an $8,000 USD Bug Bounty. |