Bug in a Facebook acquisition allows access to anyone's account | Writeup by Uttam Soren

A couple of years ago, an Indian security researcher, Uttam Soren, found a session management bug in Moves, a Facebook acquisition: a captured session cookie kept working after the user signed out or changed their password, so anyone holding that cookie could keep accessing the account. He reported it to Facebook, and Facebook rewarded him with $1000.

What follows is his writeup, in his own words.

Since I started bug hunting in 2014 I had been trying to find bugs in Facebook, but it already has too many bug hunters hunting it and making it more secure, meaning it's not easy to find bugs on it. So I decided to look into Facebook's acquisitions. I googled and found the list of Facebook's acquisitions on the Wikipedia page (List of mergers and acquisitions by Facebook). At that time Moves was the latest acquisition of Facebook, and Moves was very much in scope.

I downloaded the Android app on my friend's Android phone, as the app was not supported on my phone. I created an account using the app and then logged in to my newly created Moves account on my laptop. It was a very simple website: you log in to your account and you can see your Account Info, Connected Apps, change your email address, change your password, sign out of the phone, export data or delete the account. I found nothing for 1/2 hours and thought it was well secured. Then I decided to check the OWASP Top 10 vulnerabilities for 2013, and Broken Authentication & Session Management was #2. I started to test Broken Authentication & Session Management on Moves. I started Burp Suite and configured it to intercept my browser's requests and responses. I logged in to the Moves account and clicked on Account Info, captured the request in Burp and sent it to Burp Repeater, then clicked on Sign Out. After signing out of the account I replayed the captured request, and in the response there was no error: the captured request was still valid.

The PLAY_SESSION=[value] cookie was not expiring after users signed out of the account. The same PLAY_SESSION=[value] could be used again and again to access the account without giving any login credentials. So if an attacker somehow got that PLAY_SESSION=[value], they could access the account without knowing the user's credentials. Also, if users found that their account had been compromised, they would change their password to secure their account, but in Moves the session was not getting invalidated after any password change. So it clearly means that if an attacker had got a user's PLAY_SESSION=[value], there was no option for the user to recover their account.

I quickly reported it to Facebook. They fixed it, rewarded me with $1000 USD and listed me on their Whitehat Thanks page.

Timeline:
=============
SUN, JUN 15, 2014 6:48 PM - Report Sent

TUE, JUN 17, 2014 3:49 AM - Escalation by Facebook

WED, JUN 18, 2014 11:31 PM - Fix Deployed by Facebook

THU, JUN 19, 2014 2:36 AM - Bounty Awarded of $1000 USD by Facebook
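The behaviour described in the writeup above, modelled as an added example; this is the editor's code, not Uttam Soren's and not the Moves application's. The cookie name PLAY_SESSION is the Play Framework's default, and Play's session is by default a signed client-side cookie with no server-side record, so the assumption made here is that the server had no way to revoke a cookie it had already issued; the page itself shows only the cookie name and the replay result. The Python below builds an HMAC-signed cookie and two toy applications around it: `StatelessSessionApp` reproduces the vulnerable behaviour (sign-out and password change both leave a captured cookie valid), and `RevocableSessionApp` adds a server-side session id plus a per-user password generation so that either event invalidates the cookie. `cookie_survives` repeats the Burp Repeater test: log in, capture the cookie, sign out (or change the password), replay the cookie against Account Info. The class and function names, the user account and the signing secret are all constructed for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets

SERVER_SECRET = secrets.token_bytes(32)  # constructed for the demo; real apps load it from config

def sign_cookie(data):
    """Serialise data and prepend an HMAC so the client cannot alter it."""
    payload = json.dumps(data, sort_keys=True).encode()
    mac = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode() + "." + base64.urlsafe_b64encode(payload).decode()

def verify_cookie(cookie):
    """Return the cookie's payload if the HMAC checks out, else None."""
    try:
        mac_b64, payload_b64 = cookie.split(".", 1)
        mac = base64.urlsafe_b64decode(mac_b64)
        payload = base64.urlsafe_b64decode(payload_b64)
    except (ValueError, TypeError, AttributeError):
        return None
    if not hmac.compare_digest(mac, hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()):
        return None
    return json.loads(payload)

class StatelessSessionApp:
    """Vulnerable: the signed cookie is the whole session; nothing server-side can revoke a copy."""

    def __init__(self, passwords):
        self.passwords = dict(passwords)  # user -> password (plaintext only for the demo)

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        return sign_cookie({"user": user})

    def logout(self, cookie):
        pass  # logout only asks the browser to drop the cookie

    def change_password(self, user, old, new):
        if self.passwords.get(user) != old:
            return False
        self.passwords[user] = new  # outstanding cookies still verify
        return True

    def account_info(self, cookie):
        data = verify_cookie(cookie)
        return data["user"] if data else None

class RevocableSessionApp(StatelessSessionApp):
    """Hardened: cookie names a server-side session id and carries the user's password generation."""

    def __init__(self, passwords):
        super().__init__(passwords)
        self.active = {}      # sid -> user
        self.generation = {}  # user -> int, bumped on every password change

    def login(self, user, password):
        if self.passwords.get(user) != password:
            return None
        sid = secrets.token_urlsafe(32)
        self.active[sid] = user
        return sign_cookie({"sid": sid, "user": user, "gen": self.generation.get(user, 0)})

    def logout(self, cookie):
        data = verify_cookie(cookie)
        if data:
            self.active.pop(data.get("sid"), None)  # revokes this one session

    def change_password(self, user, old, new):
        if not super().change_password(user, old, new):
            return False
        self.generation[user] = self.generation.get(user, 0) + 1
        self.active = {s: u for s, u in self.active.items() if u != user}  # every device
        return True

    def account_info(self, cookie):
        data = verify_cookie(cookie)
        if not data or self.active.get(data.get("sid")) != data.get("user"):
            return None
        if data.get("gen") != self.generation.get(data["user"], 0):
            return None
        return data["user"]

def cookie_survives(app_cls, event):
    """The Burp Repeater check: log in, capture the cookie, sign out (or change
    the password), then replay the captured cookie against Account Info."""
    app = app_cls({"alice": "hunter2"})
    cookie = app.login("alice", "hunter2")
    assert app.account_info(cookie) == "alice"
    if event == "logout":
        app.logout(cookie)
    elif event == "password_change":
        app.change_password("alice", "hunter2", "battery staple")
    else:
        raise ValueError(event)
    return app.account_info(cookie) == "alice"
```

Calling `cookie_survives(StatelessSessionApp, "logout")` and `cookie_survives(StatelessSessionApp, "password_change")` returns True in both cases, which is exactly the Moves finding; the same calls against `RevocableSessionApp` return False. Two design points worth noting: bumping the generation on password change logs the user out of every device, including the one that made the change, so a real application should hand that session a fresh cookie with the new generation instead of forcing a second login; and rotating the signing key would also kill outstanding stateless cookies, but for every user at once, which is why per-session and per-user revocation state is needed.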
