on Friday, February 24, 2017



When a new Facebook account is created, a verification code is sent to the user's email to confirm their identity. The email contains an option to disavow the confirmation link in case the email address was misused or used by someone else to create an account.

The link behind "Didn't sign up for Facebook?" has a confirmation code in it, which is a 5 digit code:





The parameter "c" could be brute-forced by an attacker to find the right confirmation code and disable someone's unverified Facebook account.
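The root cause is a 5 digit code (100,000 possibilities) that could be guessed without limit. Below is an added example, not Facebook's code, of how a disavow code can be issued and checked so that guessing is capped: a CSPRNG-generated code, constant-time comparison, single use, an expiry, and a per-code attempt limit after which the code is burned and a new one must be issued. The class name, the attempt limit and the expiry value are assumptions for illustration.

```python
import hmac
import secrets
import time

CODE_DIGITS = 5          # the page's 5-digit code: only 10**5 possible values
MAX_ATTEMPTS = 5         # assumption: burn the code after this many wrong guesses
TTL_SECONDS = 24 * 3600  # assumption: a disavow code is valid for one day


class DisavowCodes:
    """Issues and checks per-account disavow codes with attempt limiting (hypothetical)."""

    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested offline
        self._codes = {}       # account_id -> {"code": str, "tries": int, "expires": float}

    def issue(self, account_id):
        # Generate the code with a CSPRNG; the short length is the page's, not a recommendation.
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._codes[account_id] = {"code": code, "tries": 0,
                                   "expires": self._now() + TTL_SECONDS}
        return code

    def check(self, account_id, guess):
        entry = self._codes.get(account_id)
        if entry is None or self._now() > entry["expires"]:
            self._codes.pop(account_id, None)   # unknown, already used or expired
            return False
        entry["tries"] += 1
        # Constant-time comparison so response timing does not leak matching prefixes.
        if hmac.compare_digest(entry["code"], str(guess)):
            del self._codes[account_id]         # single use: a code never validates twice
            return True
        if entry["tries"] >= MAX_ATTEMPTS:
            del self._codes[account_id]         # burn it; brute force cannot continue
        return False


if __name__ == "__main__":
    store = DisavowCodes()
    real = store.issue("acct-1")
    wrong = "00000" if real != "00000" else "00001"
    for _ in range(MAX_ATTEMPTS):
        store.check("acct-1", wrong)            # five wrong guesses burn the code
    print("correct code after lockout accepted:", store.check("acct-1", real))  # False
```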

Facebook fixed this after it was reported to the security team.



Report sent : 29 Aug 2014
Escalation : 29 Aug 2014
Fix : 23 October 2014
Bounty awarded : 23 October 2014
on Wednesday, August 12, 2015
on Thursday, March 26, 2015

I have written about an interesting clickjacking bug I found in Facebook on a friend's blog; I hope you will find it useful.

on Thursday, November 6, 2014






Oculus VR, one of the Facebook acquisitions, was vulnerable to many severe issues including RCE, multiple SQL injections, and multiple CSRFs.

Many researchers such as Jon of Bitquark, Inti De Ceukelaire, and Josip Franjković squeezed it to a more secure level. I knew that all the low-hanging fruit might already be gone. Nevertheless, I gave it a shot. It is my second finding on Oculus; the first was something which allowed me to add anyone's email to an account and verify it without their interaction by crafting a verification link. This one is somewhat similar: it enabled me to reset someone's password and authenticate into their account. Each time I reproduced the request, I got access to a different account, whose password was changed as well.

After trying many known tricks to bypass the protection there, with zero results, an idea struck me. This trick used arrays in query parameters to confuse the web application and give out what I really wanted.








Bingo!!!


A nice bounty followed up after it was reported to the security team.



Hope you guys enjoyed it.
on Saturday, December 7, 2013


This post is about a simple bug I found in Facebook which allowed me to chat with any non-friend minor.
It is a privacy issue where a user could send messages to a minor who is a total stranger, when they shouldn't be able to.

According to Facebook,
Minors can receive messages only from people who are friends of friends and people who have their contact information (ex: email address or phone number). This may include adults they don’t know.

But it was easy for an unknown adult to send messages to a minor.

For a minor who had changed his/her message preferences from Basic Filtering to Strict Filtering (for more privacy)
in privacy settings, this simple trick worked.

Do a graph check to get the fbid:
http://graph.facebook.com/victim

Visit
https://www.facebook.com/messages/<fbid of the minor>

The name of the minor appeared in the "To:" field.
I sent a "hi" without seeing any error, as usual.
Then I logged in to the minor's account to check if the message was received. The message showed up right in their inbox.

The issue was fixed and I was awarded a bounty after it was reported to the security team.