Saturday, 21 July 2018

IDOR on Facebook: a malicious person can add people to a page's "Top Fans" list

Hi, hackers all over the world



Today I will write up the story of this report, now that it has been disclosed, about a security issue I discovered on Facebook.

  • General information
Vulnerability type: Privacy / Authorization
Product area: Pages

  • Technical details of the bug
After digging around in Facebook looking for possible bugs, I noticed that Facebook had recently added a feature that lets fans ask to be listed as "Top Fans" of their favourite pages. Facebook made this optional: if you want to be listed, you send a request through the notification you receive, and only then are you added to the list.

After poking around in the HTTP requests, I found that the endpoint that sends the request to join the "Top Fans" list did not verify that the fan being opted in is actually the user sending the request.
The security flaw I discovered therefore allows a malicious person to add users to a page's "Top Fans" list without those users ever sending or approving a request.

  • Impact
The impact here is more a privacy issue than a security one.

An attacker can find out which people are interested in a page simply by following who comments on or likes its posts, and then add them to its "Top Fans" list.

The attacker cannot access any user data, but I may interact with a page whose content I do not like; being classified as one of its top fans without my consent is a violation of my privacy.
  • Steps
1. Facebook sends a notification to users who follow certain pages and whom Facebook considers "Top Fans" of the page.

2. The malicious person clicks on the "Top Fans" notification Facebook sent him:

https://web.facebook.com/top_fans/fan_opt_in_dialog/?page_id=[PageID]&fan_id=[UserID]

3. After clicking the "Display Top Fans badge" button, the request is intercepted.

4. The attacker modifies the link with the victim's information:
https://web.facebook.com/top_fans/fan_opt_in/?status=OPTED_IN&entry_point=notification&creator_id=[Page ID]&fan_id=[Victim ID]&dpr=1

5. Send the request after editing.

6. The target person is now added to the "Top Fans" list without their knowledge and without having sent a request.
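The root cause described above is a missing ownership check: the server trusted the `fan_id` in the query string instead of binding the opt-in to the authenticated session. The following is an added example, not Facebook's code and not part of the original report. It models the flawed handler beside a hardened one, and adds a simple log check a defender could run to spot requests whose `fan_id` does not match the session user. The `Request`/`PageStore` classes, the `session_user=` log prefix and all ids are constructed for illustration; only the `/top_fans/fan_opt_in/` path and the `status`, `creator_id` and `fan_id` parameter names come from the report.

```python
"""Added example (not Facebook's code): an IDOR-style opt-in handler, its
fixed form, and a log check. All names, ids and log lines are constructed."""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit


class Forbidden(Exception):
    """Raised when a request tries to act on an identity it does not own."""


@dataclass
class Request:
    session_user_id: str   # identity proven by the session cookie (server-side)
    fan_id: str            # identity supplied by the client in the query string
    creator_id: str        # the page id
    status: str            # e.g. "OPTED_IN"


@dataclass
class PageStore:
    """Toy stand-in for the backend that records a page's top fans."""
    top_fans: dict = field(default_factory=dict)  # page id -> set of fan ids

    def add_top_fan(self, page_id: str, fan_id: str) -> None:
        self.top_fans.setdefault(page_id, set()).add(fan_id)

    def is_top_fan(self, page_id: str, fan_id: str) -> bool:
        return fan_id in self.top_fans.get(page_id, set())


def opt_in_vulnerable(req: Request, store: PageStore) -> bool:
    """Flawed handler: trusts fan_id from the client, so any logged-in user
    can opt in anyone else. Mirrors the behaviour the report describes."""
    if req.status != "OPTED_IN":
        return False
    store.add_top_fan(req.creator_id, req.fan_id)
    return True


def opt_in_fixed(req: Request, store: PageStore) -> bool:
    """Hardened handler: the opted-in identity must be the session user.
    Note the write uses session_user_id, never the client-supplied value."""
    if req.status != "OPTED_IN":
        return False
    if req.fan_id != req.session_user_id:
        raise Forbidden("fan_id does not match the authenticated user")
    store.add_top_fan(req.creator_id, req.session_user_id)
    return True


def find_identity_mismatches(log_lines):
    """Detection: return (session_user, fan_id, creator_id) for every opt-in
    request whose fan_id differs from the authenticated session user.
    Assumes a constructed log format: 'session_user=<id> GET <path?query>'."""
    hits = []
    for line in log_lines:
        session_part, _, url = line.partition(" GET ")
        if not url or not session_part.startswith("session_user="):
            continue
        session_user = session_part.split("=", 1)[1]
        parts = urlsplit(url)
        # Only the opt-in endpoint writes to the list; the dialog does not.
        if not parts.path.startswith("/top_fans/fan_opt_in/"):
            continue
        params = parse_qs(parts.query)
        fan_id = params.get("fan_id", [None])[0]
        creator_id = params.get("creator_id", [None])[0]
        if fan_id is not None and fan_id != session_user:
            hits.append((session_user, fan_id, creator_id))
    return hits


# Constructed sample log: one legitimate dialog view, one legitimate opt-in,
# one opt-in where the session user opts in someone else, one unrelated hit.
SAMPLE_LOG = [
    "session_user=1001 GET /top_fans/fan_opt_in_dialog/?page_id=555&fan_id=1001",
    "session_user=1001 GET /top_fans/fan_opt_in/?status=OPTED_IN&entry_point=notification&creator_id=555&fan_id=1001&dpr=1",
    "session_user=1001 GET /top_fans/fan_opt_in/?status=OPTED_IN&entry_point=notification&creator_id=555&fan_id=2002&dpr=1",
    "session_user=3003 GET /home.php",
]

if __name__ == "__main__":
    store = PageStore()
    forged = Request("1001", "2002", "555", "OPTED_IN")
    print("vulnerable handler accepted forged opt-in:", opt_in_vulnerable(forged, store))
    try:
        opt_in_fixed(forged, PageStore())
    except Forbidden as exc:
        print("fixed handler rejected it:", exc)
    print("mismatches in log:", find_identity_mismatches(SAMPLE_LOG))
```

The fix is a one-line comparison, but the important design choice is that the write path uses `session_user_id` rather than the client value, so a later refactor cannot quietly reintroduce the flaw. The log check is the same comparison applied after the fact, which is how a defender would confirm whether the endpoint was ever abused.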




  • PoC


  • Timeline
27-Jun-2018  Report submitted
27-Jun-2018  Vulnerability accepted
29-Jun-2018  The security team told me they were patching the vulnerability
29-Jun-2018  Re-tested and showed that the security defect still existed
05-Jul-2018  Report reopened
17-Jul-2018  Patch completed
19-Jul-2018  Reward paid

