Saturday, 21 July 2018

IDOR on Facebook: a malicious person can add people to a page's "Top Fans"

Hi, hackers all over the world



Today I will write up the story of this report, which I submitted after discovering a security issue on Facebook.

  • General information
    Vulnerability Type: Privacy / Authorization
    Product Area: Pages

  • Technical details of the bug
       After digging around in Facebook looking for possible bugs, I noticed that Facebook had recently added a feature that lets fans of a page submit a request to be listed as one of that page's "Top Fans". Facebook made this optional: a fan who wants to be listed sends the request through the notification they receive.

After poking around in the HTTP requests, I found that the endpoint used to send a request to join the "Top Fans" list did not verify that the fan being added was actually the user sending the request.
The security flaw I discovered allows a malicious person to add other users to a page's "Top Fans" list without those users ever sending or approving the request.

  • Impact
The impact of this issue is on privacy more than on security.

An attacker can find people who are interested in a page simply by following who comments on or likes its posts, and then add them to that page's "Top Fans" list.

The attacker cannot access any user data. But I may interact with a page without liking its content, and I think being labelled one of its top fans without my consent is a violation of my privacy.
  • Steps
1. Facebook sends a notification to users who follow certain pages and whom Facebook considers the "Top Fans" of the page.

2. The malicious person clicks on the "Top Fans" notification Facebook has sent him:

https://web.facebook.com/top_fans/fan_opt_in_dialog/?page_id=[PageID]&fan_id=[UserID]

3. After clicking on the "display Top Fans badge" icon, the request is intercepted.

4. The attacker modifies the link so that it carries the victim's information:
https://web.facebook.com/top_fans/fan_opt_in/?status=OPTED_IN&entry_point=notification&creator_id=[Page ID]&fan_id=[Victim ID]&dpr=1

5. Send the request after editing.

6. Now the target person has been added to the list of the "Top Fans" without his knowledge and without ever having sent the request.
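The root cause described above is that the opt-in endpoint acted on a client-supplied fan_id instead of the authenticated user. The following Python example is added here to illustrate that point; it is not Facebook's code and not part of the original report. It models a hypothetical opt-in handler in two forms (the vulnerable one that trusts fan_id, and a hardened one that binds the action to the session user), plus a small detection sweep over constructed access-log lines that flags requests whose fan_id differs from the user who sent them. All IDs, URLs in the log lines and the store are constructed placeholders.

```python
from dataclasses import dataclass, field
from urllib.parse import urlsplit, parse_qs


@dataclass
class TopFansStore:
    """Hypothetical in-memory stand-in for a page's 'Top Fans' list (not Facebook's storage)."""
    # page_id -> set of fan_ids that have opted in
    opted_in: dict = field(default_factory=dict)

    def add(self, page_id: str, fan_id: str) -> None:
        self.opted_in.setdefault(page_id, set()).add(fan_id)

    def members(self, page_id: str) -> set:
        return set(self.opted_in.get(page_id, set()))


def parse_opt_in_request(url: str) -> dict:
    """Extract the query parameters of an opt-in URL of the shape shown in the write-up."""
    qs = parse_qs(urlsplit(url).query)
    return {key: values[0] for key, values in qs.items()}


def opt_in_vulnerable(session_user_id: str, params: dict, store: TopFansStore) -> tuple:
    """Models the flaw: the client-supplied fan_id is trusted and never compared to the session."""
    if params.get("status") != "OPTED_IN":
        return 400, "bad status"
    page_id = params["creator_id"]
    fan_id = params["fan_id"]  # attacker-controlled; session_user_id is never consulted
    store.add(page_id, fan_id)
    return 200, f"{fan_id} opted in to {page_id}"


def opt_in_hardened(session_user_id: str, params: dict, store: TopFansStore) -> tuple:
    """Binds the opt-in to the authenticated user; a mismatching fan_id is rejected with 403."""
    if params.get("status") != "OPTED_IN":
        return 400, "bad status"
    page_id = params["creator_id"]
    fan_id = params.get("fan_id", session_user_id)
    if fan_id != session_user_id:
        # Worth logging: the caller is trying to opt in an account other than their own
        return 403, f"fan_id {fan_id} does not match authenticated user {session_user_id}"
    store.add(page_id, session_user_id)  # only ever the caller's own id is written
    return 200, f"{session_user_id} opted in to {page_id}"


# Constructed access-log lines: "<authenticated user id> <requested URL>"; not real traffic.
SAMPLE_LOG = [
    "FAN_7 https://web.facebook.com/top_fans/fan_opt_in/?status=OPTED_IN&entry_point=notification&creator_id=PAGE_1&fan_id=FAN_7&dpr=1",
    "ATTACKER_1 https://web.facebook.com/top_fans/fan_opt_in/?status=OPTED_IN&entry_point=notification&creator_id=PAGE_1&fan_id=VICTIM_9&dpr=1",
    "FAN_3 https://web.facebook.com/top_fans/fan_opt_in_dialog/?page_id=PAGE_1&fan_id=FAN_3",
]


def find_idor_attempts(log_lines: list) -> list:
    """Detection sweep: return (user, fan_id, creator_id) for every line where fan_id != user."""
    hits = []
    for line in log_lines:
        user, url = line.split(" ", 1)
        params = parse_opt_in_request(url)
        if "fan_id" in params and params["fan_id"] != user:
            hits.append((user, params["fan_id"], params.get("creator_id")))
    return hits


if __name__ == "__main__":
    forged = parse_opt_in_request(SAMPLE_LOG[1].split(" ", 1)[1])
    weak, strong = TopFansStore(), TopFansStore()
    print("vulnerable:", opt_in_vulnerable("ATTACKER_1", forged, weak), weak.members("PAGE_1"))
    print("hardened:  ", opt_in_hardened("ATTACKER_1", forged, strong), strong.members("PAGE_1"))
    print("suspicious log lines:", find_idor_attempts(SAMPLE_LOG))
```

The hardened handler shows the usual fix for this class of IDOR: the identity being acted on is taken from the authenticated session, and any client-supplied identifier is only accepted if it agrees with it. The log sweep gives a defender a cheap retrospective check for the same mismatch.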




  • PoC


  • Timeline
27-Jun-2018 The report was submitted
27-Jun-2018 The vulnerability was accepted
29-Jun-2018 The security team told me they were patching the vulnerability
29-Jun-2018 Re-tested and showed that the security defect still existed
05-Jul-2018 The report was reopened
17-Jul-2018 Patch completed
19-Jul-2018 Reward paid

