Hi, hackers all over the world.
Today I will write up the story of the report I submitted when I discovered a security issue on Facebook.
- General information
Vulnerability Type
- Privacy / Authorization
Product Area
- Pages
- Technical details of the bug.
After digging around in Facebook looking for possible bugs, I noticed that Facebook had recently added a feature that lets fans of a page request to be listed among that page's "Top Fans". Facebook made this optional: if you want to be added to the list, you send a request through the notification you received.
After poking around in the HTTP requests, I found that the endpoint used to send a request to join the "Top Fans" list did not verify that the sender is actually the user being added.
The security flaw allows a malicious person to add users to a page's "Top Fans" list without those users ever sending or approving the request.
- Impact
The impact of this issue is greater on privacy than on security.
An attacker can find people who are interested in a page simply by following who comments on or likes its posts, and then add them to the "Top Fans" list.
The attacker cannot access any user data, but a user may interact with a page without actually liking its content. Being labelled as one of that page's biggest fans without consent is a violation of that user's privacy.
- Steps
1. Facebook sends notifications to users who follow certain pages and whom Facebook considers the "Top Fans" of those pages.
2. The malicious person clicks on the "Top Fans" notification Facebook has sent him.
https://web.facebook.com/top_fans/fan_opt_in_dialog/?page_id=[PageID]&fan_id=[UserID]
3. After clicking the "display Top Fans badge" icon, the resulting request is intercepted.
4. The attacker modifies the fan_id in the request to the victim's ID.
https://web.facebook.com/top_fans/fan_opt_in/?status=OPTED_IN&entry_point=notification&creator_id=[Page ID]&fan_id=[Victim ID]&dpr=1
5. The edited request is sent.
6. The target person is now on the page's "Top Fans" list without his knowledge and without having sent the request.
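As an added example (not Facebook's code), a minimal model of the fan_opt_in endpoint from the steps above: the vulnerable handler trusts fan_id from the query string, while the fixed handler binds the action to the logged-in session and to a pending invitation. All names (TopFansStore, opt_in_vulnerable, opt_in_fixed) and the sample IDs are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

class TopFansStore:
    """Constructed in-memory stand-in for per-page 'Top Fans' lists and invites."""
    def __init__(self):
        self.lists = {}       # page_id -> set of fan ids shown as Top Fans
        self.invited = set()  # (page_id, fan_id) pairs Facebook notified (step 1)
    def add(self, page_id, fan_id):
        self.lists.setdefault(page_id, set()).add(fan_id)
    def members(self, page_id):
        return self.lists.get(page_id, set())

def parse_opt_in(url):
    # Pull the parameters the write-up shows in the fan_opt_in request
    q = parse_qs(urlsplit(url).query)
    return {k: q.get(k, [None])[0] for k in ("status", "creator_id", "fan_id")}

def opt_in_vulnerable(store, session_user, url):
    """Trusts fan_id from the request: the logged-in user can opt in anyone."""
    p = parse_opt_in(url)
    if p["status"] != "OPTED_IN":
        return False
    store.add(p["creator_id"], p["fan_id"])   # session_user never consulted
    return True

def opt_in_fixed(store, session_user, url):
    """Binds the action to the session: fan_id must be the caller and invited."""
    p = parse_opt_in(url)
    if p["status"] != "OPTED_IN":
        return False
    if p["fan_id"] != session_user:
        return False  # tampered id: the IDOR signature, worth logging server-side
    if (p["creator_id"], session_user) not in store.invited:
        return False  # no pending invitation for this page/user pair
    store.add(p["creator_id"], session_user)
    return True

def request(page_id, fan_id):
    # Build the request URL from the write-up with constructed sample ids
    return ("https://web.facebook.com/top_fans/fan_opt_in/?status=OPTED_IN"
            f"&entry_point=notification&creator_id={page_id}&fan_id={fan_id}&dpr=1")

def demo():
    """Invited user 1001 replays the request with uninvited user 2002's id."""
    weak, strong = TopFansStore(), TopFansStore()
    for s in (weak, strong):
        s.invited.add(("555", "1001"))
    opt_in_vulnerable(weak, "1001", request("555", "2002"))
    opt_in_fixed(strong, "1001", request("555", "2002"))
    opt_in_fixed(strong, "1001", request("555", "1001"))  # legitimate self opt-in
    return sorted(weak.members("555")), sorted(strong.members("555"))
```

Running demo() shows the vulnerable store listing 2002 while the fixed store lists only the self-opted-in 1001.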
I received recognition from the Facebook security team for discovering a security vulnerability in the company's Pages services. The security flaw was fixed by the company, but after re-testing it turned out I was still able to reproduce the vulnerability, so the security patch was reconsidered, and the vulnerability is currently being fixed. pic.twitter.com/4D2HA19Uhd
— Update - أب ديت (@UpdateLap) July 9, 2018
- PoC
- TimeLine
27-Jun-2018 The report was submitted
27-Jun-2018 The vulnerability was accepted
29-Jun-2018 The security team told me they were patching the vulnerability.
29-Jun-2018 Re-testing and showing that the security defect still exists
05-Jul-2018 Reopen the report
17-Jul-2018 Patches were done
19-Jul-2018 Reward paid