September 1, 2013 · vulnerability facebook bugbounty ·

Delete any Photo from Facebook by Exploiting Support Dashboard - $12,500 Bug


Hello,

I would like to share a critical bug on Facebook which allowed deleting any photo without user interaction. At first, the Facebook team could not reproduce this bug, but I did not give up. Later, I sent them a video proof of concept and clearly explained the bug with the help of demo accounts. This security vulnerability has now been fully patched, and Facebook has rewarded me $12,500 for reporting it.

Initial Response from Facebook


Bug Approval


Bounty Confirmation


Observation

The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week. (Excerpt from Facebook Notes)

This flaw exists mainly in the mobile domain. In the Support Dashboard, if a reported photo was not removed by the Facebook team, the user has another option: sending a photo removal request to the photo owner via messages. If the user sends a claim message, the Facebook server automatically generates a photo removal link and sends it to the owner. If the owner clicks that link, the photo is removed.

Due to improper server-side validation, an attacker could exploit this by manipulating the photo_id and the owner's profile_id in order to receive the photo removal link for any photo in his own messages. It was then trivial for the attacker to remove any user's photo by visiting that photo removal link. Facebook also did not notify users when a photo was removed from their account.

How this Vulnerability Works


Vulnerable URL


In the mentioned URL, the cid and rid parameters are vulnerable: an attacker could have the photo removal link for any photo sent to his own inbox by modifying the values of photo_id and profile_id.

where:
cid = Photo_id (the target photo to be removed)
rid = Profile_id (the attacker's own profile id)
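As an added illustration (not the post's or Facebook's own code), here is a constructed server-side claim handler that contrasts the trusting behaviour described above with one that binds the claim to a report the requester actually filed and derives the recipient from the photo record. All data, identifiers and function names are hypothetical.

```python
import hashlib
import hmac
import secrets

# Constructed sample backend data (hypothetical, not Facebook's schema).
PHOTOS = {101: {"owner": 7}, 102: {"owner": 8}}
# Support Dashboard reports: report_id -> who filed it and which photo it covers.
REPORTS = {5001: {"reporter": 9, "photo": 101}}
SECRET = secrets.token_bytes(32)


def issue_token(cid, owner, report_id):
    """Removal-link token bound to the photo, its owner and the originating report."""
    msg = f"{cid}:{owner}:{report_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def vulnerable_claim(requester, cid, rid):
    """Behaviour the post describes: cid/rid are trusted as supplied, so the
    link for any photo can be routed to any recipient, including the requester."""
    return {"to": rid, "photo": cid, "token": issue_token(cid, rid, 0)}


def hardened_claim(requester, report_id, cid):
    """Fixed handler: the claim must reference a report the requester filed for
    this exact photo, and the recipient comes from the photo record, never
    from a client-supplied profile_id."""
    report = REPORTS.get(report_id)
    if report is None or report["reporter"] != requester:
        raise PermissionError("no such report for this user")
    if report["photo"] != cid:
        raise PermissionError("photo does not match the report")
    owner = PHOTOS[cid]["owner"]
    return {"to": owner, "photo": cid, "token": issue_token(cid, owner, report_id)}


def redeem_removal_link(clicker, cid, report_id, token):
    """Second gate on click: the token must verify and the clicker must be the
    real owner, so a leaked or misrouted link alone cannot delete the photo."""
    owner = PHOTOS[cid]["owner"]
    expected = issue_token(cid, owner, report_id)
    return hmac.compare_digest(expected, token) and clicker == owner
```

The hardened path also gives the server a natural point to notify the owner when a removal actually happens.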

Video POC

Hall of Fame
