Thursday, 12 June 2014

Sunday, 1 September 2013

Delete any Photo from Facebook by Exploiting Support Dashboard

08:42 Posted by Arul Kumar 100 comments


Hi,
I would like to share a critical bug in Facebook which led to deleting any photo from Facebook without user interaction. At first, the Facebook team was not able to recognize this bug, so I sent them a video proof of concept & clearly explained the bug with the help of demo accounts. The Facebook team recognized my bug after I sent the video POC. The interesting part is that in that video I exploited Mark Zuckerberg's photo from his photo album & I did not remove his photo. Now it has been fully fixed & Facebook has rewarded me $12,500 (US Dollars) for finding this critical bug. In 2013, this is the second time I am going to receive a bounty from Facebook. Facebook already rewarded me $1500 for finding 3 open redirectors. If you want to know about that, click this.

Dismissal Response:

 
Bug Approval:

 
Bounty Details:

 

Before going into the bug explanation, just think for a second about this:
How would you feel if anybody removed photos from your Facebook profile that have a lot of likes & comments?

How would you feel if anybody removed important photos which you have tagged & shared?

How would you feel if anybody removed your Suggested Posts?

Bug Details:
[#] Title:  Delete any Photo from Facebook by Exploiting Support Dashboard.
[#] Worth: 12,500$ (US Dollars)
[#] Status: Fixed
[#] Severity : Very High
[#] Author: Arul Kumar.V
[#] Email: vulnerable2arul@gmail.com

Description:
The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week.

Mainly this flaw exists on the mobile domain. In the Support Dashboard, if a reported photo was not removed by the Facebook team, the user has the other option of sending a photo removal request to the owner via messages. If the user sends a claim message, the Facebook server will automatically generate a photo removal link & send it to the owner. If the owner clicks that link, the photo will be removed.

This flaw exists while sending the message. I can manually modify the Photo_id & the owner's Profile_id so that I am able to receive any photo removal link in my inbox. It would be done without any user's interaction. Also, Facebook will not notify the owner if his photo was removed.
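The missing check, as an added example that is not Facebook's code: a toy model of the claim-message flow with the flawed handler beside a hardened one. All function names, the report check and the sample data are assumptions made for illustration.

```python
import secrets

# Constructed sample data; every name here is hypothetical.
PHOTO_OWNERS = {"1001": "alice", "1002": "bob"}   # photo id -> owner profile id
REPORTS = {"mallory": {"1002"}}                   # reporter -> photo ids reported
TOKENS = {}                                       # token -> (photo id, owner)
INBOX = {}                                        # profile id -> removal tokens


def _issue(photo_id, recipient):
    """Create a removal token and deliver it to the recipient's inbox."""
    token = secrets.token_urlsafe(16)
    TOKENS[token] = (photo_id, PHOTO_OWNERS.get(photo_id))
    INBOX.setdefault(recipient, []).append(token)
    return token


def send_claim_vulnerable(session_user, cid, rid):
    """Flawed pattern: photo id and recipient both come from the request."""
    return _issue(cid, rid)


def send_claim_hardened(session_user, cid, rid=None):
    """Recipient is looked up server-side; the request value is only compared."""
    owner = PHOTO_OWNERS.get(cid)
    if owner is None:
        raise LookupError("unknown photo")
    if cid not in REPORTS.get(session_user, set()):
        raise PermissionError("caller never reported this photo")
    if rid is not None and rid != owner:
        raise PermissionError("recipient is not the photo owner")
    return _issue(cid, owner)


def redeem(session_user, token):
    """Second layer: the link only works for the owner recorded at issue time."""
    photo_id, owner = TOKENS.get(token, (None, None))
    if photo_id is None or session_user != owner:
        raise PermissionError("token not valid for this account")
    del TOKENS[token]                 # single use
    PHOTO_OWNERS.pop(photo_id)        # the photo is removed
    return photo_id
```

Binding the token to the owner at issue time means that even a link delivered to the wrong inbox cannot be redeemed from another account.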

Impact of this Bug:
1)      We can remove any photo from verified real users & Pages such as Mark Zuckerberg, Eminem, Rihanna and so on.

2)      We can remove any Shared & Tagged photos.

3)      We can remove any User’s photo from his Status & Photo album.

4)      We can remove any photo from a Page, Group and so on.

5)      We can remove Photo from Suggested Post & also from Comments.

Requirements:
These are the things that we need to exploit this bug:

1)      We need two Facebook accounts to delete anyone's photo permanently.
One account will act as "Sender" to send the claim message. The other account will act as "Receiver", which receives the photo removal link from the sender.

2)      Before deleting a photo, we should gather the photo_id (fbid) of the photo we need to remove and also the profile_id of the receiver to receive the photo removal message.

How this Exploit Works:




Steps to Reproduce:

1)      As I told before, you should use two real accounts to exploit this.
Consider one as "Sender" & the other as "Receiver". Make sure both are logged in at the same time.

2)      Every photo has an "fbid" value. Click a photo anywhere on Facebook, such as in status updates, pages, groups, etc. Then look at the URL; you will be able to find the Photo_id value & copy it (i.e. just copy down the numerical "fbid=" value).

3)      After that we should gather the "Profile_id" value of the receiver profile. You are using two Facebook accounts. Choose one profile as the receiver to receive the photo removal link.
By using http://graph.facebook.com/ you can find the "profile_id" of the receiver. Just copy down the numerical profile id of the receiver profile.

4)      So we have gathered two values:
         a)Photo_id  (Target Photo to remove without user’s interaction)
         b)Profile_id  (To receive Photo Removal Request from sender)
               
Vulnerable URL & Parameters: 

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL: you can find the "cid" & "rid" parameters at the end. These are the vulnerable parameters through which we are able to send the photo removal link of any photo to my receiver's inbox by modifying the values of "photo_id" & "profile_id".

where,
    cid=  Photo_id (Just include your target photo’s Id value as "cid" input)
    rid=  Profile_id (You need to include receiver’s Profile ID as "rid" input)

After including those values, press Enter. Then, if you click the "Continue" button, Facebook will automatically send the photo removal link to your receiver profile. From your receiver profile, you are able to remove the photo which you added in that vulnerable parameter. Now this bug has been fully fixed.

Video POC:
Kindly Watch this Video in HD for Best Quality.





Screenshots:


















Now this Bug has Been Fixed Fully :) Here is the Screenshot :)





"Tell this world loudly that there is nothing a Tamilian cannot do"

Friday, 23 August 2013

Facebook Open URL Redirector Bugs worth 1500$

02:04 Posted by Arul Kumar 5 comments
Hi, I am going to share an Open URL Redirection vulnerability in Facebook dialogs. I hope many of you already know that I was disappointed by Facebook at my first attempt due to a duplication issue. If you don't know, click this. I have already disclosed some open redirectors which are fixed now. I thought I had lost my bounty at my first attempt, but I did not lose my hope. Then I worked smartly: within 2 days I found another 3 new open redirectors in the Facebook domain. Finally it was approved by Facebook & now they have rewarded me $1500 in total which was my bounty ever. After that I got paid a bounty amount of $12,500 for finding the Photo Deletion Exploit.

Description:
[#] Title           :   Facebook Open URL Redirection Vulnerability 2013
[#] Status        :   Fixed
[#] Severity     :   Medium
[#] Works on  :   Any browser with any version
[#] Reward     :   $1500
[#] Author       :  Arul Kumar.V
I have found 3 Open URL Redirectors in Facebook's dialogs. This vulnerability is exploitable against all users who are signed into Facebook. In this report, I have included how I exploited it and redirected from the Facebook domain to malicious sites.

Impact of Vulnerability:
1. The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine.

2. The user may be subjected to phishing attacks by being redirected to an untrusted page.

3. This bug is applicable to any user who is signed in, and it works in any browser with any version.

About Facebook Dialog:
Dialogs provide a simple, consistent interface to provide social functionality to people using your apps. Dialogs do not require any additional permissions because they require someone to directly interact with them. Dialogs can be used by your application in several contexts: in a website or mobile web app, within native iOS and native Android applications, or in a game on Facebook.com

Reference: https://developers.facebook.com/docs/dialogs/

Vulnerable Dialogs:
1) Send Dialog
2) Pagetab Dialog
3) Apprequest Dialog

POC Video:
Kindly Watch this Video in HD for Best Quality.

https://vimeo.com/79752880

Proof Of Concept:
For this bug, I got a negative response from Facebook at first, because this open redirector required some user interaction: the user had to click the okay button in order to be redirected to malicious sites. The interesting part is that I bypassed that user interaction and Facebook accepted it. I have shown everything in the above video.

Whenever a user clicks any one of the vulnerable links, they will get an error with a submit button, and if they click the okay button they will be redirected to another site. Here user interaction is required. These are some vulnerable URLs which I reported at first.

https://m.facebook.com/dialog/send?next=htp://google.com
https://m.facebook.com/dialog/pagetab?next=htp://google.com
https://m.facebook.com/dialog/apprequests?next=htp://google.com


Facebook Response: 
This is the first response which I got from Facebook after submitting the above vulnerable URLs.



Bypassing User Interaction:
So I decided to bypass that user interaction. What to do? Let's have a look at the source code. In the form element, the ID & name of that element was "error_ok". So I added that "error_ok" parameter manually to the vulnerable links and gave it some value. After adding this parameter, the submit button was bypassed and I got redirected to other sites directly.

So after adding the parameter, the final vulnerable URLs become like this:
https://m.facebook.com/dialog/send?next=htp://google.com&error_ok=arul
https://m.facebook.com/dialog/pagetab?next=htp://google.com&error_ok=arul
https://m.facebook.com/dialog/apprequests?next=htp://google.com&error_ok=arul
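A defensive sketch for the two weaknesses described above, as an added example that is not Facebook's code: the `next` target is validated against an allowlist, and the confirmation step is accepted only as a POST carrying a session-bound token, so a query parameter such as error_ok has no effect. The allowed hosts, fallback path, form field name and demo key are assumptions.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}  # assumed allowlist
FALLBACK = "/home"                                      # hypothetical safe default
SECRET = b"constructed-demo-key"                        # constructed, not a real key


def safe_next(raw):
    """Return raw if it is a same-site path or an allowlisted https URL."""
    if not raw or any(c in raw for c in "\\\r\n\t"):
        return FALLBACK
    parts = urlsplit(raw)
    if not parts.scheme and not parts.netloc:
        # Relative target: exactly one leading slash, so "//host" is refused.
        ok = raw.startswith("/") and not raw.startswith("//")
        return raw if ok else FALLBACK
    if parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS:
        return raw
    return FALLBACK  # covers malformed schemes such as "htp://"


def confirm_token(session_id, target):
    """Token rendered into the confirmation form, bound to session and target."""
    msg = f"{session_id}|{target}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()


def handle_dialog(method, query, form, session_id):
    """Return (status, location or page name) for a dialog request."""
    target = safe_next(query.get("next"))
    supplied = form.get("confirm_token", "").encode()
    expected = confirm_token(session_id, target).encode()
    if method == "POST" and hmac.compare_digest(supplied, expected):
        return 302, target
    # Query-string values, including error_ok, never count as confirmation.
    return 200, "confirm-page"
```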

Once again, I sent the above final vulnerable URLs to Facebook :) This is their response.




Bounty Confirmation:
Finally Facebook confirmed this bug after one month and rewarded me $1500 for this finding.
Thank You,
Arul Kumar.V