Hi, I would like to share one critical bug in Facebook which leads to deleting any photo from Facebook without user interaction. At first, the Facebook team was not able to recognize this bug, so I sent them a video proof of concept and clearly explained the bug with the help of demo accounts. The Facebook team recognized my bug after I sent the video POC. The interesting part is that in that video I exploited Mark Zuckerberg's photo from his photo album, and I did not remove his photo. Now it has been fixed fully, and Facebook has rewarded me 12,500$ (US dollars) for finding this critical bug. In 2013, this is the second time I am going to receive a bounty from Facebook. Facebook already rewarded me 1500$ for finding 3 open redirectors. If you want to know about that, click this.
Dismissal Response: Bug Approval: Bounty Details:
Before going into the bug explanation, just think for a second about this:
How would you feel if anybody removed photos from your Facebook profile which have more likes and comments?
How would you feel if anybody removed important photos which you have tagged and shared? How would you feel if anybody removed your suggested posts?
[#] Title : Delete any Photo from Facebook by Exploiting Support Dashboard
[#] Reward : 12,500$ (US Dollars)
[#] Severity : Very High
[#] Author : Arul Kumar.V
[#] Email : firstname.lastname@example.org
Support Dashboard is a portal designed to help you track the progress of the
reports you make to Facebook. From your Support Dashboard, you can see if
your report has been reviewed by Facebook employees who assess reports 24 hours
a day, seven days a week.
This flaw exists on the mobile domain. In the Support Dashboard, if a reported photo was not removed by the Facebook team, the user has the other option of sending a photo removal request to the owner via messages. If the user sends a claim message, the Facebook server will automatically generate a photo removal link and send it to the owner. If the owner clicks that link, the photo will be removed.
This flaw exists while sending the message. I can manually modify Photo_id and OwnersProfile_id so that I am able to receive any photo removal link in my inbox. It is done without any user's interaction. Also, Facebook will not notify the owner if his photo was removed.
Impact of this Bug:
1) We can remove any photo from verified real users and Pages such as Mark Zuckerberg, Eminem, Rihanna and so on.
2) We can remove any shared and tagged photos.
3) We can remove any user's photo from his status and photo album.
4) We can remove any photo from a Page, Group and so on.
5) We can remove a photo from a Suggested Post and also from comments.
These are the things that we need to exploit this bug:
1) We need two Facebook accounts to delete anyone's
One account will act as "Sender" to send the claim message. Another account will act as "Receiver" who receives the photo removal link from
deleting a photo, we should gather the photo_id (fbid) which we need to remove and also the profile_id of the receiver to receive the photo removal message.
How this Exploit Works:
Steps to Reproduce:
1) As I said before, you should use two real accounts to exploit this. Consider one as "Sender" and the other as "Receiver". Make sure both are logged in at the same time.
2) Every photo has an "fbid" value. Click a photo anywhere on Facebook, such as in status updates, pages, groups, etc. Then look at the URL: you will be able to find the Photo_id value. Copy it, i.e. just copy down the numerical "fbid=" value.
3) After that, we should gather the "Profile_id" value of the receiver profile. You are using two Facebook accounts. Choose one profile as receiver to receive the photo removal link.
By using http://graph.facebook.com/ you can find the "profile_id" of the receiver. Just copy down the numerical profile id of the receiver profile.
4) So we have gathered two values:
a) Photo_id (target photo to remove without user's interaction)
b) Profile_id (to receive the photo removal request from the sender)
Look at the URL
You will be able to find the "cid" and "rid" parameters at the end. These are the vulnerable parameters through which we are able to send the photo removal link of any photo to my receiver's inbox by modifying the value of "photo_id"
(Just include your target photo's id value as the "cid" input)
rid=Profile_id (You need to include the receiver's profile ID as the "rid" input)
After including those values, press Enter. Then, if you click the "Continue" button, Facebook will automatically send the photo removal link to your receiver profile. From your receiver profile, you are able to remove the photo which you added in that vulnerable parameter. Now this bug has been fixed fully.
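The missing authorization check behind this flaw, as an added example (a toy model, not Facebook's code and not part of the original post): the claim handler trusts the client-supplied "cid" and "rid" instead of deriving the recipient from the photo's owner. The class, method names, token format and the extra ownership check at redemption are assumptions made for illustration.

```python
# Added illustration: a toy model of the claim-message flow, not Facebook's code.
import secrets

class ClaimService:
    def __init__(self, photo_owner):
        self.photo_owner = dict(photo_owner)  # photo_id -> owner profile_id
        self.tokens = {}                      # token -> (photo_id, recipient)
        self.inbox = {}                       # profile_id -> [token, ...]

    def _deliver(self, recipient, photo_id):
        token = secrets.token_urlsafe(16)     # hypothetical removal-link token
        self.tokens[token] = (photo_id, recipient)
        self.inbox.setdefault(recipient, []).append(token)
        return token

    def send_claim_vulnerable(self, cid, rid):
        # Trusts both request parameters: the link goes wherever rid points.
        return self._deliver(rid, cid)

    def send_claim_hardened(self, cid, rid=None):
        # The recipient is looked up server-side from the photo itself.
        owner = self.photo_owner.get(cid)
        if owner is None:
            raise LookupError("unknown photo")
        if rid is not None and rid != owner:
            raise PermissionError("recipient does not own this photo")
        return self._deliver(owner, cid)

    def redeem(self, token, actor):
        # Second check at redemption: only the current owner may remove.
        photo_id, recipient = self.tokens.get(token, (None, None))
        if photo_id is None or actor != recipient:
            raise PermissionError("invalid removal link")
        if self.photo_owner.get(photo_id) != actor:
            raise PermissionError("actor does not own this photo")
        del self.photo_owner[photo_id]
        del self.tokens[token]
        return photo_id

def demo():
    # Constructed data: photo 111 belongs to profile 1; profile 2 is unrelated.
    svc = ClaimService({111: 1})
    leaked = svc.send_claim_vulnerable(cid=111, rid=2)
    try:
        svc.send_claim_hardened(cid=111, rid=2)
        rejected = False
    except PermissionError:
        rejected = True
    return leaked in svc.inbox[2], rejected
```

Checking ownership again in `redeem` means a link that was misdelivered by some other path still cannot remove a photo its holder does not own.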
Video POC: Kindly watch this video in HD for best quality.
Now this bug has been fixed fully :) Here is the screenshot :)
"Say it loudly to this world: there is nothing a Tamil cannot do"
I am going to share an Open URL Redirection vulnerability in Facebook dialogs. I hope many of you already know that I was disappointed by Facebook at my first attempt due to a duplication issue. If you don't know, click this.
I have already disclosed some open redirectors which are fixed now. I thought I had lost my bounty at my first attempt, but I did not lose hope. Then I worked smartly: within 2 days I found another 3 new open redirectors in the Facebook domain. Finally it was approved by Facebook, and now they have rewarded me 1500$ in total, which was my bounty ever. After that I got paid a bounty amount of $12,500 for finding the Photo Deletion Exploit.
[#] Title : Facebook Open URL Redirection Vulnerability 2013
[#] Status : Fixed
[#] Severity : Medium
[#] Works on : Any browser with any version
[#] Reward : $1500
[#] Author : Arul Kumar.V
I have found 3 Open URL Redirectors in Facebook's dialogs. This vulnerability is exploitable against all users who are signed into Facebook. In this report, I have included how I exploited it and redirected the Facebook domain to malicious sites.
Impact of Vulnerability:
1. The user may be redirected to an untrusted page that contains malware which may then compromise the user's machine.
2. The user may be subjected to phishing attacks by being redirected to an untrusted page.
3. This bug is applicable to any user who is signed in, and it works in any browser with any version.
About Facebook Dialog:
Dialogs provide a simple, consistent interface to provide social
functionality to people using your apps. Dialogs do not require any
because they require someone to directly interact with them. Dialogs
can be used by your application in several contexts: in a website or
mobile web app, within native iOS and native Android applications, or in a game on Facebook.com
Proof Of Concept:
this bug, I got a negative response from Facebook at first, because this open redirector required some user interaction: the user should click the okay button in order to be redirected to malicious sites. The interesting part is that I bypassed that user interaction, and Facebook accepted it. I have shown everything in this above video.
Whenever a user clicks any one of the vulnerable links, they will get an error with a submit button, and if they click the okay button they will be redirected to another site. Here user interaction is required. These are some vulnerable URLs which I reported at first.
This is the first response which I got from Facebook after submitting the above vulnerable URLs
Bypassing User Interaction:
I decided to bypass that user interaction. What to do?? Let's have a look at the source code. In the form element, the ID and name of that element was "error_ok". So I added that "error_ok" parameter manually into the vulnerable links. I gave some value to that "error_ok" parameter. After adding this parameter, the submit button was bypassed and I got redirected to other sites directly.
So after adding the parameter, the final vulnerable URLs become like this:
https://m.facebook.com/dialog/send?next=htp://google.com&error_ok=arul
https://m.facebook.com/dialog/pagetab?next=htp://google.com&error_ok=arul
https://m.facebook.com/dialog/apprequests?next=htp://google.com&error_ok=arul
Once again, I sent the above final vulnerable URLs to Facebook :) This is their response.
Finally Facebook confirmed this bug after one month and rewarded me $1500 for this finding.
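How a server can close both halves of this redirect issue, as an added example (a toy model, not Facebook's code and not part of the original post): validate the "next" target, and accept the "error_ok" confirmation only from a submitted form rather than from the query string. The allowlist, the handler names and the assumed weak behaviour in handle_vulnerable are illustrative assumptions.

```python
# Added illustration: a toy model of the dialog error page, not Facebook's code.
from urllib.parse import urlsplit, parse_qsl

ALLOWED_HOSTS = {"m.facebook.com", "www.facebook.com"}  # assumed allowlist

def is_safe_next(next_url):
    """Accept same-site relative paths or https URLs on allowlisted hosts."""
    parts = urlsplit(next_url)
    if not parts.scheme and not parts.netloc:
        # Relative path; refuse "//host" and "/\host", which browsers
        # may resolve as a different origin.
        return next_url.startswith("/") and not next_url.startswith(("//", "/\\"))
    return parts.scheme == "https" and parts.hostname in ALLOWED_HOSTS

def handle_vulnerable(url):
    """Assumed weak behaviour: error_ok in the query string counts as the click."""
    params = dict(parse_qsl(urlsplit(url).query))
    if "error_ok" in params:
        return ("redirect", params["next"])
    return ("show_error_form", params["next"])

def handle_hardened(url, method="GET", form=None, csrf_valid=False):
    """Confirmation only counts from a POSTed form with a valid CSRF token,
    and the target is validated no matter how the request arrived."""
    params = dict(parse_qsl(urlsplit(url).query))
    target = params.get("next", "/")
    if not is_safe_next(target):
        target = "/"                      # fall back to a fixed safe page
    confirmed = method == "POST" and csrf_valid and "error_ok" in (form or {})
    return ("redirect" if confirmed else "show_error_form", target)

# URL shape taken from the post (the "htp" scheme is as written there).
SAMPLE = "https://m.facebook.com/dialog/send?next=htp://google.com&error_ok=arul"
```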