Sunday, 1 September 2013

Delete any Photo from Facebook by Exploiting Support Dashboard

08:42 Posted by Arul Kumar 100 comments


Hi,
I would like to share a critical bug in Facebook which allowed deleting any photo from Facebook without user interaction. At first the Facebook team could not recognize this bug, so I sent them a video proof of concept and clearly explained the bug with the help of demo accounts. After seeing the video POC, the Facebook team recognized my bug. The interesting part is that in the video I exploited a photo from Mark Zuckerberg's photo album, though I did not remove his photo. It has now been fully fixed, and Facebook has rewarded me $12,500 (US dollars) for finding this critical bug. This is the second time in 2013 that I am receiving a bounty from Facebook; Facebook already rewarded me $1,500 for finding 3 open redirectors. If you want to know about that, Click This

Dismissal Response:

Bug Approval:

Bounty Details:

Before going into the bug explanation, just think for a second about this:
How would you feel if anybody removed photos from your Facebook profile that have many likes and comments?

How would you feel if anybody removed important photos in which you are tagged or that you have shared?

How would you feel if anybody removed your suggested posts?

Bug Details:
[#] Title: Delete any Photo from Facebook by Exploiting Support Dashboard.
[#] Worth: $12,500 (US Dollars)
[#] Status: Fixed
[#] Severity: Very High
[#] Author: Arul Kumar.V
[#] Email: vulnerable2arul@gmail.com

Description:
The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see whether your report has been reviewed by Facebook employees, who assess reports 24 hours a day, seven days a week.

This flaw mainly exists on the mobile domain. In the Support Dashboard, if a reported photo was not removed by the Facebook team, the user has another option: sending a photo removal request to the owner via message. If the user sends a claim message, the Facebook server automatically generates a photo removal link and sends it to the owner. If the owner clicks that link, the photo is removed.

The flaw exists while sending that message. I could manually modify the photo_id and the owner's profile_id, so that the removal link for any photo was delivered to my own inbox. This was done without any interaction from the photo's owner, and Facebook did not notify the owner when the photo was removed.

Impact of this Bug:
1) We can remove any photo from verified real users and pages, such as Mark Zuckerberg, Eminem, Rihanna and so on.

2) We can remove any shared or tagged photo.

3) We can remove any user's photo from their status updates and photo albums.

4) We can remove any photo from a page, group and so on.

5) We can remove photos from suggested posts and also from comments.

Requirements:
These are the things needed to exploit this bug:

1) We need two Facebook accounts to delete anyone's photo permanently.
One account acts as the "Sender", which sends the claim message. The other acts as the "Receiver", which receives the photo removal link generated for the sender's message.

2) Before deleting a photo, we should gather the photo_id (fbid) of the photo we want to remove, and also the profile_id of the receiver account that will receive the photo removal message.

How this Exploit Works:


Steps to Reproduce:

1) As mentioned above, you need two real accounts to exploit this.
Consider one as the "Sender" and the other as the "Receiver". Make sure both are logged in at the same time.

2) Every photo has an "fbid" value. Click a photo anywhere on Facebook, such as in status updates, pages or groups, then look at the URL: you will find the photo_id value there. Just copy down the numerical "fbid=" value.

3) After that, gather the "profile_id" value of the receiver profile. You are using two Facebook accounts; choose one as the receiver that will receive the photo removal link.
Using http://graph.facebook.com/ you can find the profile_id of the receiver. Just copy down the numerical profile id of the receiver profile.

4) So we have gathered two values:
         a) Photo_id (the target photo, to be removed without the owner's interaction)
         b) Profile_id (the receiver of the photo removal request from the sender)
               
Vulnerable URL & Parameters: 

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL: you will find the "cid" and "rid" parameters at the end. These are the vulnerable parameters, through which the photo removal link for any photo could be sent to the receiver's inbox by modifying the photo_id and profile_id values.

where,
    cid = Photo_id (include your target photo's id value as the "cid" input)
    rid = Profile_id (include the receiver's profile id as the "rid" input)

After including those values, press Enter. Then, if you click the "Continue" button, Facebook automatically sends the photo removal link to your receiver profile. From the receiver profile, you can remove the photo whose id you placed in the vulnerable parameter. This bug has now been fixed fully.
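The root cause described above is that the "send removal request" step trusted the client-supplied cid (photo) and rid (recipient) instead of deriving them from the report the user actually filed. The following added example (not Facebook's code; the data model, handler names and ids are constructed for illustration) contrasts a handler with that defect against one that binds both values server-side to the support-dashboard item and the photo's real owner.

```python
# Added illustration of the cid/rid authorization defect, not Facebook's code.
# All ids below are constructed sample values.
from dataclasses import dataclass

@dataclass
class Photo:
    photo_id: int
    owner_id: int

@dataclass
class SupportItem:
    """A report the user filed earlier through the Support Dashboard."""
    item_id: int
    reporter_id: int
    photo_id: int

# Constructed sample state: two photos with different owners, one filed report.
PHOTOS = {1111: Photo(1111, owner_id=1001), 2222: Photo(2222, owner_id=2002)}
ITEMS = {500: SupportItem(500, reporter_id=3003, photo_id=1111)}
INBOX: dict[int, list[str]] = {}  # recipient_id -> removal links received

def removal_link(photo_id: int) -> str:
    # Placeholder link format; the real link is generated by the server.
    return f"https://example.invalid/remove?fbid={photo_id}"

def send_request_vulnerable(sender_id: int, item_id: int, cid: int, rid: int) -> bool:
    """Defective: uses cid/rid straight from the query string.
    Any photo's removal link can be routed to any recipient."""
    INBOX.setdefault(rid, []).append(removal_link(cid))
    return True

def send_request_fixed(sender_id: int, item_id: int, cid: int, rid: int) -> bool:
    """Hardened: the report must belong to the caller, cid must be the photo
    in that report, and rid must be that photo's owner. Anything else is
    rejected and nothing is sent."""
    item = ITEMS.get(item_id)
    if item is None or item.reporter_id != sender_id:
        return False  # caller does not own this support item
    photo = PHOTOS.get(item.photo_id)
    if photo is None or cid != item.photo_id or rid != photo.owner_id:
        return False  # client-supplied ids disagree with server-side truth
    INBOX.setdefault(photo.owner_id, []).append(removal_link(photo.photo_id))
    return True
```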

Video POC:
Kindly watch this video in HD for the best quality.

Screenshots:

Now this bug has been fixed fully :) Here is the screenshot :)





"Tell this world loudly that there is nothing a Tamilian cannot do"

100 comments:

  1. Nice research, bro.. congrats

    ReplyDelete
  2. Lol, this is a fake bug, you're a lamer, go home.
    You're giving the infosec world a bad name

    ReplyDelete
    Replies
    1. @Anonymous : First of all, if you are a real man and a real infosec lover, show your identity :p
      I know you are simply jealous of this post... Go ahead and eat a bowl of dicks to remove your fat jealousy.. :p

      Delete
    2. Your comment is so ironic :-)

      Delete
    3. @Prakhar Prasad : Yes! I'm always like this with fucking dumbass jealous guys ;) :p
      b/w I hope you didn't comment as Anonymous (the 1st one); if you did, tell me and let me fuck you in a better way... so that you can't fuck anyone :p

      Delete
    4. Learn how to speak English, moron.

      Delete
  3. Awesome and inspiring for me to keep hunting for bugs like this :)

    ReplyDelete
    Replies
    1. Very happy to hear this :) Just work smart and you can achieve many things. I also got inspired by many bug hunters :)

      Delete
  4. Great bug! How long did it take for them to give you reward and permission to post?

    ReplyDelete
    Replies
    1. Two weeks :) It may also take up to a month for Facebook to respond, depending on the severity of the bug.

      Delete
    2. Well, user-takeover CSRF could be pretty severe :)...
      They fixed it in 2 hours, but I am still waiting for the reward and permission to post about that bug (for 3 weeks already)

      Delete
  5. what is the name of this firefox plugin???

    ReplyDelete
    Replies
    1. It's not a plugin :) It's a Firefox add-on (Hackbar).

      Delete
  6. Niceeeeeeee !!!! White hat facebook

    ReplyDelete
  7. Niceeeeeeee !!!! White hat facebook

    ReplyDelete
  8. Awesome! Very glad that Indians are getting into white hat ;)

    ReplyDelete
    Replies
    1. Why not?
      India has talented security researchers and holds second place among bounty recipients. I hope that India will get first place soon.
      Read this fully

      https://facebook.com/notes/facebook-security/an-update-on-our-bug-bounty-program/10151508163265766

      Delete
    2. Congrats Arul !

      Delete
  9. Awesome work Arul ! Well done.

    ReplyDelete
  10. What is the difference in the Mobile version that allowed this exploit?

    ReplyDelete
  11. my friend's aunt makes $67/hour on the internet. She has been without a job for ten months but last month her pay check was $21835 just working on the internet for a few hours. discover here big57.com

    ReplyDelete
    Replies
    1. Ask your aunt to invest in Indian soccer :p

      Delete
  12. Good job man! I'm glad you got your bounty too! Your English is also improving! Keep it up!

    ReplyDelete
  13. Great! 12,500 USD, and USD vs INR is big, so enjoy :)

    ReplyDelete
  14. Karthikeyan Sukumaran3 September 2013 01:10

    Excellent hack, Mr. Arul... keep going.....!!!!!!!

    ReplyDelete
  15. Great job!!! Keep up the good work... Read about your work here: "http://techcrunch.com/2013/09/02/security-researcher-discovers-bug-that-would-let-hackers-delete-any-photo-off-facebook/"...

    ReplyDelete
  16. Chaitanya Bharat3 September 2013 02:55

    This comment has been removed by a blog administrator.

    ReplyDelete
  17. Wow !! Congratulations!!! Great work!! All the best for your other explorations.. :)

    ReplyDelete
  18. Good job Arul! Congratulations from Moscow :]

    ReplyDelete
  19. Good job, Arul... Proud to be an Indian... Your hack is on Hacker News... All the best...

    https://news.ycombinator.com/item?id=6315507

    ReplyDelete
  20. Congratulations Arul. Well done. Quite inspiring.

    ReplyDelete
  21. How did you contact Facebook? I found a problem also.
    This is no joke.

    ReplyDelete
  22. Little brother, great, pa... Keep it up.. Proud to be Tamil... :)

    ReplyDelete
    Replies
    1. Long live Tamil :) Thanks, friend :)

      Delete
  23. Great work, Arul! It's amazing to see you discovering such a critical bug, which otherwise would have had a potential impact on Facebook users.

    I think they owe you more !!!

    Keep up the great work from India. :-)

    ReplyDelete
  24. Congrats Arun!
    Keep it up, man..

    Admin911

    ReplyDelete
  25. One guy is posting pics of girls and abusing them.. Now I reported it to Facebook and it says the comment or photo wasn't removed.. you can rather block him. Reported the profile as it was operating under 3 names. There is a porn movie also in the timeline.. but Facebook still says no adult content or fake profile.

    I wish I could have contacted you before the bug was fixed :(

    ReplyDelete
  26. Awesome.. Nice Trick.. Hats Off..

    ReplyDelete
  27. Are you Tamil? You found it superbly. Swiss

    ReplyDelete
  28. Congratulations, friend... You nailed it!!!!

    ReplyDelete
    Replies
    1. Many thanks, friend :)

      Delete
  29. Good job Arul

    ReplyDelete
  30. song name =? thanks

    ReplyDelete
  31. Very good job, brother.. Congratulations

    ReplyDelete
  32. Dang. Good work! I'd rather have cash than delete some poor sap's picture any day :)

    ReplyDelete
  33. Well done Great job:-)Congrats Arul.

    ReplyDelete
  34. Congrats Mate Nice Job

    Wish that bug still worked :D

    ReplyDelete
  35. Congrats arul

    By
    Srini

    ReplyDelete
  36. Lol,
    I contacted Facebook, and this is a fake report just to get popular,
    You're a lamer, and you're just doing false publicity,

    Go and get a life, kid.

    ReplyDelete
  37. http://www.tecmundo.com.br/facebook/44041-indiano-encontra-falha-critica-no-facebook-e-recebe-us-12-5-mil.htm?utm_source=facebook.com&utm_medium=referral&utm_campaign=imggrande

    report in Brazil

    Gratz!!!

    ReplyDelete
  38. The need to file a W8-BEN form? Are the payouts only available to non-US citizens?

    ReplyDelete
  39. Good work.. Did you test the FB site manually or run some DB scripts?
    -Ashok

    ReplyDelete
  40. Hey, you have done a great job! And I expect the same in the future also!

    ReplyDelete
  41. @ Arul Kumar My hearty congrats for your achievement :) Take care, hope we will meet some day ^_^ , my best wishes for your future......

    ReplyDelete
  42. Good job, Arul... Many, many congratulations, and I'm proud of an Indian like you...:)

    ReplyDelete
  43. Great job, Arul...

    Congrats to you. Instead of finding faults in others, why don't you create a useful software product for society which may be helpful in many ways? It may be in the area of medicine, art, social work and many others. Choose what suits you, spend your leisure time, do something.
    "Tell this world loudly that there is nothing a Tamilian cannot do".

    ReplyDelete
    Replies
    1. Many thanks, friend :) Long live Tamil

      Delete
  44. Awesommmeee.... Really Inspiring :)

    ReplyDelete
  45. Congratulations, friend :)

    ReplyDelete
    Replies
    1. Thanks, friend :)

      Delete
  46. Great, friend. I wish you all the best for your future..

    ReplyDelete
  47. Dude, congratulations, you did a good job. Indians are very competent and have a promising future ahead; they are evolving in the movies and now you do this. My congratulations from here in Brazil.

    ReplyDelete
  48. Congratulations, friend.

    ReplyDelete
  49. Congratulations, Arul...! With talent, anything can be achieved. Finding a flaw in the popular social networking site Facebook, reporting it and receiving the reward money is not only praiseworthy but also something to be proud of as a Tamil..!!!

    This is something that makes us hold our heads high when we say we are Tamil..!

    I wish that you continue to contribute and serve in good ways like this... Thanks for sharing..!!!

    ReplyDelete
    Replies
    1. Thanks, friend :) Say you are a Tamil and stand with your head held high

      Delete
  50. I found a bug and reported it to Facebook; they replied that it's not a bug but rather an intentional feature. I replied to the mail explaining why it is a bug, but I did not get any response. Again I reported the same bug explaining why it is a bug, but no response this time. Do you have any idea if they can still send a response? It's 4 days past. Otherwise I will make this loophole public...

    ReplyDelete
    Replies
    1. Contact me. I will help you out :)
      www.facebook.com/yogeshmotiyani

      Delete
  51. What to say.... Appu, you rocked it... Super....

    ReplyDelete
  52. Good to see a college graduate doing this great work. Keep it up, buddy.

    ReplyDelete
  53. Amazing for you, Arul. I never got a reward from Facebook for reporting some bugs.

    ReplyDelete
  54. Way to go, Arul Kumar! You are making Tamil Nadu proud with your work! Keep it up, man! Cheers! My heartfelt congratulations! :D

    ReplyDelete
  55. Very nice and definitely a good job. Very happy that your efforts were recognized and given proper credit.

    ReplyDelete
  56. Awesome one, bro... Keep going on.... You proved Indians are the best... so best of luck..

    ReplyDelete
  57. Oia face the people of Brazil speaks only you huhsuhsuhsu 'very good yet won a dindin You FUCK is' -' good for you, it will help your family etc. '-'

    ReplyDelete
  58. Hi Arul.
    Can you please give me the link where you sent the BUG to FB team.
    Thanks.

    ReplyDelete
    Replies
    1. Visit this http://facebook.com/whitehat/report

      Delete
  59. Simply amazing work you've done here mate. Keep up the good work!

    ReplyDelete
  60. Do we have to report only security bugs, or can we report any kind of bug?
    Please tell me the procedure for where I should report a bug

    ReplyDelete
    Replies
    1. Yeah!! We have to report security vulnerabilities, which is the main theme of bug bounty programs

      Delete
  61. This is very inspiring!
    I'm gonna do this too!
    :)

    ReplyDelete
  62. <IMG SRC="javascript:alert('XSS');">

    ReplyDelete
  63. javascript:alert('You got persistent XSS, boy');

    ReplyDelete
  64. Waiting for More Write-ups from you !
    #bookmarked.

    ReplyDelete
  65. how to report a bug in facebook?

    ReplyDelete
    Replies
    1. Go to this link and submit your bug :) facebook.com/whitehat/report

      Delete
  66. Dear Arul bro :) :-) .. you rocked .. keep it up .. may God bless you °_° ^_^

    ReplyDelete
  67. If you had played the Tamil national anthem instead of the Hindustani one, it would have been nice

    ReplyDelete
  68. Hello there! I was wondering if you could guide me on how you learned so much about ethical hacking. Could you give me some links to video tutorials or some nice books for a complete beginner? I am just in class 12, but I have basic knowledge of HTML. Where should I start from?

    ReplyDelete
  69. Hey buddy, super, da :-) congratulations, da :-) Papa, great :-D

    ReplyDelete