Twitter.com XSS!!

If you don’t know, twitter.com allows you to create Direct Message groups between many Twitter users, not just one-to-one conversations. As the creator of a DM group, you can change the name of the group any time you want.

However, there is a limitation on renaming the group: you can only use 15 characters, so finding a payload that fits in 15 characters and still has any chance of triggering XSS was challenging. Thanks to old HackerOne reports from Twitter, one of which used the payload <script>alert(1);//, I had something that fit those 15 characters.

So whenever you or other users share anything in this group via the recent conversations list, an XSS popup appears.

The bug was fixed by twitter.com and I was awarded a decent bounty, though I expected a little more since it was on the main twitter.com domain.
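The root cause here is a stored name being written into markup without encoding. The following is an added example (my own code, not Twitter’s) of the vulnerable pattern beside the hardened one, using the payload from the post purely as constructed test input; the `<li class="conversation">` wrapper and the helper names are assumptions for the demo.

```python
import html
import re

# Constructed test inputs: the payload quoted in the post and a harmless name
# whose special character must survive escaping unchanged for the reader.
PAYLOAD_NAME = "<script>alert(1);//"
BENIGN_NAME = "Tom & Jerry"

# Crude detector for a raw HTML tag opener. Used only to check rendered output in
# the demo, never as an input filter (input filters are bypassable, output escaping is not).
RAW_TAG_RE = re.compile(r"<\s*/?\s*[a-zA-Z]")

WRAP_PREFIX, WRAP_SUFFIX = '<li class="conversation">', "</li>"


def render_conversation_unsafe(group_name: str) -> str:
    """Vulnerable rendering: the stored group name is concatenated into markup as-is,
    so a name such as <script>alert(1);// becomes live script wherever it is shown."""
    return f"{WRAP_PREFIX}{group_name}{WRAP_SUFFIX}"


def render_conversation(group_name: str) -> str:
    """Hardened rendering: HTML-escape the name at output time. The name is still
    stored exactly as typed (a length limit is a product rule, not a security control);
    only its representation inside markup changes."""
    return f"{WRAP_PREFIX}{html.escape(group_name, quote=True)}{WRAP_SUFFIX}"


def carries_raw_tag(rendered: str) -> bool:
    """True if the user-controlled part of a rendered item still contains a raw tag.
    Assumes the fixed wrapper produced by the two render functions above."""
    inner = rendered[len(WRAP_PREFIX):-len(WRAP_SUFFIX)]
    return RAW_TAG_RE.search(inner) is not None


def displayed_text(rendered: str) -> str:
    """What the browser shows for the escaped item: escaping is lossless, the user
    sees exactly the name that was typed, just not as markup."""
    return html.unescape(rendered[len(WRAP_PREFIX):-len(WRAP_SUFFIX)])
```

The check in `carries_raw_tag` is for the demo only; the actual defence is the `html.escape` call at the point where the name meets markup, applied to every place the name is rendered (the group header, the recent conversations list, notifications).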

See the PoC here: https://youtu.be/P2Ram2FBAS4

Report here: https://hackerone.com/reports/129436

Find Birth Year of Your Friends in Facebook

This is one of my findings in Facebook which I want to share with you all.

While searching for bugs on Facebook, I came to know that you can’t post anything dated before your birth date, i.e. if your birth date is 01/01/1970, you can’t publish a post dated 31/12/1969. So I started playing with this.

Suddenly I realised that if I can’t post anything before my birth date, then my friends won’t be able to have posts dated before their birth dates either. So I created one post, tagged my friend, set the date to something around 1970 (for example) and published it. I checked my friend’s timeline and no year appeared on the right side (the year queries are shown on the right side of the timeline). So I edited the same post again and changed the year to 1971; again it did not appear on the timeline. I did this several times (decrementing the year one by one) and suddenly the year appeared on the timeline.

After testing for a while, I realised that the year printed on the timeline is 1 year less than my friend’s birth year, i.e. if your friend’s birth year is 1989, you will see 1990 printed on the timeline; you won’t see 1989.

This works for friends who are younger than you, since you can’t post before your own birth date. If you want to find out the birth year of older friends, you can adjust your own birth year for the time being to something greater.

I reported this to Facebook but unfortunately got the following response:

[Screenshot: Facebook bounty response]
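What the post describes is a side-channel oracle: a private attribute of a tagged user changes an outcome the poster can observe. The following added example (my own model, not Facebook’s code) shows the leaking check beside a hardened one in which only the author’s own birth date constrains the post, and generalises the year-by-year walk described above into a binary search so the reader can see that the hardened check gives the probing user nothing they did not already know. All users, dates and function names are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable


@dataclass(frozen=True)
class User:
    user_id: str
    birth_date: date  # private attribute; constructed sample data below


# Shape of the server-side check whose outcome the client can observe:
# is a post dated `when`, written by `author` and tagging `tagged`, accepted?
Oracle = Callable[[date, User, list], bool]


def accepts_post_vulnerable(when: date, author: User, tagged: list) -> bool:
    """Models the behaviour the post describes: the backdated post is accepted only if it
    is not earlier than the birth date of the author OR of anyone tagged in it, so the
    tagged friends' private birth dates influence an observable outcome."""
    return all(when >= u.birth_date for u in [author, *tagged])


def accepts_post_hardened(when: date, author: User, tagged: list) -> bool:
    """Only the author's own birth date (already known to the author) constrains the
    post; nobody else's private data affects what the author can observe."""
    return when >= author.birth_date


def infer_earliest_accepted_year(oracle: Oracle, author: User, friend: User,
                                 lo: int = 1900, hi: int = 2015) -> int:
    """Binary search for the smallest year Y such that a post dated 31 Dec Y, tagging
    `friend`, is accepted (the year-by-year walk in the post does the same with more
    requests). With the vulnerable check and an author born before the friend, Y is the
    friend's birth year; with the hardened check it is only the author's own birth year."""
    while lo < hi:
        mid = (lo + hi) // 2
        if oracle(date(mid, 12, 31), author, [friend]):
            hi = mid
        else:
            lo = mid + 1
    return lo


# Constructed sample users (not real accounts); the author is older than the friend,
# matching the condition stated in the post.
ME = User("me", date(1985, 3, 10))
FRIEND = User("friend", date(1989, 6, 21))
```

The lesson for a defender is in the second function: a validation rule that depends on another user’s private data must not produce a user-visible difference, otherwise the validation itself becomes the disclosure.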


Facebook Logout CSRF

In this post I am going to explain one of my findings in Facebook, the logout CSRF. Although logout CSRFs are annoying, they are not considered a security vulnerability.

Facebook has the following link to unsubscribe from emails:

https://www.facebook.com/o.php?k=a6d163&u=yourid&mid=606dcb7G517b252cG247fb31G5

The “u” parameter is your own Facebook user id. If you replace it with any other id, it will log you out of Facebook. So you can send this to any of your friends on Facebook, or in fact anyone on Facebook, and once they click on it they will be logged out without intending to. In this way you can annoy someone with this trick. You can use id 4, which is Mark Zuckerberg’s id and will be invalid for any other user 😉

So the final crafted URL will be:

https://www.facebook.com/o.php?k=a6d163&u=4&mid=606dcb7G517b252cG247fb31G5
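The underlying problem is a GET link whose `u` parameter is trusted for a state-changing decision (ending the session). The following added example (my own code, modelling the described behaviour, not Facebook’s handler) shows that handler beside a hardened one: the link carries an HMAC over the `(u, mid)` pair it was issued for, a tampered link fails verification and changes nothing, and the viewer’s session is never touched either way. The base URL, the secret, the user ids and the `mid` value are constructed placeholders.

```python
import hashlib
import hmac
from urllib.parse import parse_qs, urlencode, urlsplit

# Placeholder secret for the demo; a real service keeps this in a secret store.
SERVER_SECRET = b"constructed-demo-secret-do-not-reuse"
UNSUBSCRIBE_BASE = "https://mail.example.invalid/o.php"  # constructed, not Facebook's


def _token(user_id: str, mail_id: str) -> str:
    """HMAC over the action, the user and the mail id: the link means exactly
    'unsubscribe user_id from mail_id' and cannot be repurposed for another user."""
    msg = f"unsubscribe:{user_id}:{mail_id}".encode()
    return hmac.new(SERVER_SECRET, msg, hashlib.sha256).hexdigest()[:32]


def make_unsubscribe_link(user_id: str, mail_id: str) -> str:
    """Issued by the mail sender and embedded in the e-mail footer."""
    query = urlencode({"k": _token(user_id, mail_id), "u": user_id, "mid": mail_id})
    return f"{UNSUBSCRIBE_BASE}?{query}"


def _params(url: str) -> dict:
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def handle_unsubscribe_vulnerable(url: str, session: dict) -> str:
    """Models the behaviour the post describes: when `u` is not the logged-in user the
    handler ends the viewer's session. Because this is a plain GET link, a third party
    can make any logged-in user hit it (a CSRF), so the mismatch branch is attacker-triggerable."""
    p = _params(url)
    if p.get("u") != session.get("user_id"):
        session.clear()
        return "logged-out"
    return "unsubscribed"


def handle_unsubscribe_hardened(url: str, session: dict) -> str:
    """Verifies the token for the (u, mid) pair in the URL. A tampered or forged link
    fails verification and produces no state change; the session is never touched,
    whether or not `u` happens to be the logged-in user."""
    p = _params(url)
    expected = _token(p.get("u", ""), p.get("mid", ""))
    if not hmac.compare_digest(expected, p.get("k", "")):
        return "ignored"
    return "unsubscribed"


def with_user_param(link: str, new_user_id: str) -> str:
    """Test helper: rewrites only the `u` parameter, i.e. the edit described in the post."""
    p = _params(link)
    p["u"] = new_user_id
    return f"{UNSUBSCRIBE_BASE}?{urlencode(p)}"
```

Two design points: the token is bound to the action and both identifiers, so a valid link for one user cannot be turned into anything for another user, and the only failure mode is "do nothing", which removes the logout side effect that made the link usable for annoyance.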


Find Inactive/Deactivated profiles in Facebook

While searching for bugs on Facebook, I came across one link where you can find deactivated Facebook accounts.

The following link should only work to find your own deactivated friends, but it works for any profile on Facebook.

https://www.facebook.com/ajax/friends/inactive/dialog?id=100000331676021&__user=1367024940&__a=1&__dyn&__req=1e&__rev=

where “id” is the id of the victim (it can be the id of any random Facebook user)

and “__user” is your own Facebook id.

If it returns some JS response, that means the profile has been deactivated. If you get a blank screen, that means the profile is active.

I reported this issue to Facebook but, as expected, it doesn’t pose a significant privacy/security risk:

[Screenshot: Facebook Support Inbox, 2015-10-14 10:13]
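The missing piece is an authorization check: a friends-only dialog answers for any `id`, and the difference between the two responses is itself the disclosure. The following added example (my own model, not Facebook’s endpoint) shows the handler as described beside a hardened one that checks the friendship first and returns the same empty body to non-friends regardless of the target’s status. The social graph, the ids and the response bodies are constructed.

```python
# Constructed social graph (symmetric friendships) and a constructed set of deactivated ids.
FRIENDS = {
    "1001": {"2002", "3003"},
    "2002": {"1001"},
    "3003": {"1001"},
    "4004": set(),
}
DEACTIVATED = {"3003"}

# Stand-ins for what the post describes seeing: a JS response for a deactivated
# profile and an empty body otherwise.
DEACTIVATED_RESPONSE = 'for (;;);{"payload":"inactive-dialog"}'
EMPTY_RESPONSE = ""


def inactive_dialog_vulnerable(target_id: str, viewer_id: str) -> str:
    """The endpoint answers for any `id`, so the response is a yes/no oracle on whether
    an arbitrary profile has been deactivated. `viewer_id` is accepted but never used."""
    return DEACTIVATED_RESPONSE if target_id in DEACTIVATED else EMPTY_RESPONSE


def inactive_dialog_hardened(target_id: str, viewer_id: str) -> str:
    """The dialog is a friends-only feature, so the handler first checks that the viewer
    is friends with the target. Non-friends get the empty body whether the target is
    active or not, so the response no longer distinguishes the two cases for them."""
    if target_id not in FRIENDS.get(viewer_id, set()):
        return EMPTY_RESPONSE
    return DEACTIVATED_RESPONSE if target_id in DEACTIVATED else EMPTY_RESPONSE


def distinguishable(handler, viewer_id: str, active_id: str, deactivated_id: str) -> bool:
    """Can `viewer_id` tell an active profile from a deactivated one through `handler`?
    The oracle exists exactly when the two responses differ."""
    return handler(active_id, viewer_id) != handler(deactivated_id, viewer_id)
```

Note that the hardened version returns the non-friend response before it ever consults `DEACTIVATED`; ordering the authorization check first is what guarantees the two branches cannot leak through timing or response shape.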


Know the Facebook joining year of any person

If you look at anyone’s Facebook timeline, you can see that year-wise post queries are returned on the right side of the timeline. What if he has applied complete privacy settings to his timeline? The year queries are still returned even if there are no posts.

Example:

2015, 2014, 2013

Now you can easily guess that 2013 is the year when he joined Facebook!

How to confirm this?

Consider one more person who has complete privacy on his profile and whose timeline shows years later than the first person’s, e.g.:

2015, 2014

Now, after Facebook fixed my friendship-page issue (described in the post below), the friendship page returns the year-wise query of the person who joined earlier than the other (if they have applied friend-list privacy).

i.e. the year-wise query will be:

2015, 2014, 2013

So this confirms the first person’s year of joining Facebook, as both his timeline year query and the friendship year query are the same!

I reported this to Facebook but they didn’t find it severe enough to qualify for a bounty.

[Screenshot: Facebook Support Inbox, 2015-09-24 12:30]

Facebook Simple Technical Bug worth 7500$

I don’t like writing much, but since I have won some bounty from Facebook, I decided to write one.

My main intention was to get into the Facebook whitehat list!

There are a lot of security researchers around the world hunting for bugs, so there was no point in hunting for bugs like XSS, CSRF etc., but I kept reading different bug reports (thanks to @phwd for his notes) and tried to learn different hacking methods. I reported a few bugs in between, but they were rejected as some of them were low severity or duplicates (almost 2 of them, and still they are not fixed).

Then I found some articles where Facebook paid bounties for logical bugs or information disclosure bugs, so I started hunting for such bugs.

While testing, I came across the friendship page, where I can replace both ids and see anyone’s friendship, but obviously the page was displayed irrespective of whether they are friends or not!

So I first had to find out whether 2 people are friends or not.

https://www.facebook.com/id1?and=id2

I initially tested this on the mobile site and later realised it works on the desktop site as well.

But what was the bug here?

If you look carefully, there are year queries returned on the right side of the timeline.

Now consider this example:

Your friend has applied privacy settings to his friend list. Since you are his friend, you can see his timeline and read a few of his posts, so you can easily recognise some of his friends. Now you can easily guess that the two of them are friends even if both have applied privacy settings to their friend lists.

So if you put their ids in https://www.facebook.com/id1?and=id2, you will be able to see the friendship page, but what is interesting is the year-wise queries returned on the right side of the timeline. Normally you see year-wise posts, but even if there are no posts the year queries are still returned. So I found this vulnerable!

I tested against a few ids and found that they are actually returned from the start of their friendship. Example:

If the year queries returned are

2015, 2014, 2013, 2012

then even if there are no posts between them in 2012, the year would still appear there because they became friends in 2012!

I reported this to Facebook saying it is a privacy issue which allows me to see their year of friendship, but got a rejection reply:
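Both this post and the joining-year post above describe the same root cause: the year markers are derived from private data (account creation date, friendship start date) rather than from the posts the viewer is actually allowed to see. The following added example (my own model, not Facebook’s code) shows the leaking derivations beside hardened ones that compute markers only from viewer-visible posts, so the markers can never reveal more than the posts themselves. Profiles, posts, audiences and the tag model are constructed for the demo.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Post:
    year: int
    audience: str                     # "public" or "friends" (constructed model)
    tagged: frozenset = frozenset()   # user ids tagged in the post


@dataclass
class Profile:
    user_id: str
    joined_year: int                                    # private: the "year of joining"
    friends_since: dict = field(default_factory=dict)   # friend id -> year (private)
    posts: list = field(default_factory=list)


def visible_posts(profile: Profile, viewer_id: str) -> list:
    """Posts `viewer_id` may read under the profile's audience settings."""
    is_friend = viewer_id in profile.friends_since or viewer_id == profile.user_id
    return [p for p in profile.posts if p.audience == "public" or is_friend]


def timeline_years_vulnerable(profile: Profile, current_year: int) -> list:
    """Models the observed behaviour: one marker for every year since the account was
    created, whether or not the viewer can see any post in that year."""
    return list(range(current_year, profile.joined_year - 1, -1))


def timeline_years_hardened(profile: Profile, viewer_id: str) -> list:
    """Markers are derived from the posts this viewer may see and nothing else."""
    return sorted({p.year for p in visible_posts(profile, viewer_id)}, reverse=True)


def friendship_years_vulnerable(a: Profile, b_id: str, current_year: int) -> list:
    """Models the observed friendship-page behaviour: markers from the year the two
    became friends, even when there are no posts between them."""
    return list(range(current_year, a.friends_since[b_id] - 1, -1))


def friendship_years_hardened(a: Profile, b: Profile, viewer_id: str) -> list:
    """Markers only for years with a viewer-visible post by either person that tags the other."""
    years = set()
    for owner, other in ((a, b), (b, a)):
        for p in visible_posts(owner, viewer_id):
            if other.user_id in p.tagged:
                years.add(p.year)
    return sorted(years, reverse=True)


# Constructed sample data (no real accounts): Alice joined in 2011, became friends with
# Bob in 2012, has one friends-only post in 2014 and one public post tagging Bob in 2015.
ALICE = Profile("alice", joined_year=2011, friends_since={"bob": 2012},
                posts=[Post(2014, "friends"), Post(2015, "public", frozenset({"bob"}))])
BOB = Profile("bob", joined_year=2010, friends_since={"alice": 2012})
```

The hardened functions deliberately take a `viewer_id` and no dates at all: if a navigation widget needs a value, it should be computed from what that viewer can already see, which is the general rule behind the fix for both findings.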

[Screenshot: Facebook Support Inbox, 2015-09-24 11:31]

I replied back saying it’s not about friend-list privacy but about knowing the friendship year. After a few days, I opened my Facebook and had 2 replies from Facebook:

[Screenshot: Facebook Support Inbox, 2015-09-24 11:31]

and after a few hours:

[Screenshot: Facebook Support Inbox, 2015-09-24 11:31]

At this point I was a little optimistic, because I knew they must have found something since they replied back again, and I was waiting for their reply!

Believe me, if they had not replied again, I wouldn’t have replied back either. But luckily they did, and the results are below!

After almost 10 days, when I opened my Facebook, I had this reply 🙂

[Screenshot: Facebook Support Inbox, 2015-09-24 11:31]

Yes, a 7500$ bounty from Facebook!

This is a very high amount for such a kind of bug, but I think they paid so much because of the logic involved and because it had been there for many years?

Anyway, huge thanks to the Facebook team for the bounty!

July 28 2015 - bug submitted

July 30 2015 - got rejected reply from Facebook

July 31 2015 - sent more clarification

Aug 14 2015 - again rejected by Facebook

Aug 14 2015 - Facebook replied again saying they are investigating further

Aug 25 2015 - awarded by Facebook with 7500$ bounty