I don't like writing much, but since I have won a bounty from Facebook, I decided to write this one up.
My main intention was to get onto the Facebook whitehat list!
There are lots of security researchers around the world hunting for bugs, so there was no point in hunting for bugs like XSS, CSRF etc. Instead I kept reading different bug reports (thanks to @phwd for his notes) and tried to learn different hacking methods. I reported a few bugs in between, but they were rejected because some were low severity or duplicates (2 of them are still not fixed).
Then I found some articles where Facebook had paid a bounty for logical bugs or information disclosure bugs, so I started hunting for those.
While testing, I came across the friendship page, where I could replace both ids and view anyone's friendship page. Obviously the page was displayed regardless of whether the two people were actually friends or not.
So first I had to find out whether two people are friends.
I initially tested this on the mobile site and later realized it works on the desktop site as well.
But what was the bug here?
If you look carefully, there are year queries returned on the right side of the timeline.
Now consider this example:
Your friend has applied privacy settings to his friend list. Since you are his friend, you can see his timeline and read a few of his posts, and you can easily recognize some of his friends. So you can easily guess that two of them are friends, even if both of them have applied privacy settings to their friend lists.
So if you put their ids in https://www.facebook.com/id1?and=id2, you will be able to see the friendship page. What is interesting is the year-wise queries returned on the right side of the timeline. Normally you see posts year by year, but even if there are no posts at all, the year queries are still returned. This is what I found vulnerable.
I tested against a few ids and found that the years are actually returned starting from the beginning of their friendship. Example:
If the year queries returned are
So even if there are no posts between them in 2012, that year would still appear, because they became friends in 2012!
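To make the logic concrete, here is an added Python sketch (my own illustration, not Facebook's code) of a timeline year-navigation builder in the leaky form described above, next to a hardened form that derives years only from posts the viewer is allowed to see, plus a review check that flags navigation years with no visible post behind them. The data model, ids, dates and posts are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date

# Constructed sample data model for illustration only; not Facebook's real schema.
@dataclass
class Friendship:
    user_a: str
    user_b: str
    since: date                     # when the two became friends (private information)

@dataclass
class Post:
    posted_on: date
    audience: set = field(default_factory=set)  # user ids allowed to view this post

def visible_posts(posts, viewer):
    """Only the posts whose audience includes the viewer."""
    return [p for p in posts if viewer in p.audience]

def year_nav_vulnerable(friendship, posts, viewer, today):
    """The behaviour described in the post: the year navigation starts at the
    friendship year whether or not any post is visible, so its first entry
    reveals friendship.since.year to anyone who can load the page."""
    return list(range(friendship.since.year, today.year + 1))

def year_nav_hardened(friendship, posts, viewer, today):
    """Derive the year navigation only from posts the viewer may see.
    With nothing visible the list is empty and the friendship date stays private."""
    return sorted({p.posted_on.year for p in visible_posts(posts, viewer)})

def years_without_visible_posts(nav_years, posts, viewer):
    """Review check: navigation years not backed by any post visible to the viewer.
    A non-empty result means the page exposes metadata, not just content."""
    backed = {p.posted_on.year for p in visible_posts(posts, viewer)}
    return sorted(set(nav_years) - backed)

# Constructed scenario: friends since 2012, the viewer may see only the 2014 post.
FRIENDSHIP = Friendship("id1", "id2", date(2012, 3, 5))
POSTS = [Post(date(2013, 6, 1), audience={"id1", "id2"}),
         Post(date(2014, 9, 9), audience={"id1", "id2", "viewer"})]
TODAY = date(2015, 7, 28)

if __name__ == "__main__":
    for name, fn in (("vulnerable", year_nav_vulnerable), ("hardened", year_nav_hardened)):
        nav = fn(FRIENDSHIP, POSTS, "viewer", TODAY)
        print(name, nav, "unbacked:", years_without_visible_posts(nav, POSTS, "viewer"))
```

The unbacked years from the vulnerable builder start at 2012, the friendship year, even though the viewer can see no post from that year; the hardened builder leaves nothing unbacked.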
I reported this to Facebook, saying it was a privacy issue that allowed me to see the year their friendship began, but got a rejection reply.
I replied saying it was not about friend list privacy but about learning the year of friendship. After a few days, I opened my Facebook and had 2 replies from Facebook
and after a few hours
At this point I was a little optimistic, because I knew they must have found something since they had replied again, and I was waiting for their reply!
Believe me, if they had not replied again, I would not have replied back either. But luckily they did, and the results are below!
After almost 10 days, when I opened my Facebook, I had this reply 🙂
Yes, a $7500 bounty from Facebook!
This is a very high amount for this kind of bug, but I think they paid so much because of the logic involved, and because it had been there for many years?
Anyway, huge thanks to the Facebook team for the bounty!
July 28 2015 - bug submitted
July 30 2015 - got rejection reply from Facebook
July 31 2015 - sent more clarification
Aug 14 2015 - again rejected by Facebook
Aug 14 2015 - Facebook replied again saying they are investigating further
Aug 25 2015 - awarded a $7500 bounty by Facebook