Sunday, 13 December 2015

[Responsible disclosure] How I could have removed all your Facebook notes

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.


This blog post is about an Insecure Direct Object Reference (IDOR) vulnerability in Facebook Notes, through which an attacker could have removed all of your notes simply by replacing his own note id with yours in the note-editing request.

About Facebook Notes:

Facebook Notes are ways of writing entries about your life, your thoughts, or your all-time favorite songs and then sharing them with your Facebook friends. The beauty of Notes lies in the ability to blog without needing to distribute a web address to friends so that they can go check out your blog. Instead, your friends are connected to your Profile. Therefore, when you publish a Note, it appears in your News Feed.

Vulnerability description: 

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input: the application takes a parameter from the request (an id, a file name, a record key) and uses it to retrieve an object without performing sufficient authorization checks. By modifying the value of such a parameter, an attacker can bypass authorization and access resources directly, for example database records belonging to other users, files on the system, and more.


Vulnerable request:

POST /a/note.php?note_id=[victim’s note id]&publish&gfid=[attacker’s token]

fb_dtsg=[attacker’s token]&charset_test=&title=&body=&privacy=&=Publish&_dyn=&__user=[attacker’s userID]

Replacing note_id in the above request with the victim's note id led to the successful removal of that note from the victim's account, even though the request was authenticated as the attacker (fb_dtsg and __user belong to the attacker). The note id is visible in the URL when viewing the victim's note.
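To make the missing check concrete, here is an added illustration (not Facebook's code, and not from the original post) of a note-publishing handler in two forms: one that mirrors the flaw described above, where note_id comes straight from the request and the record is overwritten without asking who owns it, and a fixed form that enforces object-level authorization against the session user. It also includes a small detection routine run over constructed log lines, flagging edit requests where the requesting user is not the note's owner of record. All users, note ids, the in-memory store and the log format are constructed assumptions for the example.

```python
import re
from copy import deepcopy
from dataclasses import dataclass


@dataclass
class Note:
    note_id: int
    owner_id: int
    title: str
    body: str


class Forbidden(Exception):
    """Raised when the caller does not own the object it is trying to edit."""


# Constructed sample data: user 1 owns note 101, user 2 owns note 202.
NOTES = {
    101: Note(101, 1, "user 1 note", "original body"),
    202: Note(202, 2, "user 2 note", "original body"),
}


def publish_note_vulnerable(notes, session_user_id, note_id, title, body):
    """Mirrors the flaw described in the post: note_id is taken from the
    request and the record is overwritten without checking its owner."""
    note = notes[note_id]
    note.title, note.body = title, body
    return note


def publish_note_fixed(notes, session_user_id, note_id, title, body):
    """Object-level authorization: look the note up, then require that the
    authenticated session user is its owner before touching it."""
    note = notes.get(note_id)
    if note is None or note.owner_id != session_user_id:
        # One indistinguishable failure for "missing" and "not yours", so the
        # response does not reveal which note ids exist.
        raise Forbidden("note not found or not owned by caller")
    note.title, note.body = title, body
    return note


def attempt(handler, requesting_user_id, target_note_id):
    """Replay an edit with empty title/body (as in the post's request) against a
    fresh copy of the store and report what happened to the target note."""
    store = deepcopy(NOTES)
    try:
        handler(store, requesting_user_id, target_note_id, "", "")
    except Forbidden:
        return "blocked"
    return "modified" if store[target_note_id].body == "" else "unchanged"


# Constructed access-log lines in a simplified format (not Facebook's):
# note_id from the query string, __user from the POST body.
SAMPLE_LOG = """\
POST /a/note.php?note_id=101&publish __user=1
POST /a/note.php?note_id=202&publish __user=1
POST /a/note.php?note_id=202&publish __user=2
"""

LOG_RE = re.compile(r"note_id=(\d+)\S* __user=(\d+)")


def cross_owner_edits(log_text, notes):
    """Detection: return (note_id, requesting_user) pairs where the requester is
    not the owner of record. Against a vulnerable endpoint these are successful
    abuses; against the fixed one they are attempts worth alerting on."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        note_id, user_id = int(m.group(1)), int(m.group(2))
        note = notes.get(note_id)
        if note is not None and note.owner_id != user_id:
            hits.append((note_id, user_id))
    return hits


if __name__ == "__main__":
    print("vulnerable:", attempt(publish_note_vulnerable, 2, 101))  # modified
    print("fixed:     ", attempt(publish_note_fixed, 2, 101))       # blocked
    print("own note:  ", attempt(publish_note_fixed, 1, 101))       # modified
    print("suspicious:", cross_owner_edits(SAMPLE_LOG, NOTES))      # [(202, 1)]
```

The fix is a single comparison between the owner stored with the object and the identity of the authenticated session; the anti-CSRF token (fb_dtsg) and the __user field in the original request prove who is making the request, but they say nothing about who owns note_id, which is exactly why an authorization check on the object itself is needed.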

Video PoC: note deletion from victim's account (embedded video not reproduced here).

Disclosure Timeline:

June 15, 2015 : Report sent to Facebook Security team
June 16, 2015 : Bug acknowledged by Facebook Security team
June 16, 2015 : Vulnerability Fixed
June 22, 2015 : Bounty of $2500 awarded by Facebook


  1. Reading works of white hat hackers really inspires me to work in the field of ethical hacking, but how to proceed is the question that blocks my way :(

  2. Interesting and very good post. Reading posts like is really good time spending. I can advise best writing websites page , they are very interesting, and very good written.

  3. We are legitimate and reputable Government registered approved money
    lender, we offer personal loans, business loans, mortgage loans and all
    kinds of loan to individuals and company's with bad credit record or
    in need of money to pay bills, invest on business, at a very low
    interest rate of 2%. We give out fund between a range of 5,000.00Usd
    to the Maximum range of 50,000.000.00Usd. If you are interested in
    getting a loan, contact us now and fill out the loan application form
    below so that we can send you the loan terms and conditions for
    repayment of the loan.

    Below are the loan Applications:


    fill the application to the email below:

    We look forward to hear from you soon.


  4. Essay topics for high school students a major part of formal education. Essay is a writing document. Essay requires certain format and style for academic tasks. Lack of knowledge for writing an essay and important of assignment and the complexity of the subject are make a difficult situation of the student to complete it.

  5. I guess you must have enough free time to do all those things. I guess, that hacking is not the quickest thing in the world?

  6. You have made an awareness about Facebook notes and the disclosure policy. The author describes Insecure direct object reference vulnerability in Facebook Notes. His observation and findings help people to understand more about FB notes. Buy research proposal

  7. You have explained about Insecure direct object reference vulnerability in Facebook Notes very clearly. The beauty of Notes lies in the ability to blog without needing to distribute a web address to friends. Best essay writing service

  8. Hello everyone! If you require the service of a professional hacker to help track your partner's cell phone remotely, contact, he was excellent in helping me hack my husband's phone without physical contact.
    You can also reach him on
    +1 513-445-5445 , tell him Stacey referred you.

  9. My girlfriend is a big time cheat and I was able to confirm that through the help of

    I contacted him to help me hack into my girlfriend social media (Facebook,call log,imessage.Gmail and also whatsapp)
    and discovered she was SLEEPING WITH her so called best friend, now I am happy and single and ready to move on thanks to who did the hacking job for me.

    Contact him today for help and tell him John referred you to him..He would be willing to help you

    Please you don't have be worried he is quick and fast and reliable cause they have been tested and trusted.

  10. you shared informative article and i must say that billig sportssko will be very helpful for lots of people

  11. Your website items set aside everybody once more. I just what food was in ominous desire scarpedesport from a website read through undoubtedly one of a web logs whereby most people advocated some of these. The sole I just stumbled upon at is really solid. Regards!

  12. Welldone! It is an article that is not just helpful for me but lots of many could benefit from it. Allassignmenthelp is a platform which university students can use to get their assignment written by assignment help experts and can get a fabulous assignment paper. Assignment Help online

  13. You have just made it brother Generic Viagra thanking for all your efforts and dedication. Stay Healthy

  14. Hello,
    I was greatly fulfilled to find this site.I expected to thank you for this unprecedented read!! I without a doubt getting a charge out of each and every piece of it and I have you bookmarked to take a gander at new stuff you post.

    Generic Viagra for Men

  15. Very good. you are the winner. Do not forget update new information regularly. thank ! fnaf sister location


  16. Really impressive post. I read it whole and going to share it with my social circles. I enjoyed your article and planning to rewrite it on my own blog.
    run 3

  17. take a view at to find cool tips and articles on related topics

  18. Winter is the season of love definitely, definitely so. Because the weather does not have to make several of romantic things, telling each other things so sweet as this cold season. Winter that it is easy to fall in love than
    b612 , run 2 game , geometry dash 2.0 apk , snapchat , baixar musicas gratis

  19. I read it whole and going to share it with my social circles. I enjoyed your article and planning to rewrite it on my own blog. Real Delhi Call Girls

  20. My names are Jessica Switch from united states. Merry Christmas in advance friends, become rich today and take the risk of transforming your own life. Try and get a blank ATM card today from (MR TOM HOOPER) and be among the lucky ones who are benefiting from this cards. This PROGRAMMED blank ATM card is capable of hacking into any ATM machine, anywhere in the world. I got to know about this BLANK ATM CARD when I was searching for job online about a month ago.. It has really changed my life for good and now I can say I'm rich because am a living testimony. The least money I get in a day with this card is about $4,000. Every now and then I keeping pumping money into my account. Though is illegal, there is no risk of being caught, because it has been programmed in such a way that it is not traceable, it also has a technique that makes it impossible for the CCTV to detect you.. For details on how to get yours today, E-mail the hackers on ( ) or text him on +1 (914)-517-3229.

  21. This is the idea I need for my research paper writing! I was searching for something like that, reviews
    but it wasn't the thing I need. Thank you very much for this blog and posting

  22. I have visited your website.It is very interesting and impressive.Thanks for sharing with us such a brilliant article.I want to come again.Keep updated.
    Acer Promo codes

  23. Good information that provides enough knowledge to remove notes. I have made official page for my dissertation writing service and publishing notes there from last three years.

  24. Facebook notes are good option when you are essay writing services provider and have to provide information to your clients.

  25. Spot on with this write-up, I truly think this website needs much more consideration. I’ll probably be again to read much more, thanks for that info. obat untuk sakit punggung akibat gagal ginjal

  26. I was amazed by you. the way you create a website very thorough and good. This is very very impressive .
    Techsmith Camtasia coupons

  27. I studied little but i found what i need.I wanna thanks for this. web application development company

  28. The post you have made here is super and it include worthy information. I hope you will post more here for us to read. Web hosting in Lahore

  29. BE SMART AND BECOME RICH IN LESS THAN 3DAYS… Are you living a poor life,then here is the opportunity you have been waiting for. Get the new ATM BLACK CARD that can hack any ATM MACHINE and withdraw money from any account. The blank card is attached with a software you can access codes relevant for accessing any ATM MACHINE. You can be able to withdraw the sum of $2,0000 daily at maximum. You do not require anybody's account number before you can use it. Although you and I knows that its illegal,there is no risk using it. It has SPECIAL FEATURES, that makes the machine unable to detect this very card,and its transaction is can't be traced . You can use it anywhere in the world. With this card,reach the hackers via email address: or contact with this mobile number:+2348133261196.

  30. wow its good one to see this kind of information. - cool math games bloxorz

  31. Updated posted! I am so impressed about this and glad you’re learning process beneficial for others.

    call girls in delhi

  32. Thank you for the information you provide, it helped me a lot! it's great that I known this site! Can you sharing some updates on how you have made this powerful post!
    fb login

  33. Your blog posts are more interesting and impressive. I think there are many people like and visit it regularly, including me.I actually appreciate your own position and I will be sure to come back here.
    lucky patcher l l geometry dash l launcher l sonic dash l minecraft l temple run 2

  34. Stafford no-cosigner understudy advances speak to a fabulous approach to proceed with post-auxiliary instruction. They convey low loan fees and banks are adaptable with regards to reimbursement.Payday Loans San-diego

  35. You might need to consider searching out a specialist with involvement in crude land, since empty land is a ton like crude land and numerous ordinary operators may not be knowledgeable about it. Cash Advance Chula-vista

  36. Thus you may looses an incredible arrangement ashore. One choice is to consult for vender financing, terms for which are totally up to the dealer and the purchaser. car title loans near me chicago

  37. Hi there, I found your blog via Google while searching for such kinda informative post and your post looks very interesting for me

    Call girls in five star hotel


  39. Hi friends, Great post and good websites me and my all friends really like it. I share your post my other friends and other peoples. Thank you This post.

    android development course duration and fees
    Data Analytics Courses in Delhi
    big data training institute

  40. Clearly written and really useful. I am glad you took the time to post this because it was extremely helpful. obat radang usus

  41. I just glad to be here read this stuff, but now i need some more information thanks for share with us. Obat Ambeien