Sunday, 13 December 2015

[Responsible disclosure] How I could have removed all your Facebook notes

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.


This blog post is about an Insecure Direct Object Reference (IDOR) vulnerability in Facebook Notes. An attacker could have removed any of your notes simply by replacing his own note id with yours in the note editing request, because the server acted on the supplied note_id without checking that the note belonged to the user making the request.

About Facebook Notes:

Facebook Notes are ways of writing entries about your life, your thoughts, or your all-time favorite songs and then sharing them with your Facebook friends. The beauty of Notes lies in the ability to blog without needing to distribute a web address to friends so that they can go check out your blog. Instead, your friends are connected to your Profile. Therefore, when you publish a Note, it appears in your News Feed.

Vulnerability description: 

Insecure Direct Object References occur when an application uses user-supplied input (here, a note id passed as a URL parameter) to retrieve or modify an object such as a database record or a file without checking that the requesting user is actually authorized to act on that object. An attacker only has to change the value of the parameter that points to the object to bypass authorization and read or modify resources belonging to other users.


Vulnerable request:

POST /a/note.php?note_id=[victim’s note id]&publish&gfid=[attacker’s token]

fb_dtsg=[attacker’s token]&charset_test=&title=&body=&privacy=&=Publish&_dyn=&__user=[attacker’s userID]

Sending this request with the attacker's own fb_dtsg token and __user id, but with note_id replaced by the victim's note id, removed the note from the victim's account: the server trusted note_id and never verified that the note was owned by the requesting user. The victim's note id can be obtained by visiting the victim's note and copying the id from the URL.
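As an added illustration (this is not code from the original post or from Facebook), the following Python sketch models a note-publish endpoint shaped like the request above, first with the IDOR and then with the ownership check that fixes it. The in-memory store, the note ids 1001 and 2002, the Request/Note classes and the handler names are all constructed for this example; the only thing taken from the post is the shape of the request (attacker's own session, foreign note_id, empty title and body with publish set).

```python
"""Added example, not code from the original post or from Facebook.

Models the note-publish endpoint from the request above with a constructed
in-memory store. `handle_publish_vulnerable` has the IDOR: it trusts the
note_id parameter. `handle_publish_fixed` adds the ownership check.
All names and data here are hypothetical.
"""
from dataclasses import dataclass


@dataclass
class Note:
    owner: str          # user id of the note's author
    title: str
    body: str
    removed: bool = False


def make_store():
    """Constructed sample data: one note per user, keyed by note id."""
    return {
        "1001": Note(owner="victim", title="Holiday", body="Went to the beach."),
        "2002": Note(owner="attacker", title="Mine", body="Attacker's note."),
    }


@dataclass
class Request:
    session_user: str   # identity the server derives from the session cookie / fb_dtsg
    query: dict         # URL parameters, e.g. note_id, publish
    form: dict          # POST body fields: title, body, __user, ...


def attacker_request(note_id):
    """The request from the post: the attacker's own session, but a foreign
    note_id. Empty title and body plus 'publish' is what wipes the note."""
    return Request(
        session_user="attacker",
        query={"note_id": note_id, "publish": ""},
        form={"title": "", "body": "", "__user": "attacker"},
    )


def _apply_publish(note, form):
    """Overwrite the note with the submitted fields; an empty note is removed."""
    note.title = form.get("title", "")
    note.body = form.get("body", "")
    if not note.title and not note.body:
        note.removed = True


def handle_publish_vulnerable(store, req):
    """IDOR: looks the note up by the user-supplied id and never asks
    whether req.session_user owns it."""
    note = store.get(req.query.get("note_id"))
    if note is None:
        return 404
    _apply_publish(note, req.form)
    return 200


def handle_publish_fixed(store, req):
    """Same handler with the missing authorization check. The owner is
    compared against the server-side session identity, never against the
    client-controlled __user form field."""
    note = store.get(req.query.get("note_id"))
    if note is None or note.owner != req.session_user:
        # One response for 'does not exist' and 'not yours', so the endpoint
        # cannot be used to enumerate which note ids are valid.
        return 404
    _apply_publish(note, req.form)
    return 200


def demo():
    """Run the attacker's request against both handlers on fresh stores.
    Returns (vulnerable status, victim note removed?, fixed status, victim note removed?)."""
    s1 = make_store()
    v = handle_publish_vulnerable(s1, attacker_request("1001"))
    s2 = make_store()
    f = handle_publish_fixed(s2, attacker_request("1001"))
    return v, s1["1001"].removed, f, s2["1001"].removed


if __name__ == "__main__":
    print(demo())  # (200, True, 404, False)
```

The fix compares the note's owner with the identity the server already established for the session, not with the __user field in the form body, since that field is just as attacker-controlled as note_id. Returning the same 404 for a missing note and for someone else's note also keeps the endpoint from doubling as an oracle for valid note ids.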

Video POC:

Note deletion from victim's account

Disclosure Timeline:

June 15, 2015 : Report sent to Facebook Security team
June 16, 2015 : Bug acknowledged by Facebook Security team
June 16, 2015 : Vulnerability Fixed
June 22, 2015 : Bounty of $2500 awarded by Facebook


  1. Reading the work of white hat hackers really inspires me to work in the field of ethical hacking, but how to proceed is the question that blocks my way :(

  2. I guess you must have enough free time to do all those things. I guess that hacking is not the quickest thing in the world?