Dewanand Vishal

Security Researcher

© 2021

Finding and exploiting a race condition vulnerability on Facebook's servers

Finding bugs on Facebook was one of the biggest dreams of my life, ever since I read this blog in 2014 and later this one in 2019. If you are not familiar with race conditions, read this blog first. Before we jump into the issue, let's talk about my struggle: after reading those two blogs I decided to find a bug on Facebook. I was struggling with slow internet and electricity problems; at the same time I was analysing thousands of requests in my Burp proxy history to understand what was going on. After 15 hard days I finally found my first valid issue on Facebook.

Issue 1: Missing rate limit on Facebook Developers individual verification.

Individual Verification is a process that allows Facebook to gather information about a user so it can verify their identity as a person, as opposed to a business entity or organization. A user can begin the verification process in the Verification section of the App Dashboard > Settings > Basic panel, or in the Individual Verification tab of the account's Developer Settings panel.

POST /apps/async/individual_verification/send_contract/?email= HTTP/1.1
Host: developers.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://developers.facebook.com/settings/developer/indie-verification/
Content-Type: application/x-www-form-urlencoded
Content-Length: 280
Origin: https://developers.facebook.com
Connection: close
Cookie: // User cookies

While testing the workflow above, I came across the POST request shown above, in which the email query parameter is controlled by the attacker, and the server did not block my IP address when I submitted the same request many times. I was able to exploit this behaviour and reported the issue to the Facebook security team.

Impact

An attacker can make Facebook's servers send a large volume of emails to any e-mail address. (Bug bounty platforms generally do not accept this type of report, but Facebook accepted it because the affected endpoint is part of the verification flow.)
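The fix for this class of bug is a server-side budget on the sending endpoint, keyed on more than just the caller's IP. The following is an added example and not Facebook's code: it models the send_contract request above as a handler that takes the caller's IP and the attacker-controlled email parameter. The unthrottled handler sends a mail on every call (the reported behaviour); the throttled handler checks a per-IP budget and a per-recipient budget before queueing anything. The limits, window length, IP addresses and e-mail addresses are assumptions made for the example.

```python
"""Sliding-window throttling for a verification-email endpoint.

Added example, not Facebook's code. Limits, window, IPs and addresses are
assumptions for illustration only.
"""
from collections import defaultdict, deque


class SlidingWindowLimiter:
    """Allow at most `limit` events per key in any `window`-second span."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of recorded events

    def check(self, key, now):
        """Return True if one more event for `key` fits in the window (no side effect)."""
        q = self._events[key]
        while q and now - q[0] >= self.window:  # evict timestamps outside the window
            q.popleft()
        return len(q) < self.limit

    def record(self, key, now):
        self._events[key].append(now)


class VerificationMailer:
    """Stand-in for POST /apps/async/individual_verification/send_contract/?email=..."""

    def __init__(self, throttle):
        self.throttle = throttle
        self.sent = []  # (time, client_ip, email) for every mail actually sent
        self.per_ip = SlidingWindowLimiter(limit=5, window=3600)         # assumed budget
        self.per_recipient = SlidingWindowLimiter(limit=3, window=3600)  # assumed budget

    def send_contract(self, client_ip, email, now):
        """Return an HTTP-style status: 200 sent, 429 throttled, 400 bad input."""
        email = email.strip().lower()
        if "@" not in email:
            return 400
        if self.throttle:
            # Check both budgets first, then consume both, so a request refused on
            # one key does not silently eat budget on the other. Keying on the
            # recipient is what stops an attacker who rotates source IPs.
            if not (self.per_recipient.check(email, now) and self.per_ip.check(client_ip, now)):
                return 429
            self.per_recipient.record(email, now)
            self.per_ip.record(client_ip, now)
        self.sent.append((now, client_ip, email))
        return 200


def flood(mailer, client_ips, target, count, start=0.0):
    """Attacker loop: fire `count` requests at `target`, rotating through
    `client_ips` 10 ms apart, and return the status codes the server answered with."""
    statuses = []
    for i in range(count):
        ip = client_ips[i % len(client_ips)]
        statuses.append(mailer.send_contract(ip, target, start + i * 0.01))
    return statuses


if __name__ == "__main__":
    vulnerable = VerificationMailer(throttle=False)
    sent = flood(vulnerable, ["198.51.100.1"], "victim@example.com", 1000).count(200)
    print("unthrottled endpoint delivered", sent, "mails")
    fixed = VerificationMailer(throttle=True)
    sent = flood(fixed, ["198.51.100.1"], "victim@example.com", 1000).count(200)
    print("throttled endpoint delivered", sent, "mails")
```

The per-recipient key matters more than the per-IP key for this bug: a per-IP limit alone is defeated by rotating source addresses, while the recipient budget caps how many mails any single inbox can receive regardless of who asks. The budget is only consumed once both checks pass, so a refused request does not count against the other key.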

Timeline

      16 May 2019  - Report submitted
      23 May 2019  - Triage
      5 June 2019  - Fixed and patched
      5 June 2019  - Bypass sent
      15 July 2019 - Issue resolved and bounty awarded: $500 + $500

Issue 2: Missing rate limit on Facebook Business Verification.

Business Verification is a process that allows Facebook to gather information about a user and their business so it can verify their identity as a business entity. Apps that allow other businesses to access their own data must be connected to a business that has completed Business Verification. Until then, app users from other businesses will be unable to grant these apps permissions, and all features will be inactive.

Facebook Business is an application that allows a user to create a business profile on the Facebook platform and promote their business there. During my testing I found a missing rate limit on business verification, at the step where the user is required to enter a five-digit code received via email.

POST /business_verification/challenge/verify/ HTTP/1.1
Host: business.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://business.facebook.com/settings/security/business_verification?business_id=xxxxxxxxxxxxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Connection: close
Cookie: // User cookie

submission_id=xxxxxxxxxxx&challenge_code=67890&challenge_type=email&indexed_id&__user=xxxxxxxxxxxxx&__a=1&__dyn=7xeUmFoO2CeCExUS2qq7E-8GAdyedKnFwn8eVEpyA5EK32q1oxy5Qdgdp98SmaDxW4E8U6ydwJyFEeo8p8-cx210wExuEixycx68w825ocEixWq1owvo7OqbwOzXwKzUeA9wRyUvyolyU6XximbDxeiUdo62iczErK2x0ZxzyGw8nz8a84q1UKh7wg8OqawywWg8oty88E4u2l2Utgvx-6U4a78K0AEbGg9ojwgEmy8eE&__req=y&__be=1&__pc=PHASED%3Abrands_pkg&dpr=1&__rev=1000997435&__s=%3Aen9sbg%3Axzvz6h&__hsi=6719306340508947313-0&fb_dtsg=AQFxSKvkuzNy%3AAQGIG2HsP1Ju&jazoest=22133

In the POST request above, challenge_code was the vulnerable parameter. While I tried to brute-force the code, the server generated three different types of error message, but it never blocked my IP address. At that point I had no idea what to do. I started playing with the request: first I removed parameters one by one and tried to brute-force the challenge code, failing each time; then I removed the parameters __req=y&__be=1 from the request and noticed that this time the error message was different: "You have enter the wrong code! please try again !". I immediately set up a payload of 1000 requests to the server and found that the error message stayed the same. I reported the issue to Facebook, and after 30 minutes a member of the security team replied "nice catch" and confirmed the issue was valid.

Impact

An attacker can bypass the email verification check and confirm an email address that belongs to someone else, so it may be possible to create a fake business account using the genuine email address of a business owner.
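A five-digit code has only 100,000 possible values, so without an attempt limit it falls to a simple loop. The following is an added example and not Facebook's code: the server class stands in for the challenge/verify endpoint above, first with unbounded wrong guesses per submission_id (the reported behaviour), then hardened so that the code is burned after a small number of failures and the endpoint answers with one uniform error from then on, since the write-up shows that the error message is exactly the signal an attacker watches. The secret code, the attempt limit and the submission ids are constructed for the example; the constant-time comparison is an extra hardening step, not something the write-up describes.

```python
"""Brute-forcing a five-digit email challenge code, and the server-side fix.

Added example, not Facebook's code. Codes, ids and the attempt limit are
constructed for illustration.
"""
import hmac
import secrets


class ChallengeServer:
    """Stand-in for POST /business_verification/challenge/verify/."""

    def __init__(self, max_attempts=None):
        # submission_id -> {"code": str, "failures": int, "verified": bool}
        self._challenges = {}
        self.max_attempts = max_attempts  # None = unbounded guesses (the reported bug)

    def start_challenge(self, submission_id, code=None):
        """Issue a five-digit code (random unless one is supplied for a test) and
        return it, standing in for the e-mail that carries it to the user."""
        if code is None:
            code = "%05d" % secrets.randbelow(100000)
        self._challenges[submission_id] = {"code": code, "failures": 0, "verified": False}
        return code

    def verify(self, submission_id, challenge_code):
        """Return {"ok": True} on success, else {"ok": False, "error": ...}."""
        ch = self._challenges.get(submission_id)
        if ch is None:
            return {"ok": False, "error": "expired"}
        # Constant-time compare so response timing does not leak a matching prefix.
        if hmac.compare_digest(ch["code"].encode(), str(challenge_code).encode()):
            ch["verified"] = True
            return {"ok": True}
        ch["failures"] += 1
        if self.max_attempts is not None and ch["failures"] >= self.max_attempts:
            # Burn the code: the user must request a fresh one, and every further
            # guess against this submission_id gets the same uninformative answer.
            del self._challenges[submission_id]
            return {"ok": False, "error": "expired"}
        return {"ok": False, "error": "wrong_code"}


def brute_force(server, submission_id, max_guesses=100000):
    """Attacker loop: try 00000..99999 in order and return (code, requests_sent).
    Stops as soon as the server stops answering "wrong_code", because a changed
    error message means the guesses are no longer being evaluated."""
    for n in range(max_guesses):
        guess = "%05d" % n
        r = server.verify(submission_id, guess)
        if r["ok"]:
            return guess, n + 1
        if r["error"] != "wrong_code":
            return None, n + 1
    return None, max_guesses


if __name__ == "__main__":
    vulnerable = ChallengeServer(max_attempts=None)
    secret = vulnerable.start_challenge("sub-1")
    print("no lockout: recovered", brute_force(vulnerable, "sub-1"), "actual", secret)
    fixed = ChallengeServer(max_attempts=5)
    fixed.start_challenge("sub-2")
    print("lockout after 5: recovered", brute_force(fixed, "sub-2"))
```

Two details carry the fix. The attempt counter lives on the submission_id, not on the client IP, so rotating addresses or stripping request parameters (as the write-up's __req/__be trick did) does not reset it. And once the limit is hit the endpoint forgets the code entirely, so the correct value is rejected too and the user has to restart the challenge rather than the attacker getting one more try.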

Timeline

      30 July 2019  - Report submitted
      30 July 2019  - Triage
      15 April 2020 - Issue resolved and bounty awarded: $2000