Finding bugs on Facebook was one of the biggest dreams of my life, ever since I read this blog in 2014 and later this one in 2019. If you are not familiar with race conditions, read this blog first. Before we jump into the issue, let's talk about my struggle. After reading those two blogs I decided to find a bug on Facebook. I was struggling with slow internet and electricity problems; at the same time I was analyzing thousands of requests in my Burp proxy history to understand what was going on. After a hard 15 days, I finally found my first valid issue on Facebook.
Issue 1: Missing rate limit at Facebook Developers Individual Verification.
Individual Verification is a process that allows Facebook to gather information about a user so it can verify your identity as a person, as opposed to a business entity or organization. A user can begin the verification process in the Verification section of the App Dashboard > Settings > Basic panel, or in the Individual Verification tab of the account's Developer Settings panel.
POST /apps/async/individual_verification/send_contract/?email= HTTP/1.1
Host: developers.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:86.0) Gecko/20100101 Firefox/86.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://developers.facebook.com/settings/developer/indie-verification/
Content-Type: application/x-www-form-urlencoded
Content-Length: 280
Origin: https://developers.facebook.com
Connection: close
Cookie: // User cookies
While testing the above workflow, I came across the POST request described above, where the endpoint
An attacker can send a large number of emails from Facebook's servers to any e-mail account. (Bug bounty platforms generally do not accept this type of report, but Facebook accepted it because it was a verification endpoint.)
16 May 2019 - Report submitted
23 May 2019 - Triage
5 June 2019 - Fixed and patched
5 June 2019 - Bypass sent
15 July 2019 - Issue resolved and bounty awarded: $500 + $500
Issue 2: Missing rate limit at Facebook Business Verification.
Business Verification is a process that allows Facebook to gather information about users and businesses so it can verify your identity as a business entity. Apps that allow other businesses to access their own data must be connected to a business that has completed Business Verification. Until then, app users from other businesses will be unable to grant these apps permissions and all features will be inactive.
Facebook Business is an application that allows a user to create a profile on the Facebook platform and gives them an opportunity to promote their business there. During my testing, I found a missing rate limit on business verification, where a user is required to input a 5-digit code received via email.
POST /business_verification/challenge/verify/ HTTP/1.1
Host: business.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://business.facebook.com/settings/security/business_verification?business_id=xxxxxxxxxxxxxxx
Content-Type: application/x-www-form-urlencoded
Content-Length: 520
Connection: close
Cookie: // User cookie

submission_id=xxxxxxxxxxx&challenge_code=67890&challenge_type=email&indexed_id&__user=xxxxxxxxxxxxx&__a=1&__dyn=7xeUmFoO2CeCExUS2qq7E-8GAdyedKnFwn8eVEpyA5EK32q1oxy5Qdgdp98SmaDxW4E8U6ydwJyFEeo8p8-cx210wExuEixycx68w825ocEixWq1owvo7OqbwOzXwKzUeA9wRyUvyolyU6XximbDxeiUdo62iczErK2x0ZxzyGw8nz8a84q1UKh7wg8OqawywWg8oty88E4u2l2Utgvx-6U4a78K0AEbGg9ojwgEmy8eE&__req=y&__be=1&__pc=PHASED%3Abrands_pkg&dpr=1&__rev=1000997435&__s=%3Aen9sbg%3Axzvz6h&__hsi=6719306340508947313-0&fb_dtsg=AQFxSKvkuzNy%3AAQGIG2HsP1Ju&jazoest=22133
In the above POST request, challenge_code was the vulnerable parameter. While I was trying to brute-force the code, the server generated three different types of error messages, but it did not block my IP address. At that time I had no idea what to do. I started playing with the request: first I removed some parameters one by one and tried to brute-force the challenge code, and I failed each time. Then I removed the parameters __req=y&__be=1 from the request and noticed that this time the error message was different: "You have enter the wrong code! please try again !". I immediately set up a payload of 1000 requests to the server and found that the error was the same every time. I reported this issue to Facebook and after 30 minutes a member of the security team replied with "nice catch" and confirmed the issue was valid.
An attacker can bypass the email verification protection and verify the owner's email. It may be possible to create a fake business account with the genuine email address of the business owner.
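Both issues come down to the same missing server-side control: the send_contract endpoint (Issue 1) had no budget on how many verification emails one account could trigger or one address could receive, and the challenge/verify endpoint (Issue 2) had no cap on wrong guesses per submission_id, so a 5-digit code (100,000 possibilities) falls to a plain brute force, and a check that only fires when certain client-supplied parameters such as __req and __be are present can be stripped away by the client. The following is an added example written for this post, not Facebook's code, showing what the fixed shape of both endpoints looks like: a sliding-window limiter keyed on the account and on the destination address for sending, and a wrong-attempt counter that is bound to the challenge itself and burns it after a few failures. The class and method names (VerificationService, send_contract, verify_challenge), the limits, and the constructed inputs are all this example's own assumptions.

```python
import hmac
import secrets
from collections import defaultdict, deque

# Added example, not Facebook's implementation. Names, limits and sample
# inputs are assumptions chosen to illustrate the two missing controls.


class SlidingWindowLimiter:
    """Allow at most `limit` events per `window_seconds` for each key."""

    def __init__(self, limit: int, window_seconds: float):
        self.limit = limit
        self.window = window_seconds
        self._events = defaultdict(deque)  # key -> timestamps of recent events

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        while q and q[0] <= now - self.window:   # drop events outside the window
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


class VerificationService:
    CODE_DIGITS = 5
    MAX_WRONG_ATTEMPTS = 5              # wrong guesses before the challenge is burned
    EMAILS_PER_ACCOUNT_PER_HOUR = 5     # Issue 1: budget for the requesting account
    EMAILS_PER_ADDRESS_PER_HOUR = 3     # Issue 1: budget for the destination address
    CODE_TTL_SECONDS = 900

    def __init__(self):
        self.account_limiter = SlidingWindowLimiter(self.EMAILS_PER_ACCOUNT_PER_HOUR, 3600)
        self.address_limiter = SlidingWindowLimiter(self.EMAILS_PER_ADDRESS_PER_HOUR, 3600)
        self._challenges = {}   # submission_id -> {"code", "wrong", "expires"}
        self.sent = []          # (account_id, email, code) handed to a fake mailer

    def send_contract(self, account_id: str, email: str, now: float):
        # Both the requester and the destination must be under budget; otherwise
        # the server can be used to flood any mailbox.
        if not self.account_limiter.allow(f"acct:{account_id}", now):
            return None, "rate limited (account)"
        if not self.address_limiter.allow(f"addr:{email.lower()}", now):
            return None, "rate limited (address)"
        code = f"{secrets.randbelow(10 ** self.CODE_DIGITS):0{self.CODE_DIGITS}d}"
        submission_id = secrets.token_hex(8)
        self._challenges[submission_id] = {
            "code": code, "wrong": 0, "expires": now + self.CODE_TTL_SECONDS,
        }
        self.sent.append((account_id, email, code))
        return submission_id, "sent"

    def verify_challenge(self, submission_id: str, challenge_code: str, now: float):
        # The attempt counter lives server-side on the challenge, so it applies no
        # matter which optional request parameters the client decides to omit.
        ch = self._challenges.get(submission_id)
        if ch is None:
            return False, "unknown or burned submission"
        if now > ch["expires"]:
            del self._challenges[submission_id]
            return False, "expired"
        if hmac.compare_digest(ch["code"], str(challenge_code)):  # constant-time compare
            del self._challenges[submission_id]                    # single use
            return True, "verified"
        ch["wrong"] += 1
        if ch["wrong"] >= self.MAX_WRONG_ATTEMPTS:
            del self._challenges[submission_id]
            return False, "too many wrong codes; request a new one"
        return False, "wrong code"


def brute_force(service: VerificationService, submission_id: str, now: float):
    """Guess every 5-digit code in order; return (succeeded, attempts made)."""
    for n in range(10 ** VerificationService.CODE_DIGITS):
        ok, msg = service.verify_challenge(submission_id, f"{n:05d}", now)
        if ok:
            return True, n + 1
        if msg != "wrong code":          # burned, expired or unknown: stop
            return False, n + 1
    return False, 10 ** VerificationService.CODE_DIGITS
```

With the attempt cap in place the brute force stops after MAX_WRONG_ATTEMPTS guesses, so an attacker's chance of hitting a fresh 5-digit code is 5 in 100,000 per challenge rather than a certainty, and every new challenge costs a send that is itself rate limited. The two limiters are independent on purpose: capping only the account would still let many accounts flood one address, and capping only the address would still let one account spray many addresses.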
30 July 2019 - Report submitted
30 July 2019 - Triage
15 April 2020 - Issue resolved and bounty awarded: $2000