Sunday 16 March 2014

Facebook Self XSS Vulnerability Hunted By Indian Security Researcher


 
Indian security researcher NB Sri Harsha found a self-XSS vulnerability in Facebook and received a bug bounty for it. He shared his experience with us.
"Let's start, my first bug:

1) Logical issue -> See the posts of a friend who blocked you (Date: 25/6/13)


Affected URL: https://www.facebook.com/ajax/pagelet/generic.php/ProfileTimelineSectionPagelet?-LH54I3QVfjO&no_script_path=1&data={"profile_id":VICTIM's PROFILE ID,"start":0,"end":1372661999,"query_type":36,"page_index":2,"section_container_id":"u_jsonp_10_b","section_pagelet_id":"pagelet_timeline_recent","unit_container_id":"u_jsonp_10_a","current_scrubber_key":"recent","time_cutoff":null,"buffer":500,"require_click":false,"showing_esc":false,"adjust_buffer":true,"tipld":{"sc":14,"rc":12},"num_visible_units":18,"remove_dupes":true}&__user=YOUR Profile ID &__a=1&__dyn=7n8ahyj35CFVVpQ9UmA4rw&__req=jsonp_12&__adt=12


Change the victim's profile ID and your profile ID in the parameters profile_id and __user respectively.


First they said it's not a valid issue :/
As I didn't send valid PoCs, my bug was rejected, but it was fixed.

Before the patch:

After the patch:


                     
2) Open URL redirection (28/6/13)

Affected URL: https://www.facebook.com/ajax/emu/end.php?eid=AQKyE9nWHd1QEzWMyiGzwkcveL0G7NqyhoKbIAvV7Wl1p0fZkIOo8IT2hMRtAZ_R42mbdqH6GIpwH-fphgOpnOVCEtVlO2dJ5QynThvc-5Ba-aZqRQjQZIJFm9Vh09UUYlvrfNLJiy5aqqqAZjSXg1b0LCRuvWXOO3aJyizt94wyxhS51nOqoiQH3QMZEXRrtPbYC5wLll6Tkao1JsGIqBEDCdjnU46WZKmce2NXNvEttdI1iHFRTnaphrs2ufLt1azhEA_dxc2WWVDuoJD-mZ0Y1Uc8itin9b9gDBUiHLO5kdC68R86WyFK24P-ugV00wwc2XsUbVvmV2ImoSnscbYhEbToPefwbhK3yfQesjs-Shx12so6TqB52LGTL9sS9e_Ycnzuahaac9vGlqUxZM1LflW7AWzsRpgZm6G2iEUjbLmDbYmyV9Lg_GPHTs7IFWTwbNIMHCjw8fqMp9uhs-ELGlF2C7uGeSlj9LLC9QBSvyRwfFd1wuUhYnMv6B_SyNPLjAY62v5MXuNzzDoBT2YbZIzyNsuycMMNbk68dcT08GupOdbPCJjpaWxMemfhfWy9hzSPXoz_VExQZvnJpbQKaX63O_ywbVV32imznFhgBvTrUKospOLxWehpmcvX797ZzNcQXrzILxWpyIq3kNs5FxSXmkBbTKd6tHGU_uWSuKtIVZFKMQ-aba7BiuumgUjdOa7JUg21XkAAJYU2UIAXf5Alc5zgG8DlAlFPH9GL8e9vjPmK2gRqiwrBiF0FdJdcA3tT1T0alworh8JzD0XO48LaLZgGGzi8-qDegz3Uni2814VzNVMl6J6-s8zgdB0TBusCHNHJK9TBXURk2y1i7_TqVYKcCJ1jpWwbRV4TWB2vJINIV6GwKaLb9grlrbVUsQb7gXbrJbj6vjD082qagJpGbfVFgNChDe6pOwgG7VL5E9VawsXRAiefomWk0HewP07FlZKO_RXFpC97Sc2MydoWMWOY8OJI94L3skwHV7O4BAC7xpYWQXlKaarRW1Hsu0mZuw3mqjp3v9PH-vBT0aJBROILe_NIAMzg0UYDltCcLF9aSMwYlNB9QGNXzuDpTv9XNYJhHqOb21GOgWyGN7OSrsVCMo2KyTxAYLzu_w&f=0&ui=6007560916538-id_51cc88975bf097744321182&en=1&a=0&sig=79912&__tn__=wv


It redirects to www2.gotomeeting.com. And this is vuln this now.

It was a partial redirect; it only redirects to a specific website intentionally.


3) Open redirect in Parse (7/10/13)

Affected URL: http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6MDoxMDg3OjI2NjowOjEwNTA6NzoyNDI3Mjc3LTE6bnVsbA%3D%3D&&&http://igoogle.pk.

First I thought it was a valid issue, and I was waiting for their reply.

One day on Feb 27:

So I started targeting acquisitions.




4) spaceport.io multiple bugs (8/10/13)

Link: http://nbsriharsha.blogspot.in/2013/10/facebook-acquisition-spaceport-multiple.html

They said it was not an affiliate of Facebook.



5) Open FTP on Facebook server (17/11/13)

Yeah, I remember this day; when I posted this PoC on Facebook,
everyone went mad and started asking me how I did that.

The affected site was: mirror.facebook.net

It has anonymous FTP.

I didn't upload anything to test, but I reported it.

I messed up.


6) Logical issue --> Bypass friend list privacy (20/11/13)

Where a user sets that only he should see his friends, not others: if anyone tries to see them, they can only find mutual friends.

Reproduction Instructions / Proof of Concept: 

Here I am going to demonstrate how this works. Here I have used two accounts:


1) N B Sri Harsha (who has friend list privacy)

  https://www.facebook.com/nbLORDS

2) echo off (test account, attacker)

  https://www.facebook.com/echo.off.54


Note: the attacker should not have any friends in his list.

Now the attacker "Echo Off" will send a request to the victim "N B Sri Harsha".

Now the victim accepts the request.

As per the privacy settings, when the attacker "Echo Off" goes to the victim's profile "N B Sri Harsha", he sees no friends, because there is no mutual friend between them.

Now the attacker goes to this profile and clicks on Find Friends.

Then boom, all 1000 friends of the victim "N B Sri Harsha" will be visible in his Find Friends.


Note: this bug only works when the attacker doesn't have any friends in his list!

BUT >.<, it went duplicate.

7) Logical issue --> Sending messages when blocked (6/12/13)

PoC: https://www.youtube.com/watch?v=_ntvhFlwRcA

But this also went duplicate :(




8) Logical issue --> Commenting on posts when blocked (18/12/13)

As you have seen in the "Sending messages when blocked" video,

I have used the email service to send messages.

The same here too: you will have mails regarding someone commenting on your profile;

then you reply to that, and it will directly comment.

But unfortunately this also went duplicate :(





9) Bypassing the "Next" parameter using a.php (23/12/13)

PoC: http://www.youtube.com/watch?v=84VCNiCoQsQ&feature=youtu.be

But unfortunately this also went duplicate :(



After many duplicates, I never gave up.

It was New Year; everyone was celebrating, but I was still finding bugs.

Facebook introduced lookout; this was just a 5 min video reviewing the whole year.

They introduced a third-party site (facebookstories.com) to share other stories and reviews, so I started hunting :D



Finally I found a self XSS in Facebook..
After 3 months, i.e. March 14 2014, the bounty was approved; they rewarded me $500.



That's it, security breached.





~ Facebook ~

It took 7 months for me to get into the Facebook Hall of Fame :)
"
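Items 2, 3 and 9 of the account above are variants of one defect: a redirect parameter forwarded without checking where it points. The validator below is an added example, not code from the post or from Facebook, showing the check a defender puts in front of such an endpoint; the allowlisted host and the sample inputs are constructed for illustration.

```python
from urllib.parse import urlsplit, urlunsplit

# Hosts the redirect endpoint may legitimately send users to.
# Constructed for this example: the post describes the Facebook endpoint
# as a partial redirect that intentionally forwards only to one site.
ALLOWED_HOSTS = {"www2.gotomeeting.com"}


def safe_redirect_target(raw: str, default: str = "/") -> str:
    """Return `raw` if it is a safe redirect target, else `default`.

    Safe means: a relative path on our own site, or an http(s) URL whose
    host is allowlisted.  Everything else (foreign hosts, scheme-relative
    //host, backslash or user@host tricks, javascript: etc.) is rejected.
    """
    if not raw:
        return default
    # Drop control characters and surrounding whitespace; lenient parsers
    # tolerate them and filter bypasses rely on exactly that.
    candidate = "".join(ch for ch in raw.strip() if ord(ch) > 31)
    parts = urlsplit(candidate)

    # Case 1: no scheme and no authority -> treat as a local path, but only
    # a plain "/path".  "//host" (and "///host") is scheme-relative, and
    # browsers normalise "\" to "/", so "/\host" behaves like "//host".
    if not parts.scheme and not parts.netloc:
        if (candidate.startswith("/") and not candidate.startswith("//")
                and "\\" not in candidate):
            return candidate
        return default

    # Case 2: absolute URL -> only http(s) to an allowlisted host.  Using
    # .hostname rather than .netloc defeats "https://allowed@evil/" tricks,
    # where the allowlisted name is merely the userinfo part.
    if parts.scheme not in ("http", "https"):
        return default
    host = (parts.hostname or "").lower()
    if host in ALLOWED_HOSTS:
        return urlunsplit(parts)
    return default
```

A host allowlist does not cover a same-site page that itself forwards to a user-supplied URL (the kind of chained redirect behind item 9), so every internal forwarder needs the same check.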



Note: more info coming up after the patch.

About the author:
N B Sri Harsha is much interested in new technology, programming and breaking web app security.
