Monday 8 February 2016

Facebook Awarded $3500 Bug Bounty For Finding Vulnerability on Event Cover Page

Facebook Awarded $3500 Bug Bounty For Finding Vulnerability on Event Cover Page

Facebook Awarded $3500 Bug Bounty For Finding Vulnerability on Event Cover Page

Security researcher 'Roy Castillo' discovered the vulnerability. He told HackersOnlineClub that this Vulnerability was allowed to remove and overwrite on the Facebook event cover page. And Facebook paid $3500 bounty to find this bug. 

Roy explained in his Blog,

Overwriting/Removing Cover Photos on Facebook Event Pages:

An Insecure Direct Object Reference vulnerability in Facebook Events using which attacker could have remove/overwrite your Event Cover Photo just by replacing his Event id with yours in Event editing request.

Vulnerability Description

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. Reference: OWASP

Steps to Reproduce

1. Create an Event, right click edit and inspect element

2. Change the event_id's values to victim's Event id so attacker can request to edit victim's Event

3. To Overwrite, upload new photo then save
4. To Remove, click the "x" then save

Attacker successfully removed the cover photo without victim's knowledge

as well as overwrite the cover photo

Facebook Fixed this bug after reported.  Now, you can only overwrite/remove your own cover.

Disclosure Timeline

  • Jan 11, 2016 - Report Sent
  • Jan 13, 2016 - Escalation by Facebook
  • Jan 14, 2016 - Patched by Facebook
  • Jan 20, 2016 - Bounty Awarded by Facebook


Post a Comment

Note: only a member of this blog may post a comment.

Toggle Footer