Facebook BugBounty  - Disclosing page members


Because of some privacy reasons, identity of page members (admins/mods/analysts) is kept secret by facebook and normal page visitors cannot find the details about these members. But back in July 2018, when I was hunting for bugs in Facebook, I found multiple ways to disclose members of a facebook page.

Disclosing post creators with 'Get Messages' feature

This feature named “Get Messages” is available on Facebook pages when uploading posts and stuff.

Get Messages feature

Mainly e-commerce and online shopping websites use this feature with one of their product so whenever a visitor wants to know more about that particular product, they can simply click on the “Send message” button. A post with this feature enabled looks something like the below screenshot.

A post with “Get messages” feature enabled

The bug here is, if we click on this “Send message button”, profile ID of the creator is leaked in one of the responses coming from host https://x-edge-chat.facebook.com which is not visible in general..

Inbox demo

.. but if we check burp suite logs, we can see that the ID of the creator is leaked.

Creator’s profile leaked

In the above screenshot, 100027117349417 is the ID of my test account.

Impact?

This particular bug is really easy to exploit and if an attacker needs to find the creator of a Facebook page, s/he can just go to the page, find posts with this feature enabled, click on send message button, check the logs and BOOM profile ID of the creator is disclosed.

Timeline

6th July 2018: Issue found and reported.

10th July 2018: First Reply by Facebook Security

11th July 2018: Issue triaged

27th July 2018: Issue fixed

4th Sep 2018: Bounty awarded *Nice bounty :P*


Disclosing the identity of people sending messages on the behalf of the page

When I was going through Burp Suite logs to report the above issue, I noticed this weird response too.

Unknown_response.png

I was pretty sure this was something else and could lead to another leak so I just saved this screenshot and decided to look into this issue later.

*Fast forward to 1 week later*

I tried to reproduce this issue by simply sending a message to the page as a normal visitor..

Sending message to a page as normal visitor

.. and replied from the page

Replying to the above visitor from page

As soon as I recieved this “Hello visitor” message, I checked Burp Suite logs and saw this exact same response like before.

Message senders’ profile leaked

Here, 100027405052940 is the profile ID of page member who replied “Hello visitor”. This means.. You send a message to a Facebook page, someone who has ability to read/reply messages replies to you and immediately his profile ID is leaked.

Impact?

Very very very easy to exploit. Anyone can just randomly send message to a facebook page, someone replies to that message and BOOM, their profile ID is leaked. ;)

Timeline

6th Jul 2018: Initial Discovery of bug

14th Jul 2018: Mystery behind the ‘leak’ found and reported

18th Jul 2018 3:37 AM: Issue triaged

18th Jul 2018 10:53 PM: Issue fixed

1st Aug 2018: Bounty awarded


T̶h̶a̶t̶’̶s̶ ̶a̶l̶l̶ ̶f̶o̶r̶ ̶2̶0̶1̶8̶.̶ ̶I̶ ̶h̶o̶p̶e̶ ̶t̶o̶ ̶d̶i̶v̶e̶ ̶m̶o̶r̶e̶ ̶i̶n̶t̶o̶ ̶F̶a̶c̶e̶b̶o̶o̶k̶ ̶B̶u̶g̶B̶o̶u̶n̶t̶y̶ ̶p̶r̶o̶g̶r̶a̶m̶ ̶i̶n̶ ̶2̶0̶1̶9̶ ̶❤

Thank you for reading this post. If you have any queries/suggestions, I’m available on Twitter :)

Happy Hacking!! .. until next time.

Comments

Popular posts from this blog

Adventures Into The MeowCorp Bug Bounty Program

Dropping root shell in a Crypto Exchange for Fun (and Profit?)

Expanding the attack surface with Shodan's lesser known filter