Facebook BugBounty - Disclosing page members
For privacy reasons, the identity of page members (admins/mods/analysts) is kept secret by Facebook, and normal page visitors cannot find the details of these members. But back in July 2018, when I was hunting for bugs in Facebook, I found multiple ways to disclose members of a Facebook page.
Disclosing post creators with 'Get Messages' feature
The “Get Messages” feature is available on Facebook pages when creating posts.
Mainly e-commerce and online shopping websites use this feature with one of their products, so whenever a visitor wants to know more about that particular product, they can simply click on the “Send message” button. A post with this feature enabled looks something like the below screenshot.
The bug here is that if we click on this “Send message” button, the profile ID of the creator is leaked in one of the responses coming from the host https://x-edge-chat.facebook.com, which is not visible in general..
.. but if we check Burp Suite logs, we can see that the ID of the creator is leaked.
In the above screenshot, 100027117349417 is the ID of my test account.
This particular bug is really easy to exploit, and if an attacker needs to find the creator of a Facebook page, s/he can just go to the page, find posts with this feature enabled, click on the “Send message” button, check the logs and BOOM, the profile ID of the creator is disclosed.
6th July 2018: Issue found and reported.
10th July 2018: First Reply by Facebook Security
11th July 2018: Issue triaged
27th July 2018: Issue fixed
4th Sep 2018: Bounty awarded *Nice bounty :P*
Disclosing the identity of people sending messages on the behalf of the page
When I was going through Burp Suite logs to report the above issue, I noticed this weird response too.
I was pretty sure this was something else and could lead to another leak so I just saved this screenshot and decided to look into this issue later.
*Fast forward to 1 week later*
I tried to reproduce this issue by simply sending a message to the page as a normal visitor..
.. and replied from the page
As soon as I received this “Hello visitor” message, I checked Burp Suite logs and saw the exact same response as before.
Here, 100027405052940 is the profile ID of the page member who replied “Hello visitor”. This means.. You send a message to a Facebook page, someone who has the ability to read/reply to messages replies to you, and immediately their profile ID is leaked.
Very very very easy to exploit. Anyone can just randomly send a message to a Facebook page, someone replies to that message and BOOM, their profile ID is leaked. ;)
6th Jul 2018: Initial Discovery of bug
14th Jul 2018: Mystery behind the ‘leak’ found and reported
18th Jul 2018 3:37 AM: Issue triaged
18th Jul 2018 10:53 PM: Issue fixed
1st Aug 2018: Bounty awarded
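Both leaks above were profile IDs of page staff showing up in responses delivered to an ordinary visitor session. The following is an added example, not code from the original post or from Facebook: a regression check that walks captured response bodies and reports where any protected staff ID appears. The host, field names, IDs and sample bodies are constructed assumptions.

```python
import json
import re

# Constructed fixture: profile IDs of staff accounts on a test page.
PROTECTED_IDS = {"100000000000001", "100000000000002"}

def id_pattern(ids):
    # Whole digit runs only: matches "fbid:100000000000001" but not a
    # longer number that merely contains the ID.
    alternatives = "|".join(re.escape(i) for i in sorted(ids))
    return re.compile(r"(?<!\d)(" + alternatives + r")(?!\d)")

def find_leaks(node, pattern, path="$"):
    """Return (json_path, id) for each protected ID in keys or scalar values."""
    hits = []
    if isinstance(node, dict):
        for key, value in node.items():
            hits += [(f"{path}.{key} (key)", m) for m in pattern.findall(key)]
            hits += find_leaks(value, pattern, f"{path}.{key}")
    elif isinstance(node, list):
        for i, value in enumerate(node):
            hits += find_leaks(value, pattern, f"{path}[{i}]")
    elif isinstance(node, (str, int, float)) and not isinstance(node, bool):
        hits += [(path, m) for m in pattern.findall(str(node))]
    return hits

def audit_responses(responses, protected_ids=PROTECTED_IDS):
    """responses: (url, body) pairs captured while logged in as a visitor."""
    pattern = id_pattern(protected_ids)
    report = []
    for url, body in responses:
        try:
            doc = json.loads(body)
        except ValueError:  # not JSON: fall back to a raw text scan
            report += [(url, "<raw>", m) for m in pattern.findall(body)]
            continue
        report += [(url, p, m) for p, m in find_leaks(doc, pattern)]
    return report

# Constructed capture; host and field names are hypothetical.
SAMPLE = [
    ("https://chat.example.test/pull?seq=1",
     '{"ms":[{"actor":{"page":"200000000000001","sender_fbid":100000000000002},'
     '"body":"Hello visitor"}]}'),
    ("https://chat.example.test/pull?seq=2",
     '{"ms":[{"actor":{"page":"200000000000001"},"body":"Hello visitor"}]}'),
]

if __name__ == "__main__":
    for url, path, leaked in audit_responses(SAMPLE):
        print(f"LEAK {leaked} at {path} in {url}")
```

Run against a proxy export from a visitor-role test account, an empty report is the passing condition; any hit names the response and JSON path that needs an authorization or serialization fix.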
T̶h̶a̶t̶’̶s̶ ̶a̶l̶l̶ ̶f̶o̶r̶ ̶2̶0̶1̶8̶.̶ ̶I̶ ̶h̶o̶p̶e̶ ̶t̶o̶ ̶d̶i̶v̶e̶ ̶m̶o̶r̶e̶ ̶i̶n̶t̶o̶ ̶F̶a̶c̶e̶b̶o̶o̶k̶ ̶B̶u̶g̶B̶o̶u̶n̶t̶y̶ ̶p̶r̶o̶g̶r̶a̶m̶ ̶i̶n̶ ̶2̶0̶1̶9̶ ̶❤
Thank you for reading this post. If you have any queries/suggestions, I’m available on Twitter :)
Happy Hacking!! .. until next time.