Hello guys,
After a long time I have started blogging again,
and now I want to share my experience with the Facebook bug bounty.
Let's start with my first bug.
1) Logical issue -> see the posts of a friend who blocked you (date: 25/6/13)
Affected URL: https://www.facebook.com/ajax/pagelet/generic.php/ProfileTimelineSectionPagelet?-LH54I3QVfjO&no_script_path=1&data={"profile_id":VICTIM'S PROFILE ID,"start":0,"end":1372661999,"query_type":36,"page_index":2,"section_container_id":"u_jsonp_10_b","section_pagelet_id":"pagelet_timeline_recent","unit_container_id":"u_jsonp_10_a","current_scrubber_key":"recent","time_cutoff":null,"buffer":500,"require_click":false,"showing_esc":false,"adjust_buffer":true,"tipld":{"sc":14,"rc":12},"num_visible_units":18,"remove_dupes":true}&__user=YOUR PROFILE ID&__a=1&__dyn=7n8ahyj35CFVVpQ9UmA4rw&__req=jsonp_12&__adt=12
Put the victim's profile ID and your own profile ID in the profile_id and __user parameters respectively.
- First they said it was not a valid issue :/
Because I did not send a valid PoC, my bug was rejected, but it was fixed anyway.
After the patch:
2) Open URL redirection (28/6/13)
Affected URL: https://www.facebook.com/ajax/emu/end.php?eid=AQKyE9nWHd1QEzWMyiGzwkcveL0G7NqyhoKbIAvV7Wl1p0fZkIOo8IT2hMRtAZ_R42mbdqH6GIpwH-fphgOpnOVCEtVlO2dJ5QynThvc-5Ba-aZqRQjQZIJFm9Vh09UUYlvrfNLJiy5aqqqAZjSXg1b0LCRuvWXOO3aJyizt94wyxhS51nOqoiQH3QMZEXRrtPbYC5wLll6Tkao1JsGIqBEDCdjnU46WZKmce2NXNvEttdI1iHFRTnaphrs2ufLt1azhEA_dxc2WWVDuoJD-mZ0Y1Uc8itin9b9gDBUiHLO5kdC68R86WyFK24P-ugV00wwc2XsUbVvmV2ImoSnscbYhEbToPefwbhK3yfQesjs-Shx12so6TqB52LGTL9sS9e_Ycnzuahaac9vGlqUxZM1LflW7AWzsRpgZm6G2iEUjbLmDbYmyV9Lg_GPHTs7IFWTwbNIMHCjw8fqMp9uhs-ELGlF2C7uGeSlj9LLC9QBSvyRwfFd1wuUhYnMv6B_SyNPLjAY62v5MXuNzzDoBT2YbZIzyNsuycMMNbk68dcT08GupOdbPCJjpaWxMemfhfWy9hzSPXoz_VExQZvnJpbQKaX63O_ywbVV32imznFhgBvTrUKospOLxWehpmcvX797ZzNcQXrzILxWpyIq3kNs5FxSXmkBbTKd6tHGU_uWSuKtIVZFKMQ-aba7BiuumgUjdOa7JUg21XkAAJYU2UIAXf5Alc5zgG8DlAlFPH9GL8e9vjPmK2gRqiwrBiF0FdJdcA3tT1T0alworh8JzD0XO48LaLZgGGzi8-qDegz3Uni2814VzNVMl6J6-s8zgdB0TBusCHNHJK9TBXURk2y1i7_TqVYKcCJ1jpWwbRV4TWB2vJINIV6GwKaLb9grlrbVUsQb7gXbrJbj6vjD082qagJpGbfVFgNChDe6pOwgG7VL5E9VawsXRAiefomWk0HewP07FlZKO_RXFpC97Sc2MydoWMWOY8OJI94L3skwHV7O4BAC7xpYWQXlKaarRW1Hsu0mZuw3mqjp3v9PH-vBT0aJBROILe_NIAMzg0UYDltCcLF9aSMwYlNB9QGNXzuDpTv9XNYJhHqOb21GOgWyGN7OSrsVCMo2KyTxAYLzu_w&f=0&ui=6007560916538-id_51cc88975bf097744321182&en=1&a=0&sig=79912&__tn__=wv
It redirects to www2.gotomeeting.com.
And this is not a vulnerability: it was only a partial redirect, it redirects to one specific website, intentionally. (The destination is bound to the opaque eid token and the request carries a sig parameter, so presumably the target cannot be swapped for an attacker-chosen URL.)
3) Open redirect in Parse (7/10/13)
Affected URL: http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6MDoxMDg3OjI2NjowOjEwNTA6NzoyNDI3Mjc3LTE6bnVsbA%3D%3D&&&http://igoogle.pk
Here the destination is simply appended after the tracking parameters, and the tracker follows whatever is there.
At first I thought it was a valid issue, and I was waiting for their reply.
One day on Feb 27
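The difference between the two redirects above is the whole story: the Parse trk link takes its destination from the client (the ...&&&http://igoogle.pk tail), while the Facebook emu/end.php link carries an opaque eid and a sig, so the destination is server-side state. Below is an added example of how a tracking endpoint can validate a requested destination against an exact-host allow-list; it is not Facebook's or Parse's code, and the allow-list contents, the extraction rule and the function names are assumptions made for this illustration.

```python
# Added example, not Facebook's or Parse's code.  The Parse trk link has its
# destination appended after the tracking parameters (...&&&http://igoogle.pk):
# nothing binds the tracker to that host, so any URL works.  The allow-list,
# the extraction rule and the function names are assumptions for this example.
import re
from urllib.parse import urlsplit

ALLOWED_HOSTS = {"www2.gotomeeting.com"}   # assumption: partner hosts a shim may send users to
_TARGET = re.compile(r"(?:^|&)(https?://.*)$")


def extract_target(tracking_url: str):
    """Destination of a Parse-style trk link: the first query piece that is an
    absolute http(s) URL, taken to the end so its own query string survives."""
    m = _TARGET.search(urlsplit(tracking_url).query)
    return m.group(1) if m else None


def is_safe_redirect(target, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """Accept only absolute http(s) URLs whose host is exactly on the allow-list.
    Exact host matching defeats the usual tricks: scheme-relative //evil,
    userinfo (allowed@evil), and look-alike suffixes (allowed.evil.example)."""
    if not target:
        return False
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https"):
        return False
    if parts.username is not None or parts.password is not None:
        return False
    return parts.hostname in allowed_hosts


def trk_redirect(tracking_url: str, allowed_hosts=ALLOWED_HOSTS):
    """Hardened tracker: the Location to send, or None when the destination is
    not allowed (render an interstitial or return 400 instead of following it)."""
    target = extract_target(tracking_url)
    return target if is_safe_redirect(target, allowed_hosts) else None


# The link from the post, with the line-wrap spaces removed.
PARSE_LINK = ("http://link.parse.com/trk?t=2&mid=NzEzLVlGUS0wODQ6MDoxMDg3OjI2NjowOjEwNTA6"
              "NzoyNDI3Mjc3LTE6bnVsbA%3D%3D&&&http://igoogle.pk")

if __name__ == "__main__":
    print(extract_target(PARSE_LINK), trk_redirect(PARSE_LINK))
```

The userinfo check matters more than it looks: urlsplit("http://www2.gotomeeting.com@evil.example/") reports evil.example as the host, but a naive "does the string start with the allowed host" check would have waved it through.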
So I started targeting acquisitions.
4) spaceport.io multiple bugs (8/10/13)
Link: http://nbsriharsha.blogspot.in/2013/10/facebook-acquisition-spaceport-multiple.html
They said it was not an affiliate of Facebook.
5) Open FTP on a Facebook server (17/11/13)
Yeah, I remember this day; when I posted this PoC on Facebook, everyone went mad and started asking me how I did that.
The affected site was mirror.facebook.net.
It had anonymous FTP.
I did not upload anything to test, but I reported it.
I messed up.
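For context on why this one did not pay: anonymous read access on a host named mirror.* is normally intentional (public package mirrors work exactly that way), and the finding that would matter is anonymous write access. The probe below is an added example, not the author's PoC: it records what an anonymous login permits without issuing any command that changes the server (no STOR, MKD or DELE). The ftp_cls parameter is there so the function can be exercised offline against a fake; the fake and its directory listing are constructed for this illustration.

```python
# Added example, not the author's PoC: look for anonymous FTP on a host
# without changing anything on it.  The ftp_cls parameter lets the probe run
# offline against a fake; the fake's listing below is constructed.
from ftplib import FTP, error_perm


def anonymous_ftp_probe(host: str, ftp_cls=FTP, timeout: float = 10) -> dict:
    """Report what an anonymous login permits: banner (for fingerprinting),
    whether login succeeded, and the first entries of the root listing.
    Only connect, USER/PASS, NLST and QUIT are issued; never STOR, MKD or DELE."""
    result = {"host": host, "banner": "", "login": False, "listing": []}
    ftp = ftp_cls()
    try:
        result["banner"] = ftp.connect(host, 21, timeout=timeout)
        ftp.login()                      # ftplib default: user 'anonymous', password 'anonymous@'
        result["login"] = True
        result["listing"] = ftp.nlst()[:5]
    except (OSError, error_perm):
        pass                             # refused, timed out, or 530 on login: report what we have
    finally:
        try:
            ftp.quit()
        except Exception:
            pass
    return result


def make_fake_ftp(allow_anonymous: bool):
    """Constructed stand-in for ftplib.FTP so the probe can be exercised offline."""
    class FakeFTP:
        def connect(self, host, port=21, timeout=None):
            return "220 (vsFTPd 3.0.2)"

        def login(self, user="", passwd=""):
            if not allow_anonymous:
                raise error_perm("530 Login incorrect.")
            return "230 Login successful."

        def nlst(self, *args):
            # constructed listing, typical of a public package mirror
            return ["centos", "debian", "epel", "fedora", "ubuntu", "extras"]

        def quit(self):
            return "221 Goodbye."
    return FakeFTP


if __name__ == "__main__":
    # A real run needs the network: anonymous_ftp_probe("mirror.facebook.net")
    print(anonymous_ftp_probe("mirror.facebook.net", ftp_cls=make_fake_ftp(True)))
```

If the listing looks like a software mirror, the report should stop there: a bounty program will treat "anonymous FTP on a mirror" as working as intended unless you can show that an unauthenticated user can write, and proving that by uploading is outside what most programs allow.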
6) Logical issue --> bypass friend list privacy (20/11/13)
When a user sets his friend list to be visible only to himself and not to others, anyone who tries to see it can only find the mutual friends.
Reproduction instructions / proof of concept: here I am going to demonstrate how this works.
Here I have used two accounts:
1) N B Sri Harsha (who has friend list privacy)
URL: https://www.facebook.com/nbLORDS
2) echo off (test account, attacker)
URL: https://www.facebook.com/echo.off.54
Note: the attacker should not have any friends in his list.
Now the attacker "Echo Off" sends a friend request to the victim "N B Sri Harsha".
Now the victim accepts the request.
As per the privacy settings, when the attacker "Echo Off" goes to the victim's profile "N B Sri Harsha", he sees no friends, because there are no mutual friends between them.
Now the attacker goes to this profile and clicks on Find Friends.
Then boom, all 1000 friends of the victim "N B Sri Harsha" are visible in his Find Friends.
Note: this bug only works when the attacker doesn't have any friends in his list!
But >.<, it went duplicate.
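The "no other friends" condition is the tell. If Find Friends suggests friends-of-friends computed over the raw graph, and the attacker's only friend is the victim, then the suggestion set is exactly the victim's friend list, whatever the "Only me" setting on the Friends tab says. The model below is an added example, not Facebook's code: the suggestion rule, the visibility rule, the Graph class and the fix (only traverse through friends whose list the viewer may see) are all assumptions made to illustrate the leak described above.

```python
# Added example, not Facebook's code.  Model (an assumption): Find Friends
# suggests friends-of-friends computed over the raw graph.  When the
# attacker's only friend is the victim, that set *is* the victim's friend
# list, whatever the 'Only me' setting on the list says.  The fix shown is
# one possible one: only traverse through friends whose list the viewer may see.
from collections import Counter


class Graph:
    def __init__(self):
        self.friends = {}                 # user -> set of friends
        self.private_friend_list = set()  # users whose friend list is 'Only me'

    def add_friend(self, a, b):
        self.friends.setdefault(a, set()).add(b)
        self.friends.setdefault(b, set()).add(a)

    def can_see_friend_list(self, owner, viewer) -> bool:
        """Rule the profile's Friends tab applies (assumption): hidden lists are
        visible only to their owner; everyone else gets mutual friends only."""
        return owner == viewer or owner not in self.private_friend_list

    def mutual_friends(self, owner, viewer) -> set:
        return self.friends.get(owner, set()) & self.friends.get(viewer, set())

    def _friends_of_friends(self, user, via) -> Counter:
        counts = Counter()
        mine = self.friends.get(user, set())
        for f in via:
            for fof in self.friends.get(f, ()):
                if fof != user and fof not in mine:
                    counts[fof] += 1
        return counts

    def suggestions_vulnerable(self, user) -> set:
        """Friends-of-friends with no visibility check: a hidden list leaks
        through a feature that never asked the Friends-tab rule."""
        return set(self._friends_of_friends(user, self.friends.get(user, set())))

    def suggestions_fixed(self, user) -> set:
        """Only walk through friends whose list `user` is allowed to see, so a
        hidden list contributes nothing, even when it is the only path."""
        via = [f for f in self.friends.get(user, set())
               if self.can_see_friend_list(f, user)]
        return set(self._friends_of_friends(user, via))


def build_poc_graph(n_victim_friends: int = 1000):
    """Constructed scenario from the post: victim with a hidden friend list,
    attacker with no friends, then the attacker's friend request is accepted."""
    g = Graph()
    victim, attacker = "nbLORDS", "echo.off.54"
    for i in range(n_victim_friends):
        g.add_friend(victim, f"friend{i}")
    g.private_friend_list.add(victim)
    g.add_friend(victim, attacker)
    return g, victim, attacker


if __name__ == "__main__":
    g, victim, attacker = build_poc_graph()
    print(len(g.mutual_friends(victim, attacker)),   # 0: the Friends tab shows nothing
          len(g.suggestions_vulnerable(attacker)),   # 1000: the whole hidden list
          len(g.suggestions_fixed(attacker)))        # 0
```

The general lesson is that a privacy setting has to be enforced wherever the data is derived, not only on the page that displays it directly; a second friend on the attacker's account would only have mixed the victim's list with someone else's, which is why the PoC insists on an empty friend list.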
7) Logical issue --> sending messages when blocked (6/12/13)
PoC: https://www.youtube.com/watch?v=_ntvhFlwRcA
But this also went duplicate :(
8) Logical issue --> commenting on posts when blocked (18/12/13)
As you have seen in the "sending messages when blocked" video, I used the email service to send messages.
The same applies here: you receive emails about someone commenting on your profile; if you reply to that email, the reply is posted directly as a comment.
But unfortunately this also went duplicate :(
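Bugs 1, 7 and 8 are the same class of mistake seen from three entry points: the block relationship exists, but one code path never asks about it (the reply-by-email handler), or asks about the wrong user (a pagelet that takes the viewer from the __user parameter instead of the session). The code below is an added example, not Facebook's; the in-memory data model, the function names and the reply-token scheme are assumptions made to show the vulnerable pattern next to the fixed one.

```python
# Added example, not Facebook's code: one block check applied at every entry
# point, with the acting user taken from the session rather than from a
# client-supplied parameter such as __user.  Data model, function names and
# the reply-token scheme are assumptions made for this illustration.
from __future__ import annotations
import secrets
from dataclasses import dataclass, field


@dataclass
class Store:
    blocks: dict = field(default_factory=dict)        # owner -> {blocked user ids}
    posts: dict = field(default_factory=dict)         # owner -> [post text]
    comments: list = field(default_factory=list)      # (post_owner, author, text)
    reply_tokens: dict = field(default_factory=dict)  # token -> (post_owner, recipient)


def is_blocked(store: Store, owner: int, viewer: int) -> bool:
    """Single source of truth for the block relationship, in either direction."""
    return (viewer in store.blocks.get(owner, set())
            or owner in store.blocks.get(viewer, set()))


# --- Bug 1 pattern: timeline pagelet ------------------------------------------
def timeline_vulnerable(store: Store, params: dict) -> list:
    """Trusts the client's __user parameter as the viewer's identity, so a
    blocked user just supplies someone else's id and the check passes."""
    viewer = int(params["__user"])
    owner = int(params["profile_id"])
    return [] if is_blocked(store, owner, viewer) else store.posts.get(owner, [])


def timeline_fixed(store: Store, session_user: int, params: dict) -> list:
    """The viewer is the authenticated session user; __user is ignored."""
    owner = int(params["profile_id"])
    return [] if is_blocked(store, owner, session_user) else store.posts.get(owner, [])


# --- Bugs 7/8 pattern: reply-by-e-mail -----------------------------------------
def issue_reply_token(store: Store, post_owner: int, recipient: int) -> str:
    """Opaque token placed in the notification mail's Reply-To address."""
    token = secrets.token_urlsafe(16)
    store.reply_tokens[token] = (post_owner, recipient)
    return token


def email_reply_vulnerable(store: Store, token: str, body: str) -> bool:
    """Posts as soon as the token is valid.  The block is never consulted, so a
    user blocked after the mail went out can still comment by replying to it."""
    if token not in store.reply_tokens:
        return False
    owner, author = store.reply_tokens[token]
    store.comments.append((owner, author, body))
    return True


def email_reply_fixed(store: Store, token: str, body: str) -> bool:
    """Same check as the web path, evaluated when the reply arrives, not when
    the mail was sent.  Dropped silently: a blocked user learns nothing."""
    if token not in store.reply_tokens:
        return False
    owner, author = store.reply_tokens[token]
    if is_blocked(store, owner, author):
        return False
    store.comments.append((owner, author, body))
    return True


def demo() -> dict:
    """Constructed scenario: the victim blocks the attacker after a
    notification mail (carrying a reply token) has already been sent."""
    s = Store()
    victim, attacker = 100, 200
    s.posts[victim] = ["hello world"]
    token = issue_reply_token(s, victim, attacker)
    s.blocks[victim] = {attacker}
    spoofed = {"profile_id": str(victim), "__user": "999"}   # attacker lies about who they are
    return {
        "web_vulnerable": timeline_vulnerable(s, spoofed),
        "web_fixed": timeline_fixed(s, attacker, spoofed),
        "email_vulnerable": email_reply_vulnerable(s, token, "still here"),
        "email_fixed": email_reply_fixed(s, token, "still here"),
    }


if __name__ == "__main__":
    print(demo())
```

Two design points worth keeping: the block check lives in one function that every entry point calls, and it is evaluated at the moment the action is performed, because a token or notification issued before the block is still valid afterwards.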
9) Bypassing the "next" parameter using a.php (23/12/13)
PoC: http://www.youtube.com/watch?v=84VCNiCoQsQ&feature=youtu.be
But unfortunately this also went duplicate :(
After many duplicates, I never gave up.
It was New Year; everyone was celebrating, but I was still finding bugs.
Facebook introduced Lookout, which was just a 5-minute video reviewing the whole year.
They introduced a third-party site (facebookstories.com) to share other stories and reviews, so I started hunting :D
10) XSS in facebookstories.com (1/1/14)
Reproduction instructions / proof of concept: first I connected my FB account with facebookstories.com
and clicked on "Share Your Story":
http://www.facebookstories.com/stories/new
In the upload section, I uploaded a photo with the name "><img src=x onerror=prompt(1)>.jpg,
and I got the XSS popup :)
This was a self-XSS, but by God's grace it gave me a grand success.
After 3 months, i.e. on March 14, 2014, the bounty was approved and they rewarded me $500.
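What happened on the upload page is an ordinary output-encoding failure: the file name was written into HTML unescaped, so the leading "> closed the attribute and tag it sat in and the <img onerror=...> that followed became markup. The code below is an added example, not facebookstories.com's; the template string, the function names and the sanitizer's character set are assumptions. It shows the vulnerable rendering beside two independent fixes, with the payload from the post. (As the comments below note, Linux accepts ", < and > in a file name while Windows does not, which is why the payload is easiest to build on Linux.)

```python
# Added example, not facebookstories.com's code: how a file name such as
# "><img src=x onerror=prompt(1)>.jpg becomes script execution when an
# upload widget writes it into HTML unescaped, and two independent fixes.
# The template string and the sanitizer's character set are assumptions.
import html
import re

PAYLOAD = '"><img src=x onerror=prompt(1)>.jpg'   # file name from the post


def render_vulnerable(filename: str) -> str:
    """Interpolates the raw name into an attribute: the first '"' closes the
    value, '>' closes the tag, and the <img> that follows is now markup."""
    return f'<input type="text" name="caption" value="{filename}">'


def render_fixed(filename: str) -> str:
    """Contextual output encoding: html.escape with quote=True also turns '"'
    into &quot;, so the value cannot break out of the attribute."""
    return f'<input type="text" name="caption" value="{html.escape(filename, quote=True)}">'


_UNSAFE = re.compile(r"[^A-Za-z0-9._-]+")


def sanitize_filename(filename: str, max_len: int = 100) -> str:
    """Defence in depth at upload time: keep only the base name, collapse every
    run of characters outside a conservative set to '_', and never return an
    empty or dot-only name.  Do this in addition to escaping on output, not
    instead of it: the same name may be rendered in other contexts later."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    cleaned = _UNSAFE.sub("_", base).strip("._")
    return (cleaned or "upload")[:max_len]


def contains_markup(rendered: str) -> bool:
    """Crude oracle for the demo: did the file name produce a second element?"""
    return rendered.count("<") > 1


if __name__ == "__main__":
    print(render_vulnerable(PAYLOAD))
    print(render_fixed(PAYLOAD))
    print(sanitize_filename(PAYLOAD))
```

The self-XSS caveat from the write-up is exactly the question a triager asks: if only the uploader ever sees their own file name rendered, impact is limited; if the same name is shown to other users (a gallery, a moderation queue, an admin panel), the same bug is stored XSS against them.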
That's it, security breached.
It took 7 months for me to get into the Facebook Hall of Fame :)
Comments:

:3 congo :3

KadaK! :D

Thank you guys @Sandeep @Sallok :)

^_^ .. awesome

Thanks :)

(y) congo buddy :P

Thanks :)

Bro, I have a question please: how did you upload a photo with this name: "><img src=x onerror=prompt(1)> !!!
It's impossible to put these characters ( / \ " > < ... ) in a photo name :o

Try it in Linux :)

You can do that in Linux OS, as Windows blocks it.

Awesome bro :) Great findings :)

Wise thought, good luck :)

Seriously, now whenever I think of giving up I will remember this post and start working again :D