Sunday, September 01, 2013

Delete any Photo from Facebook by Exploiting Support Dashboard

Hi,
I would like to share one of Critical Bug in facebook which leads to delete any photo from facebook without user interaction. At first,Facebook Team Could not able to recognize this bug.So I have sent them Video Proof of Concept & I have clearly Explained this bug with the help of demo accounts.So Facebook team has recognized my bug after sending Video POC.Interesting Part is,In that Video I have Exploited Mark Zuckerberg's Photo from his Photo Album & I did not remove his photo.Now it has been fixed fully & Facebook has rewarded me 12,500$(US Dollars) for finding this Critical Bug.In 2013,This is second time I am going to receive bounty from facebook.Already Facebook has approved my 3 Open Redirectors which is eligible to get bounty of 1500$. 

Dismissal Response:

 
Bug Approval:

 
Bounty Details:

 

Before going into Bug Explanation, Just think a second about this ???
How do you feel if anybody removed your photos from your facebook Profile which is having more likes & comments?

How do you feel if anybody removed important photos which you have tagged & Shared?

How do you feel if anybody removed your Suggested Posts?

Bug Details:
[#] Title:  Delete any Photo from Facebook by Exploiting Support Dashboard.
[#] Worth: 12,500$ (US Dollars)
[#] Status: Fixed
[#] Severity : Very High
[#] Works on: Any Browser with any Version
[#] Author: Arul Kumar.V
[#] Email: vulnerable2arul@gmail.com

Description:
The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week.

Mainly this Flaw exists on Mobile domain.In Support Dashboard,If any reported photo was not removed by facebook team,user has the other option to send Photo Removal Request to owner via messages.If users sends a claim message,Facebook Server Will automatically generate Photo removal Link & it will send to the Owner.If Owner clicks that link,Photo will be removed.

This flaw exists while sending message.I can manually modify Photo_id & Owners Profile_idso that I can able to receive any photo removal link to my inbox.It would be done without any user’s Interaction.And also Facebook will not notify owner if his photo was removed.

Impact of this Bug:
1)      We can remove any photo from verified real users & Pages such as
     Mark Zuckerberg,Eminem,Rihanna and so on.

2)      We can remove any Shared & Tagged photos.

3)      We can remove any User’s photo from his Status & Photo album.

4)      We can remove any photo from a Page,Group and so on.

5)      We can remove Photo from Suggested Post & also from Comments.

Requirements:
These are the things that we need to exploit this bug:

1)       We need two Facebook accounts to delete anyones Photo Permanently.
One account will act as "Sender" to send claim message.Another account will act as"Receiver" who receives Photo removal Link from sender.

2)      Before deleting a Photo,We should gathert photo_id (fbid) which we need to remove and also profile_id of receiver to receive Photo Removal message.

How this Exploit Works:




Steps to Reproduce:

1)      As I told before,You should have use two real accounts to exploit this.
Consider one as "sender" & another as "Receiver".Make sure both are logged in at same time.

2)      For every photo there is having "fbid" Value.Click a photo at anywhere in facebook such as status updates,pages,groups,etc.Then look at the URL, You can able to find Photo_id value & copy it (i.e) Just copy down numerical "fbid=" Value.

3)       After that we should gather "Profile_id" Value of receiver profile.You are using two facebook accounts. Choose one profile as receiver to receive Photo Removal Link.
By Using this http://graph.facebook.com/  you can find "profile_id" of receiver. Just copy down Numerical profile id of receiver profile. 

4)      So we have gathered two values:
         a)Photo_id  (Target Photo to remove without user’s interaction)
         b)Profile_id  (To receive Photo Removal Request from sender)
               
Vulnerable URL & Parameters: 

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL You can able to find "cid" & "rid" Parameters at end.These are vulnerable parameters from which we can able to send Photo Removal Link of any photo to my receivers inbox by modifying value of "photo_id" & "profile_id". 

where,
    cid=  Photo_id (Just include your target photo’s Id value as "cid" input )
    rid=  Profile_id (You need to include receiver’s Profile ID as "rid" input )

After Including those values ,Press enter.Then If you click "Continue" Button Facebook will automatically send photo Removal Link to your Receiver Profile.From your Receiver Profile,You can able to remove photo which you have added in that Vulnerable Parameter.Now this Bug has been Fixed fully.

Video POC:
Kindly Watch this Video in HD  for Best  Quality.





Screenshots:




 

 

 

 

 

 

 

Now this Bug has Been Fixed Fully :) Here is the Screenshot :)



No comments:

Post a Comment

Note: Only a member of this blog may post a comment.