Skip to main content

Delete any Photo from Facebook by Exploiting Support Dashboard

By
Hi,
I would like to share one of Critical Bug in facebook which leads to delete any photo from facebook without user interaction. At first,Facebook Team Could not able to recognize this bug.So I have sent them Video Proof of Concept & I have clearly Explained this bug with the help of demo accounts.So Facebook team has recognized my bug after sending Video POC.Interesting Part is,In that Video I have Exploited Mark Zuckerberg's Photo from his Photo Album & I did not remove his photo.Now it has been fixed fully & Facebook has rewarded me 12,500$(US Dollars) for finding this Critical Bug.In 2013,This is second time I am going to receive bounty from facebook.Already Facebook has approved my 3 Open Redirectors which is eligible to get bounty of 1500$. 

Dismissal Response:

 
Bug Approval:

 
Bounty Details:

 

Before going into Bug Explanation, Just think a second about this ???
How do you feel if anybody removed your photos from your facebook Profile which is having more likes & comments?

How do you feel if anybody removed important photos which you have tagged & Shared?

How do you feel if anybody removed your Suggested Posts?

Bug Details:
[#] Title:  Delete any Photo from Facebook by Exploiting Support Dashboard.
[#] Worth: 12,500$ (US Dollars)
[#] Status: Fixed
[#] Severity : Very High
[#] Works on: Any Browser with any Version
[#] Author: Arul Kumar.V
[#] Email: vulnerable2arul@gmail.com

Description:
The Support Dashboard is a portal designed to help you track the progress of the reports you make to Facebook. From your Support Dashboard, you can see if your report has been reviewed by Facebook employees who assess reports 24 hours a day, seven days a week.

Mainly this Flaw exists on Mobile domain.In Support Dashboard,If any reported photo was not removed by facebook team,user has the other option to send Photo Removal Request to owner via messages.If users sends a claim message,Facebook Server Will automatically generate Photo removal Link & it will send to the Owner.If Owner clicks that link,Photo will be removed.

This flaw exists while sending message.I can manually modify Photo_id & Owners Profile_idso that I can able to receive any photo removal link to my inbox.It would be done without any user’s Interaction.And also Facebook will not notify owner if his photo was removed.

Impact of this Bug:
1)      We can remove any photo from verified real users & Pages such as
     Mark Zuckerberg,Eminem,Rihanna and so on.

2)      We can remove any Shared & Tagged photos.

3)      We can remove any User’s photo from his Status & Photo album.

4)      We can remove any photo from a Page,Group and so on.

5)      We can remove Photo from Suggested Post & also from Comments.

Requirements:
These are the things that we need to exploit this bug:

1)       We need two Facebook accounts to delete anyones Photo Permanently.
One account will act as "Sender" to send claim message.Another account will act as"Receiver" who receives Photo removal Link from sender.

2)      Before deleting a Photo,We should gathert photo_id (fbid) which we need to remove and also profile_id of receiver to receive Photo Removal message.

How this Exploit Works:




Steps to Reproduce:

1)      As I told before,You should have use two real accounts to exploit this.
Consider one as "sender" & another as "Receiver".Make sure both are logged in at same time.

2)      For every photo there is having "fbid" Value.Click a photo at anywhere in facebook such as status updates,pages,groups,etc.Then look at the URL, You can able to find Photo_id value & copy it (i.e) Just copy down numerical "fbid=" Value.

3)       After that we should gather "Profile_id" Value of receiver profile.You are using two facebook accounts. Choose one profile as receiver to receive Photo Removal Link.
By Using this http://graph.facebook.com/  you can find "profile_id" of receiver. Just copy down Numerical profile id of receiver profile. 

4)      So we have gathered two values:
         a)Photo_id  (Target Photo to remove without user’s interaction)
         b)Profile_id  (To receive Photo Removal Request from sender)
               
Vulnerable URL & Parameters: 

https://m.facebook.com/report/social/?phase=0&next_phase=8&pp={"first_dialog_phase": 8,"support_dashboard_item_id":396746693760717,"next":"\/settings\/support\/details\/?fbid=396746693760717","actions_to_take":"{\"send_message\":\"send_message\"}"}&content_type=2&cid=PHOTO_ID&rid=PROFILE_ID

Look at the URL You can able to find "cid" & "rid" Parameters at end.These are vulnerable parameters from which we can able to send Photo Removal Link of any photo to my receivers inbox by modifying value of "photo_id" & "profile_id". 

where,
    cid=  Photo_id (Just include your target photo’s Id value as "cid" input )
    rid=  Profile_id (You need to include receiver’s Profile ID as "rid" input )

After Including those values ,Press enter.Then If you click "Continue" Button Facebook will automatically send photo Removal Link to your Receiver Profile.From your Receiver Profile,You can able to remove photo which you have added in that Vulnerable Parameter.Now this Bug has been Fixed fully.

Video POC:
Kindly Watch this Video in HD  for Best  Quality.





Screenshots:




 

 

 

 

 

 

 

Now this Bug has Been Fixed Fully :) Here is the Screenshot :)



Labels:

Comments

Post a Comment

Popular posts from this blog

How to Hack a Website in Four Easy Steps

By AS
Every wondered how Anonymous and other hacktivists manage to steal the data or crash the servers of websites belonging to some of the world biggest organisations? Thanks to freely available online tools, hacking is no long the  preserve of geeks , so we've decided to show you how easy it is to do, in just four easy steps. Step 1: Identify your target While  Anonymous  and other online hacktivists may choose their targets in order to protest against perceived wrong-doing, for a beginner wanting to get the taste of success with their first hack, the best thing to do is to identify a any website which has a vulnerability. Recently a hacker posted a list of 5,000 websites online which were vulnerable to attack. How did he/she identify these websites? Well, the key to creating a list of websites which are likely to be more open to attack, is to carry out a search for what is called a Google Dork. Google Dorking , also known as Google Hacking, enables you find sen
82 comments
Read more

How to Hack Facebook Password in 5 Ways

By AS
Check out the following post from  fonelovetz blog  on facebook account hacking. This is one of the most popular questions which I'm asked via my email.And today I'm going to solve this problem one it for all.Even though i have already written a few ways of hacking a facebook password.Looks like i got to tidy up the the stuff here.The first thing i want to tell is.You can not hack or crack a facebook password by a click of a button.That's totally impossible and if you find such tools on the internet then please don't waste your time by looking at them! They are all fake.Ok now let me tell you how to hack a facebook account. I'll be telling you 5 of the basic ways in which a beginner hacker would hack.They are: 1.Social Engineering 2.Keylogging 3.Reverting Password / Password Recovery Through Primary Email 4.Facebook Phishing Page/ Softwares 5.Stealers/RATS/Trojans I'll explain each of these one by one in brief.If you want to know more about them just
13 comments
Read more

How to Hack Someone's Cell Phone to Steal Their Pictures

By AS
Do you ever wonder how all these celebrities continue to have their private photos spread all over the internet? While celebrities' phones and computers are forever vulnerable to attacks, the common folk must also be wary. No matter how careful you think you were went you sent those "candid" photos to your ex, with a little effort and access to public information, your pictures can be snagged, too. Here's how. Cloud Storage Apple's iCloud service provides a hassle free way to store and transfer photos and other media across multiple devices. While the commercial exemplifies the G-rated community of iPhone users, there are a bunch of non-soccer moms that use their iPhones in a more..."free spirited" mindset. With Photo Stream enabled (requires OS X Lion or later, iOS 5 or later), pictures taken on your iPhone go to directly to your computer and/or tablet, all while being stored in the cloud. If you think the cloud is safe, just ask Gizmodo
1 comment
Read more

How to Hack Samsung Phone Screen Lock

By AS
I have discovered  another  security flaw in Samsung Android phones. It is possible to completely disable the lock screen and get access to any app - even when the phone is "securely" locked with a pattern, PIN, password, or face detection. Unlike another recently released flaw, this doesn't rely quite so heavily on ultra-precise timing. Video . Of course, if you are unable to download a screen unlocker, this security vulnerability still allows you to  dial any phone number and run any app ! HOWTO From the lock screen, hit the emergency call button. Dial a non-existent emergency services number - e.g. 0. Press the green dial icon. Dismiss the error message. Press the phone's back button. The app's screen will be briefly displayed. This is just about long enough to interact with the app. Using this, you can run and interact with any app / widget / settings menu. You can also use this to launch the dialler. From there, you can dial any phone
1 comment
Read more