Business Logic Vulnerabilities Series: A Story of a 4-Year-Old (and Counting) Facebook Security Bug!

Hi guys,
I am Ali Kabeel, an Application Security Intern at the Seekurity team. This is the second part of the "A brief on Abusing Invitation Systems" blog post. In this post I will focus on how I was able, by following the tips and tricks in the previous post, to bypass Facebook's fixes for 4 consecutive years. In case you are not familiar with the concepts, take a sneak peek at the previous post before continuing with this one ;).

Let's continue from where we left off at Bug #3 here. Following the last bypass, I started digging again, hoping to bypass the fix or find a new way to abuse the feature.

Bug #4:

Last year Facebook released a new tool that lets admins clean a group of any unwanted invites, named the "Delete all pending invites" feature. I decided to test it, and after 8 hours of digging, Boooom, the bug was found. It was simply this: when you remove a member of the group and then use "Delete all pending invites", the invites sent by that member are not removed if the invite had already been loaded in the browser, using the same trick as in the previous 3 bugs.

To sum up the steps of reproducing:

1. The member sends an invite to a dummy account.

2. The dummy account loads the invite.

3. The admin removes the member and uses the "Delete all pending invites" feature.

4. The invites are not deleted and can't even be seen by the admin. The attacker can simply enter the group again.

Timeline:

Sep 27/2017: Bug reported.

Oct 3/2017: Duplicate.

Oct 6/2017: Not a duplicate 😀 (proof sent to Fb that I reported the root cause of this bug in 2015 and it was rejected).

Nov 7/2017: Fixed, with bounty and Hall of Fame 2017 😉

PoC Video of this bug is here:

Bug #5:

Later, in Dec 2017, following the fix of Bug #4, I decided to dig again: same feature, different mentality. I found out that Bug #4 was only partially fixed. The invites are now visible to admins if the person used the trick from the previous bugs (loading the invite link from the email), but although the invitation is visible, it can't be handled at all. That is, the admin can see the invite but can't remove it, even by blocking the person :(. So it's another booom: I found that the bug was not fully fixed, reported it, and it got rejected xD. Yes, you read that right, it got rejected by nearly half of Facebook security and the case was closed. Following this, on 3 Feb 2018 I decided to re-submit the bug with a refined PoC and got a duplicate xD.

After clarifying the mess in this bug, the FB security team accepted it, but only as a 2017 submission, and tried to fix it again. Apparently the bug is now fixed and admins can see and remove all invites in any state.

Timeline:

12 Dec 2017: Bug submitted.

12 Jan 2018: Bug closed, with Fb saying “Security is not previewed through my view but their view”.

3 Feb 2018: Bug resubmitted.

19 Feb 2018: Bug triaged.

22 May 2018: Bug fixed and bounty.

PoC Video of this bug is here:

Bug #6 (Final Round, “who knows”):

Convinced that I could replicate the bug again, and following Bug #5, I came up with a simple trick to bypass all the fixes and make the bug work exactly as it did the first time back in 2015: block the person who invited you. YES, it is that simple. Once you block the person who invited you, your invitation can't be handled by admins and BOOOOM, I can join the group again anytime and nobody can prevent that from happening.

That ended up getting me listed in 2018's Facebook Hall of Fame.
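To make the pattern behind Bug #4 and Bug #6 concrete, here is an added toy model of a group invitation system. It is constructed for this write-up and is not Facebook's code; the class names, the invite states (pending, viewed, accepted, revoked) and the method names are all assumptions. The buggy variant reproduces the symptoms described above: an invite that was loaded from the emailed link drops out of the "pending" set, so it is neither listed nor cleaned up, and revoking it depends on the inviter still being a member and not being blocked by the invitee. The hardened variant treats invite authority as derived from the inviter's membership, revokes every live invite regardless of its state, and re-validates the inviter at acceptance time.

```python
# Constructed toy model of a group invitation system (not Facebook code; every name is assumed).
from dataclasses import dataclass, field
from types import SimpleNamespace

PENDING, VIEWED, ACCEPTED, REVOKED = "pending", "viewed", "accepted", "revoked"
LIVE = (PENDING, VIEWED)  # states in which an invite can still be accepted


@dataclass
class Group:  # shared plumbing; subclasses supply SHOWN, _invite_usable and the revocation logic
    admins: set
    members: set = field(default_factory=set)
    invites: dict = field(default_factory=dict)
    blocks: dict = field(default_factory=dict)  # user -> set of users they blocked

    def send_invite(self, inviter, invitee):
        inv = SimpleNamespace(id=len(self.invites), inviter=inviter, invitee=invitee, state=PENDING)
        self.invites[inv.id] = inv
        return inv.id

    def load_invite(self, invite_id):  # the emailed-link trick from the post
        if self.invites[invite_id].state == PENDING:
            self.invites[invite_id].state = VIEWED

    def accept_invite(self, invite_id):
        inv = self.invites[invite_id]
        if self._invite_usable(inv):
            inv.state = ACCEPTED
            self.members.add(inv.invitee)
        return inv.state == ACCEPTED

    def admin_visible_invites(self):  # what the admin's pending list shows
        return [i.id for i in self.invites.values() if i.state in self.SHOWN]


class BuggyGroup(Group):  # the behaviour the post describes
    SHOWN = (PENDING,)  # a VIEWED invite is no longer listed

    def _invite_usable(self, inv):
        return inv.state in LIVE  # the inviter is never re-checked

    def remove_member(self, user):
        self.members.discard(user)  # invites issued by the user are left alone

    def delete_all_pending_invites(self):
        for inv in self.invites.values():
            if inv.state == PENDING:  # VIEWED invites survive
                inv.state = REVOKED

    def admin_revoke_invite(self, invite_id):
        inv = self.invites[invite_id]
        # Revocation rides on the inviter/invitee relationship, so it fails once that is gone.
        if inv.inviter not in self.members or inv.inviter in self.blocks.get(inv.invitee, ()):
            return False
        inv.state = REVOKED
        return True


class HardenedGroup(Group):  # invite authority derives from membership
    SHOWN = LIVE

    def _invite_usable(self, inv):  # re-checked at acceptance time
        return inv.state in LIVE and inv.inviter in self.members | self.admins

    def remove_member(self, user):
        self.members.discard(user)
        self._revoke(lambda i: i.inviter == user)  # revocation cascades from membership

    def delete_all_pending_invites(self):
        self._revoke(lambda i: True)  # every live invite, whatever its state

    def admin_revoke_invite(self, invite_id):
        self._revoke(lambda i: i.id == invite_id)  # admin authority is unconditional
        return True

    def _revoke(self, pred):
        for inv in self.invites.values():
            if inv.state in LIVE and pred(inv):
                inv.state = REVOKED


def scenario_bug4(group_cls):
    """Bug #4 steps. Returns (admin could see the loaded invite, invitee joined anyway)."""
    g = group_cls(admins={"admin"}, members={"member"})
    inv = g.send_invite("member", "dummy")
    g.load_invite(inv)
    visible = inv in g.admin_visible_invites()
    g.remove_member("member")
    g.delete_all_pending_invites()
    return visible, g.accept_invite(inv)


def scenario_bug6(group_cls):
    """Bug #6: invitee blocks the inviter. Returns (admin revoke worked, invitee joined anyway)."""
    g = group_cls(admins={"admin"}, members={"member"})
    inv = g.send_invite("member", "dummy")
    g.load_invite(inv)
    g.blocks["dummy"] = {"member"}
    return g.admin_revoke_invite(inv), g.accept_invite(inv)
```

Running both scenarios against each class returns a pair (admin could see or revoke the invite, invitee still joined): the buggy model gives (False, True) for both bugs, the hardened one (True, False). The point for anyone building such a feature is that the revocation path must not depend on a relationship the invitee controls (such as blocking the inviter), and anything issued under a member's authority should be invalidated when that membership ends, whatever intermediate state the invite is in.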

Timeline:

25 May 2018: Bug reported.

20 May 2018: Bug triaged.

22 July 2018: Fixed and bounty (Fb Hall of Fame 2018).

PoC Video of this bug is here:


What to conclude from all of these bypasses:

1. The most important point: however secure a feature may seem, it can be bypassed.

2. Facebook, Google and all the other big names in the bug bounty field make mistakes, so if you are right and have a solid, well-grounded bug, NEVER back off.

3. Always retest your previous bugs and read all available write-ups.

Thanks for reading!
