Hi Folks, This is the third part of A brief on Abusing Invitation Systems blog post, In case you have missed the previous parts of this story of write-ups, it is advised to have a sneak peak at the First & Second part before you go on with this post. So before we kick off to our case study let’s get a brief about some technical terms first, I am Ali Kabeel an Application Security Intern at Seekurity and let’s dive in…
So according to the Wikipedia, hot fixes are basically a small piece of code developed to correct a major software bug or fault and released as quickly as possible.Hot fixes are always intended to systems currently running and needs to be patched asap rather than systems under development.You can read extensively about that here.
Commits and Reverts (Rollbacks)
The term Commits and Reverts is usually used to refer to changes in codes that are done at a certain point in the code and then reverted to original. Sometimes commits are intentional if for example we tried out a piece of code which turned out to be buggy, other times reverts are just disastrous, if we for example reverted the fix of a critical security bug (our case).
Background about the bug…
Basically I would call this case study the Seventh bug in the series to trigger the same bug.
Back in 2016 I discovered that using a simple trick I could bypass the fix of Bug #2 using Bug #3 , to recap I was able to simply replicate a single email invite to allow multiple users to enter the group with the same invite which is a violation of privacy specially for secret/closed groups., the technique used in Bug #3 was rediscovered exactly in 2019 as explained in the case study section below.
Case Study (Facebook patches getting auto-reverted)… who knows?!
Just like every year, Facebook Hall of Fame is a target I always hunt so in earlier this January I was hunting Facebook for Logical bugs when suddenly I remembered my group invite bug. As a reminder from Seekurity Team member “Mohamed A. Baset”, I always test back my bugs few months later to check for reverts in the code, I started by testing the original bug of groups invitations which was as simple as once you have invite,load it into as many accounts as you want and all of them are allowed to join the group.The first attempt failed as this was not possible -However-, I noticed that when I load the invite into the account there exists two invites in the “Invited section” in the group. The first invite is associated with the email and the second one is associated with account I loaded the invite into.I had a strong suspect that the old bypass of moving email between accounts using following steps will work like a charm!
So basically the scenario is shaped in the following steps:
1. Get an invite link on email email@example.com.
2. Add this email to your account and confirm it.
3. Load invite link “ONLY LOADING” do not accept it.
4. Remove email and then log out.
5. Log into another account that you own.
6. Add the email firstname.lastname@example.org.
7. Load the invite link and accept the invite (first account added).
8. Log out and go to the first account that you loaded the invite into.
9. Go to the group link.
10. You will find the banner asking you to confirm or deny the invite.
11. Press confirm
12. BOOM account 2 added
13. Steps 3 to 5 can be repeated any number of times.
I tested and just as expected the bug worked like a charm and I was able to cool down Facebook Hot-patch of the bug for the seventh time ;), Once I identified the bug i prepared a report and sent it to Facebook, It took a total of 20 days for resolution and 10 more days for the bounty according to the following timeline:
Jan 8: Bug Reported
Jan 12: Bug Triaged
Jan 28: Bug Fixed
Feb 7: Bounty awarded and Facebook Hall of Fame 2019!
You can watch the Proof of Concept Video of the bug here:
Side notes on the bug…
-As we have seen through out the Series, Rigid as Facebook may seem as a Target for bug hunters checking previous bugs may come in handy to get a bypass or if you are lucky enough detect a revert in the code.
-Always retest your bugs on regular basis as the code is changing all the time and you never know when a revert may happen.
-If you are a developer, you should always make sure the bug fixes are well documented and tested after each code change.
-Important as Hot Fixes may seem, they should be accompanied by in depth fixes to ultimately resolve an issue from the root or it will just keep popping again.
I hope you have enjoyed reading this blog post and Stay tuned for the next one about Snapchat and the Multiple End-point dilemma.
Stay safe, till the next one
A minute if you please!
Building a website, API, an application or dealing with any kind of sensitive information? Anything related to the security and Safety of your business? Or already launched one without considering security? Worried about your personal security? Think twice before going public and let us protect your business!