Facebook Vulnerability – a “Cute Bug” that reveals the “likes” of deleted posts regardless of their privacy settings

Hi Folks,
My name is Mohamed Abdel Aty, an Egyptian web developer and bug hunter. Today I would like to share with you a “cute” bug I found while doing some bug hunting on Facebook.

Testing different sub-domains is a common procedure in bug hunting. While looking through the domain “mbasic.facebook.com” I noticed this link:

https://mbasic.facebook.com/{POST_ID}/likes/?&cancel_uri=https://mbasic.facebook.com

This link is used to show the likes (not reactions) of a given post on Facebook. I was curious about it and decided to dig a little deeper.

After some tests changing {POST_ID} to various values, I noticed I could see the likes of some posts that I was not supposed to see. For example, if you change {POST_ID} to 1 you get this result:


Knowing that Facebook post IDs are created in sequence and incremented (as are profile IDs), I came to the conclusion that what we see here is most likely the people who liked the first post ever made on Facebook. I was curious whether this post's privacy was set to public, so I tried to access it by entering the post ID in the URL:

http://www.facebook.com/1

This returned no results, so I was sure I was viewing the “likes” of something whose privacy settings prevented me from seeing it.

Trying to reproduce this by creating a post with limited privacy settings and checking whether I could see who liked it was not successful. However, I noticed that requesting the likes of a limited-privacy post from another account returns “no results found.” instead of the empty page I had seen before for non-existing post IDs.


I then had the idea that this difference could be used by anyone to determine whether a certain post was deleted or had its privacy set to a limited audience.

To test this theory I created a post and set its privacy to “only me”, then opened the link above with this post ID from another test user and got “no results found.” I then returned to the first account, deleted the post, and checked again from the other account, expecting an empty result instead of “no results found.” But I was surprised to see this:


I was able to clearly see who liked the deleted post. I reproduced this a couple of times with success, then reported it to Facebook. Their reply was that it has a time limitation and that it is not possible to target a specific post with this. I tested the bug again and found that the time it takes Facebook to stop showing the likes of a deleted post is around 10-15 minutes. This time frame means that if you know the post ID you can just set up a server that visits the link every 10 minutes to check whether the post was deleted and log the likes. That is about 150 requests per day, so you could even use a free cloud host for this. So an attack scenario could look like this:


[*] The Attack Scenario:

1- A user publishes a public post.

2- An attacker obtains the post ID and monitors the post.

3- The user decides to change the post's privacy to a limited group of users, who begin interacting with the post, which includes “liking” it.

4- The attacker checks the post ID using the link and, from the reply (as mentioned, a deleted post returns a different response from a private post), discovers that the post is private and not deleted.

5- The attacker sets up a server that constantly checks the post's likes using the link. After some time the user decides to delete the post, so the attacker is able to identify the users who interacted with the post while its privacy was set to a limited audience.
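The two weaknesses this scenario relies on, a reply that distinguishes a private post from a deleted one and a like list that stays readable for a while after deletion, can be modelled side by side with the fix. This is an added example, not Facebook's code: the Post class, the handlers and the sample data are constructed, and modelling the 10-15 minute delay as a cached like list with a TTL is an assumption.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed model of a like-list endpoint; not Facebook's code. `audience`
# is None for a public post, otherwise the set of user ids allowed to view it.
@dataclass
class Post:
    owner: str
    likes: List[str]
    audience: Optional[Set[str]] = None
    deleted_at: Optional[float] = None


def can_view(post: Post, viewer: str) -> bool:
    return post.audience is None or viewer == post.owner or viewer in post.audience


def likes_leaky(posts: Dict[int, Post], post_id: int, viewer: str,
                now: float, ttl: float = 900.0) -> str:
    """Behaviour the write-up describes. The delay is modelled (assumption) as
    a cached like list that is only dropped `ttl` seconds after deletion."""
    post = posts.get(post_id)
    if post is None:
        return ""                          # unknown id: empty page
    if post.deleted_at is not None:
        if now - post.deleted_at < ttl:
            return ", ".join(post.likes)   # stale copy, readable by anyone
        return ""
    if not can_view(post, viewer):
        return "no results found."         # distinct reply: post exists and is private
    return ", ".join(post.likes)


def likes_hardened(posts: Dict[int, Post], post_id: int, viewer: str, now: float) -> str:
    """Every non-viewable case gets the same reply, and deletion is checked on
    every request instead of being left to cache expiry."""
    post = posts.get(post_id)
    if post is None or post.deleted_at is not None or not can_view(post, viewer):
        return "no results found."
    return ", ".join(post.likes)


def probe(handler, posts: Dict[int, Post], viewer: str, now: float) -> Dict[str, str]:
    """Replies a non-owner gets for each post state, so the handlers can be compared."""
    return {state: handler(posts, pid, viewer, now)
            for state, pid in (("missing", 99), ("private", 1), ("deleted", 2))}


def sample_posts(now: float) -> Dict[int, Post]:
    """Constructed sample data: one private post and one deleted a minute ago."""
    return {1: Post("alice", ["bob", "carol"], audience={"bob", "carol"}),
            2: Post("alice", ["dave"], audience={"dave"}, deleted_at=now - 60)}
```

With the leaky handler an outsider gets three different replies for the three states and still reads the deleted post's likes; the hardened handler answers all three identically while still serving the like list to an authorised viewer.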


[*] PoC Video: 

This attack scenario was also sent to the Facebook security team, but they insisted it was not a security issue, and it was not fixed as of the time this was posted.


Then I asked for their permission to disclose the bug; they said that since it was not a security issue it would be OK.


 

Thanks for reading, till the next adventure!

  • Anonymar

    cool story bro 🙂

  • Hidalgo Perez Francesco{{8*9}}

    Hi sir, how much did FB reward you? $5k? Thanks!