Hi Folks, Long time no see, it’s Seif Elsallamy, Remember me ? if not 🙁 you may go through my previous blogs Stored XSS in the heart of the Russian email provider giant (Mail.ru) , Rolling around and Bypassing Facebook’s Linkshim protection on iOS
Today I’m gonna show you a race condition bug which i recently fall in love with those kind of vulnerabilities especially in when it comes to Facebook also i want to mention that this bug is super simple to understand It’s not complicated, the only complicated part is how to test and finding it.
First thing first, What is Race condition ?
So a race condition is a flaw that produces an unexpected result when the timing of actions impact other actions. An example may be seen on a multithreaded application where actions are being performed on the same data. Race conditions, by their very nature, are difficult to test for.
As example we got a coupon code or a voucher that gonna give us $10 for shopping online. we enters this code multiple times very fast (before the coupon code expires in the server side) so instead of getting $10 we may get $20 or $30 maybe $100 depends on the server.
So I think the main reason for me to love this vulnerability is the unexpected results that may occurs.
I think that developers doesn’t consider Race Conditioning while building most of the applications, It’s really unexpected behavior/vulnerability.
Enough the Blah Blah Blah, show me some action… 😀
The Fuzz…The Bug..The Action…
On Facebook by creating a group conversations didn’t consider the race condition to occur results unexpected behaviour that may put some Facebook users at a risk which is “the ability to spy on a group conversations”
So by creating a group conversation invite some users to it choose one of the users that you invited speedily remove and re-add this user to the conversation multiple times (kind of a typical test for exploiting race condition bugs) this user will be invisible BUT can read write remove users and add also there is no “seen” sign after the user looks for chat inside the conversation.
So let’s imagine an attack scenario (in the era of the spies). Want a bed story? prepare your doll:
-We got 4 innocent users let’s choose a random names for them
Symbian, Ali, Hiram and Mahmoud
-So yesterday Symbian , Ali and Mahmoud were hanging out together.
-Symbian was whispering Ali then they both laughed very hard and Mahmoud was really upset and he keeps asking Symbian about what they laughed for but every time Mahmoud asking they both laugh again.
-So at night everyone drive to his home Mahmoud called Hiram complains about the thing that Symbian and Ali were laughing for.
-So Hiram told Mahmoud about a bug on Facebook to spy on group conversations and he told Mahmoud that he gonna add him to a group conversation with Symbian and Ali to spy on their chat.
-So Hiram opens up the computer added Symbian and Ali to a group conversation and then Added Mahmoud and Removed him speedily multiple times till he became invisible.
-Then Hiram sent “sorry I got some error on Facebook I’ll be back later” and left the conversation.
-Now Symbian and Ali are the only ones in this conversation
and Mahmoud is with them but he is invisible so he can spy on their chat to know what were they both laughing for.
– Then Symbian “typing…” and Mahmoud is really excited while he was watching the indicator of “typing…” then Symbian said “good night :D” and left the conversation then Ali left it too.
-Sorry Mahmoud hehe :D!
So this is the time that you allll weee waiting forrrrr!
The PoC Video!
The bug was responsibly reported to Facebook by @Seekurity team and we got a really satisfying reward, Thanks for Facebook team for keeping us safe.
Thank You too for reading this!!
A minute if you please!
Building a website, an application or any kind of business? Or already have one? Worried about your security? Think twice before going public and let us protect your business!