Hey guys,
This is my another finding on facebook that got fixed within 7days of initial report.
I came across the bug when I requested a Copy Of my Facebook Data(DYI).
Extracted Copy of My Facebook Data.Then I navigated to photo section and found out that it was showing UPLOAD IP ADDRESS.So,where's the bug?
Actually the bug was in "SHARED ALBUM".
When a user upload photo in the shared album the UPLOAD IP ADDRESS is disclosed along with the photo.
So,How did I turned this bug to get other users IP address?Well it's too easy! :)
Steps to reproduce:
1:Create a Shared Photo Album.
2:Add the victim.
3:Let the victim upload a photo in Shared Photo Album.
4;Once the victim uploaded photo in Shared Photo Album request for A Copy Of Your Facebook Data.
5:Once your Copy of Facebook Data is prepared Download it and Extract and Navigate to your Shared Photo Album .
Now you'll see victim's IP Address along with his uploaded photo. :)
This bug also could've lead to phone number leakage.How?
Read this one by Inti De Ceukelaire
Timeline:
Monday, May 1, 2017 at 1:04am----Initial Report Sent.
Saturday, May 6, 2017 at 3:33am---Aaron informed me they'll insvestigate the issue.
Sunday, May 7, 2017 at 4:31am---Aaron informed me The Bug is Fixed.
Wednesday, May 17, 2017 at 5:41am:Bounty $1000 Awarded :)
This is my another finding on facebook that got fixed within 7days of initial report.
I came across the bug when I requested a Copy Of my Facebook Data(DYI).
Extracted Copy of My Facebook Data.Then I navigated to photo section and found out that it was showing UPLOAD IP ADDRESS.So,where's the bug?
Actually the bug was in "SHARED ALBUM".
When a user upload photo in the shared album the UPLOAD IP ADDRESS is disclosed along with the photo.
So,How did I turned this bug to get other users IP address?Well it's too easy! :)
Steps to reproduce:
1:Create a Shared Photo Album.
2:Add the victim.
3:Let the victim upload a photo in Shared Photo Album.
4;Once the victim uploaded photo in Shared Photo Album request for A Copy Of Your Facebook Data.
5:Once your Copy of Facebook Data is prepared Download it and Extract and Navigate to your Shared Photo Album .
Now you'll see victim's IP Address along with his uploaded photo. :)
This bug also could've lead to phone number leakage.How?
Read this one by Inti De Ceukelaire
Timeline:
Monday, May 1, 2017 at 1:04am----Initial Report Sent.
Saturday, May 6, 2017 at 3:33am---Aaron informed me they'll insvestigate the issue.
Sunday, May 7, 2017 at 4:31am---Aaron informed me The Bug is Fixed.
Wednesday, May 17, 2017 at 5:41am:Bounty $1000 Awarded :)
1500$
ReplyDeleteGot $1000 :) Thank you :)
DeleteNICE CATCH VAI
ReplyDeleteThis comment has been removed by the author.
ReplyDelete