Facebook Bug Bounty: Getting Other Users' IP Addresses

Hey guys,
This is another of my findings on Facebook; it was fixed within 7 days of the initial report.

I came across the bug when I requested a copy of my Facebook data (DYI).
I extracted the copy of my Facebook data, navigated to the photos section and found that it showed the UPLOAD IP ADDRESS of each photo. So, where's the bug?
The bug was in "SHARED ALBUM".
When a user uploads a photo to a shared album, the UPLOAD IP ADDRESS is disclosed along with the photo to whoever downloads the album in their own data copy.
So, how did I turn this bug into a way to get other users' IP addresses? Well, it's too easy! :)


Steps to reproduce:
1: Create a Shared Photo Album.
2: Add the victim.
3: Let the victim upload a photo to the Shared Photo Album.
4: Once the victim has uploaded a photo to the Shared Photo Album, request a Copy of Your Facebook Data.
5: Once your Copy of Facebook Data is prepared, download it, extract it and navigate to your Shared Photo Album.

Now you'll see the victim's IP address along with his uploaded photo. :)
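The disclosure above and one way to close it, as an added example that is not part of the original write-up and not Facebook's code: a hypothetical data-export serializer for a shared album, before and after scoping uploader metadata to the requester. The `Photo` record, the field names, the user IDs and the sample IPs are assumptions constructed for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Photo:
    photo_id: str
    uploader_id: str
    upload_ip: str  # metadata recorded at upload time (hypothetical field)

# Fields every album member may receive for every photo in a shared album.
SHARED_FIELDS = ("photo_id", "uploader_id")
# Fields that describe the uploader, not the album: owner-only.
UPLOADER_ONLY_FIELDS = ("upload_ip",)

def export_album_vulnerable(photos, requester_id):
    """Behaviour the post describes: every photo carries its upload IP."""
    return [{"photo_id": p.photo_id, "uploader_id": p.uploader_id,
             "upload_ip": p.upload_ip} for p in photos]

def export_album_hardened(photos, requester_id):
    """Include uploader-only fields only for the requester's own uploads."""
    records = []
    for p in photos:
        record = {f: getattr(p, f) for f in SHARED_FIELDS}
        if p.uploader_id == requester_id:
            record.update({f: getattr(p, f) for f in UPLOADER_ONLY_FIELDS})
        records.append(record)
    return records

def leaked_ips(export, requester_id):
    """Regression check: upload IPs in an export that belong to other users."""
    return {r["upload_ip"] for r in export
            if "upload_ip" in r and r["uploader_id"] != requester_id}

# Constructed sample album (documentation-range IPs, not real data).
ALBUM = [
    Photo("p1", "album_owner", "198.51.100.7"),
    Photo("p2", "invited_member", "203.0.113.42"),
]

if __name__ == "__main__":
    for build in (export_album_vulnerable, export_album_hardened):
        export = build(ALBUM, "album_owner")
        print(build.__name__, "leaks:", sorted(leaked_ips(export, "album_owner")))
```

A check like `leaked_ips` fits in the export pipeline's test suite so that any new per-upload field added to the export is reviewed against the requester's identity.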


This bug could also have led to phone number leakage. How?
Read this one by Inti De Ceukelaire


Timeline:

Monday, May 1, 2017 at 1:04am: Initial report sent.

Saturday, May 6, 2017 at 3:33am: Aaron informed me they'll investigate the issue.

Sunday, May 7, 2017 at 4:31am: Aaron informed me the bug is fixed.

Wednesday, May 17, 2017 at 5:41am: Bounty of $1000 awarded. :)
