[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability

To: bugtraq@xxxxxxxxxxxxxxxxx, bugs@xxxxxxxxxxxxxxxxxxx
Subject: Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability
From: Vulnerability Lab <research@xxxxxxxxxxxxxxxxxxxxx>
Date: Tue, 9 Aug 2016 09:19:53 +0200
Document Title:
===============
Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability


References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1896


Release Date:
=============
2016-08-08


Vulnerability Laboratory ID (VL-ID):
====================================
1896


Common Vulnerability Scoring System:
====================================
3.5


Product & Service Introduction:
===============================
Facebook is a for-profit corporation and online social networking service based 
in Menlo Park, California, United States. The Facebook website was 
launched on February 4, 2004 by Mark Zuckerberg, along with fellow Harvard 
College students and roommates, Eduardo Saverin, Andrew McCollum, Dustin 
Moskovitz, and Chris Hughes. The founders had initially limited the website's 
membership to Harvard students; however, later they expanded it to 
higher education institutions in the Boston area, the Ivy League schools, and 
Stanford University. Facebook gradually added support for students 
at various other universities, and eventually to high school students as well. 
Since 2006, anyone age 13 and older has been allowed to become a 
registered user of Facebook, though variations exist in the minimum age 
requirement, depending on applicable local laws. The Facebook name comes 
from the face book directories often given to United States university 
students. After registering to use the site, users can create a user profile, 
add other users as `friends`, exchange messages, post status updates and 
photos, share videos, use various applications (apps), and receive 
notifications when others update their profiles. Additionally, users may join 
common-interest user groups organized by workplace, school, or other 
topics, and categorize their friends into lists such as `People From Work` or 
`Close Friends`. In groups, editors can pin posts to top. Additionally, 
users can complain about or block unpleasant people. Because of the large 
volume of data that users submit to the service, Facebook has come under 
scrutiny for their privacy policies. Facebook, Inc. held its initial public 
offering (IPO) in February 2012, and began selling stock to the public 
three months later, reaching an original peak market capitalization of $104 
billion. On July 13, 2015, Facebook became the fastest company in the 
Standard & Poor's 500 Index to reach a market cap of $250 billion. Facebook has 
more than 1.65 billion monthly active users as of March 31, 2016.

(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )


Abstract Advisory Information:
==============================
Two independent vulnerability laboratory researchers discovered a bypass and 
validation vulnerability in the Facebook online service web-application & 
mobile api.



Vulnerability Disclosure Timeline:
==================================
2016-04-02: Researcher Notification & Coordination (SaifAllah benMassaoud & 
Zahid Mehmood)
2016-04-03: Vendor Notification (Facebook Whitehat Security Team)
2016-04-09: Vendor Response/Feedback (Facebook Whitehat Security Team)
2016-05-20: Vendor Fix/Patch (Facebook Developer Team)
2016-05-21: Security Acknowledgements (Facebook Whitehat Security Team - 
Bounty: 1500$)
2016-08-08: Public Disclosure (Vulnerability Laboratory)


Discovery Status:
=================
Published


Affected Product(s):
====================
Facebook
Product: Mobile Web Application (API) 2016 Q2


Exploitation Technique:
=======================
Remote


Severity Level:
===============
Medium


Technical Details & Description:
================================
The bypass user id web vulnerability has been discovered in the official 
Facebook online service web-application & mobile api.

The vulnerability allows remote attackers to determine which specific Facebook 
user ID is linked with a mobile phone number 
without secure approval. The vulnerability is located in the `ctx" and 
`recover` `lwv` parameters and `/login/identify` modules.
Attackers can setup the privacy settings, who can look me up using a phone 
number? Set it to Friends Only, the attacker is able 
to bypass that security approval to preview.

The security risk of the bypass user id vulnerability is estimated as medium 
with a cvss (common vulnerability scoring system) count of 3.5. 
Exploitation of the vulnerability allows an attacker to determine which 
specific facebook user ID is linked with the mobile phone number.

Vulnerable Module(s):
                                [+] /login/identify

Vulnerable Parameter(s):
                                [+] ctx
                                [+] recover
                                [+] lwv


Proof of Concept (PoC):
=======================
The  bypass user id issue can be exploited by remote attackers to determine 
which specific Facebook user ID is linked to a mobile phone number. 
For security demonstration or to reproduce the security vulnerability follow 
the provided information and steps below to continue.


Manual steps to reproduce the vulnerability ...
1.  Open the following url with ssl
Note: https://www.facebook.com/login/identify?ctx=recover&lwv=111
2. Type phone number in the box (Email, Phone, Username or Full Name)
Note: For example, i am attacking one of my test facebook IDs, where i turn on 
my privacy settings to `Who can look you up using the phone number you 
provided?`(Friends Only). 
No one can see my profile name etc ...  Type a number in the box (The facebook 
account you're attacking only has a mobile phone number added). In my case i 
used my test id and click on `Serach`
3. Now the attacker clicks to `No Longer have access to these?`
4. Type "New Email" Confirm "New Email"
5. Now `Fill in the form` with fake information and process to `Submit`
Note: You will receive a response from facebook to your email ibox that 
confirms the issue.


Solution - Fix & Patch:
=======================
The vulnerability was addressed by the facebook developer team during the 
updates 2016-05-20.


Security Risk:
==============
The security risk of the `./login/identify` bypass user id vulnerability is 
estimated as medium. (CVSS 3.5)


Credits & Authors:
==================
SaifAllah benMassaoud & Zahid Mehmood - ( 
http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud )


Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any 
warranty. Vulnerability Lab disclaims all warranties, either expressed or 
implied, 
including the warranties of merchantability and capability for a particular 
purpose. Vulnerability-Lab or its suppliers are not liable in any case of 
damage, 
including direct, indirect, incidental, consequential loss of business profits 
or special damages, even if Vulnerability-Lab or its suppliers have been 
advised 
of the possibility of such damages. Some states do not allow the exclusion or 
limitation of liability for consequential or incidental damages so the 
foregoing 
limitation may not apply. We do not approve or encourage anybody to break any 
licenses, policies, deface websites, hack into databases or trade with stolen 
data.

Domains:    www.vulnerability-lab.com           - www.vuln-lab.com              
                                - www.evolution-sec.com
Contact:    admin@xxxxxxxxxxxxxxxxxxxxx         - 
research@xxxxxxxxxxxxxxxxxxxxx                                - 
admin@xxxxxxxxxxxxxxxxx
Section:    magazine.vulnerability-lab.com      - 
vulnerability-lab.com/contact.php                             - 
evolution-sec.com/contact
Social:     twitter.com/vuln_lab                - facebook.com/VulnerabilityLab 
                                - youtube.com/user/vulnerability0lab
Feeds:      vulnerability-lab.com/rss/rss.php   - 
vulnerability-lab.com/rss/rss_upcoming.php                    - 
vulnerability-lab.com/rss/rss_news.php
Programs:   vulnerability-lab.com/submit.php    - 
vulnerability-lab.com/list-of-bug-bounty-programs.php         - 
vulnerability-lab.com/register.php

Any modified copy or reproduction, including partially usages, of this file 
requires authorization from Vulnerability Laboratory. Permission to 
electronically 
redistribute this alert in its unmodified form is granted. All other rights, 
including the use of other media, are reserved by Vulnerability-Lab Research 
Team or 
its suppliers. All pictures, texts, advisories, source code, videos and other 
information on this website is trademark of vulnerability-lab team & the 
specific 
authors or managers. To record, list, modify, use or edit our material contact 
(admin@ or research@xxxxxxxxxxxxxxxxxxxxx) to get a ask permission.

                                    Copyright © 2016 | Vulnerability Laboratory 
- [Evolution Security GmbH]™

-- 
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
Prev by Date: AirSnort v0.2.7 Stack Corruption DOS
Next by Date: FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability
Previous by thread: AirSnort v0.2.7 Stack Corruption DOS
Next by thread: FortiVoice v5.0 - Filter Bypass & Persistent Validation Vulnerability
Index(es):
- Date
- Thread