Overwriting/Removing Cover Photos on Facebook Event Pages

This blog post is about an Insecure Direct Object Reference vulnerability in Facebook Events which an attacker could have remove/overwrite your Event Cover Photo just by replacing his Event id with yours in Event editing request.

Vulnerability Description

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. 

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. Reference: OWASP

Steps to Reproduce

1. Create an Event, right click edit and inspect element

2. Change the event_id's values to victim's Event id so attacker can request to edit victim's Event

3. To Overwrite, upload new photo then save

4. To Remove, click the "x" then save

Attacker successfully removed the cover photo without victim's knowledge 

as well as overwrite the cover photo 

FIX

Now, you can only overwrite/remove your own cover.

Disclosure Timeline

Jan 11, 2016 - Report Sent

Jan 13, 2016 - Escalation by Facebook

Jan 14, 2016 - Patched by Facebook

Jan 20, 2016 - Bounty Awarded by Facebook

Google Mail Hacking - Stored XSS in GMail for iOS

Hi! Just want to share my finding, I have found Stored XSS Vulnerability in GMail for iOS. With no user interaction, enjoy ;-)

GMail for iOS contained an XSS vulnerability in its “Mail Attachment” feature. This bug was reported to Google Security Team, fixed immediately.

About

Title: Stored XSS in GMail for iOS
Business Risk: High
Discovery Date: October 8, 2013
Payload: <img src=x onerror=alert(0)>
Author: Roy Castillo (me)

Steps to Reproduce

1. Login to Google Analytics

2. Create an account and name it <img src=x onerror=alert(0)>

3. Go to Reporting -> Real Time -> Overview -> Email

4. Send an email to the victim GMail address.

5. Open your GMail for iOS
6. Open the received email.
7. XSSED

Stored XSS in GMail for iOS

The filename of the attachment was not escaped correctly and I was able to get the Stored XSS triggered. By using the generated report from Google Analytics I could inject script code that was executed on mail.google.com. The XSS is stored just simply reopen the mail anytime you want.

Google Security Team was pretty fast to address this issue and resolved this the next day itself. Google Security team awarded this bug with $5000.

Achievement unlocked: $5000 reward for XSS at google.com ;)

Thank you Google Security Team!

Disclosure Timeline

October 8, 2013 at 6:14 AM (GMT +08:00): Vulnerability Discovered

October 8, 2013 at 2:59 PM (GMT +08:00): Initial Report

October 8, 2013 at 2:59 PM (GMT +08:00): Autorespose from Security bot

October 9, 2013 at 12:17 AM (GMT +08:00): First response from Security Team

October 9, 2013 at 7:45 AM (GMT +08:00): Bounty Rewarded.

October 10, 2013: Vulnerability Fixed
October 12, 2013: Full Disclosure Published

Best,

Roy Castillo

How I Exposed your Primary Facebook Email Address (Bug worth $4500)

Hi, For this post, I’ll be talking about how I disclose the Private Primary Email Address of any Facebook Account. With no user interaction. Enjoy.


This bug was reported to Facebook Security Team, fixed immediately

Last month, I've found a vulnerability in Facebook Developer Application Roles Page which allowed me to disclose the primary Facebook email address even if the victim set the email address privacy to "Only Me"

Steps to Reproduce

1. Grab profile links of all facebook users from Facebook People Directory i.e http://www.facebook.com/directory/people/
2. Collect Numerical Facebook ID for each Profile from facebook Graph API i.e http://graph.facebook.com/sdfsdfsdafd.sdfdsafsdfds where extracted user ID is 100006240120652
3. Block victim Facebook Account
4. Create Facebook Application -> Go to Settings -> Developer Roles 
5. Final payload for this vulnerability looks like this:

https://developers.facebook.com/apps/APPLICATION_ID/roles?unverified_groups[1][0]=VICTIM_UID

Nevertheless, you can obtain multiple email address by adding more parameters


https://developers.facebook.com/apps/APPLICATION_ID/roles
?unverified_groups[1][0]=VICTIM_UID1
&unverified_groups[2][0]=VICTIM_UID2
&unverified_groups[3][0]=VICTIM_UID3
&unverified_groups[4][0]=VICTIM_UID4
&unverified_groups[5][0]=VICTIM_UID5
&unverified_groups[6][0]=VICTIM_UID6
&unverified_groups[7][0]=VICTIM_UID7
&unverified_groups[8][0]=VICTIM_UID8
&unverified_groups[9][0]=VICTIM_UID9
&unverified_groups[10][0]=VICTIM_UID10

and so forth...

Dumping Like a Boss ;)

Just reported this issue and one hour later Facebook Security Team responded my initial report

LoL! ;)

At exactly 8:26AM the vulnerability was finally fixed

Final fix: 5 hours after initial report


Facebook was pretty fast to address this issue and resolved this within hours. Facebook Security team awarded this bug with $4500.

Facebook WhiteHat Card, baby!

I appreciate the opportunity to preserve my skills and gain some more experience. Thank you Facebook security team.



Protip: Focus on your target, think creative, use your imagination, don't spend your time on attacks like reflected XSS etc. try to find something special ;)


Disclosure Timeline

June 25th, 2013 at 1:22AM (GMT +08:00): Vulnerability Discovered
June 28th, 2013 at 2:43AM (GMT +08:00): Initial Report
June 28th, 2013 at 2:44AM (GMT +08:00): Autorespose from Security bot
June 28th, 2013 at 3:41AM (GMT +08:00): First response from Security Team
June 28th, 2013 at 8:26AM (GMT +08:00): Vulnerability Fixed
July 6th, 2013 at 1:40AM (GMT +08:00): Confirmation of Rory that the vulnerability had been fixed
July 19th, 2013 at 1:08AM (GMT +08:00): Bounty awarded
July 21st, 2013 at 12:00NN (GMT +08:00): Full Disclosure Published


Save The Planet!