Monday, February 8, 2016

Overwriting/Removing Cover Photos on Facebook Event Pages

This blog post is about an Insecure Direct Object Reference vulnerability in Facebook Events which an attacker could have remove/overwrite your Event Cover Photo just by replacing his Event id with yours in Event editing request.

Vulnerability Description

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files. 
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. Reference: OWASP

Steps to Reproduce

1. Create an Event, right click edit and inspect element

2. Change the event_id's values to victim's Event id so attacker can request to edit victim's Event

3. To Overwrite, upload new photo then save
4. To Remove, click the "x" then save

Attacker successfully removed the cover photo without victim's knowledge 

as well as overwrite the cover photo 


Now, you can only overwrite/remove your own cover.

Disclosure Timeline

Jan 11, 2016 - Report Sent
Jan 13, 2016 - Escalation by Facebook
Jan 14, 2016 - Patched by Facebook
Jan 20, 2016 - Bounty Awarded by Facebook