Facebook Awarded $3500 Bug Bounty For Finding Vulnerability On Event Cover Page
Facebook Awarded $3500 Bug Bounty For Finding Vulnerability on Event Cover Page
Security researcher 'Roy Castillo' discovered the vulnerability. He told HackersOnlineClub that this Vulnerability was allowed to remove and overwrite on the Facebook event cover page. And Facebook paid $3500 bounty to find this bug.
Roy explained in his Blog,
Overwriting/Removing Cover Photos on Facebook Event Pages:
[adsense size='1']
An Insecure Direct Object Reference vulnerability in Facebook Events using which attacker could have remove/overwrite your Event Cover Photo just by replacing his Event id with yours in Event editing request.
Vulnerability Description
Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability attackers can bypass authorization and access resources in the system directly, for example database records or files.
[adsense size='3']
Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user supplied input and uses it to retrieve an object without performing sufficient authorization checks. Reference: OWASP
Steps to Reproduce
1. Create an Event, right click edit and inspect element
2. Change the event_id's values to victim's Event id so attacker can request to edit victim's Event
3. To Overwrite, upload new photo then save
4. To Remove, click the "x" then save
[adsense size='4']
Attacker successfully removed the cover photo without victim's knowledge
as well as overwrite the cover photo
Facebook Fixed this bug after reported. Now, you can only overwrite/remove your own cover.
Disclosure Timeline
[adsense size='4']
- Jan 11, 2016 - Report Sent
- Jan 13, 2016 - Escalation by Facebook
- Jan 14, 2016 - Patched by Facebook
- Jan 20, 2016 - Bounty Awarded by Facebook
Gloss