Monday, 13 July 2015

The easiest bug bounties I have ever won

The bugs I will write about are the simplest ones I have ever found on Facebook. The point of this post is to show that some bugs can be found just by changing a username in the URL.

Friend lists bug

The mobile website m.facebook.com has a year overview in which you can see how many friends your friend made, where they checked in, and so on. Clicking on "Made xx new friends" leads to the URL: 

https://m.facebook.com/username/year/2014/profile_lists/?factoid_type=friends_made

This will list every friend someone made in 2014. Changing the username would list that user's friends regardless of privacy settings on both accounts. This is basically an IDOR (insecure direct object reference) bug.
Here is a screenshot from my testing account:


Most tagged with bug


The second bug is almost exactly the same as the first, and using it you could find someone's most-tagged-with person. This one also worked regardless of privacy settings. The URL was:
https://m.facebook.com/username/stories/2015/most_tagged_with/
There are a few other "factoids" like these on the mobile website, but I did a couple of quick checks and none seemed to be vulnerable. Perhaps you can find something? :-)
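Both bugs come down to the same missing server-side check: the endpoint looks up whatever username appears in the URL and never compares the logged-in viewer against that user's privacy setting. The following is an added example, not code from Facebook or from the original post; the data model, audience values and function names are assumptions made for illustration. It puts a handler without the check beside one with it.

```python
# Added illustration: the data model and all names here are assumptions.
from dataclasses import dataclass, field

@dataclass
class User:
    username: str
    friends_made: dict = field(default_factory=dict)  # year -> usernames
    friends: set = field(default_factory=set)
    friend_list_audience: str = "only_me"  # "public", "friends" or "only_me"

# Constructed sample accounts
USERS = {
    "alice": User("alice", {2014: ["bob", "carol"]}, {"bob", "carol"}, "only_me"),
    "bob": User("bob", {2014: ["alice"]}, {"alice"}, "friends"),
    "mallory": User("mallory"),
}

def can_view_friend_list(viewer: str, owner: User) -> bool:
    """Apply the owner's audience setting to the logged-in viewer."""
    if viewer == owner.username:
        return True
    if owner.friend_list_audience == "public":
        return True
    if owner.friend_list_audience == "friends":
        return viewer in owner.friends
    return False

def friends_made_vulnerable(viewer: str, username: str, year: int):
    """Returns the object named in the URL; the viewer is never consulted."""
    owner = USERS.get(username)
    if owner is None:
        return 404, []
    return 200, owner.friends_made.get(year, [])

def friends_made_fixed(viewer: str, username: str, year: int):
    """Same lookup, but the viewer must pass the owner's audience check."""
    owner = USERS.get(username)
    # Identical response for "no such user" and "not allowed", so the
    # endpoint does not reveal which usernames exist.
    if owner is None or not can_view_friend_list(viewer, owner):
        return 404, []
    return 200, owner.friends_made.get(year, [])
```

The same check has to sit in front of every per-user list endpoint, since each "factoid" URL is a separate path to the same data.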

Report timeline
April 29th, 2015  - Friend list bug submitted
April 29th, 2015  - Most-tagged-with bug added to ticket
April 29th, 2015  - Neal of Facebook's security team confirms these are valid bugs
April 30th, 2015  - Friend list bug is now fixed (<16 hours after initial report)
May 7th, 2015     - Most tagged with bug fixed
May 9th, 2015     - Combined bounty of $5500 awarded

As always, a huge thanks to Facebook for running their bug bounty program, quickly fixing bugs, and for the very generous award.