Tuesday 23 July 2013

How I found my way into Instagram's Ganglia, and a bug with Facebook likes.

Hello,

I have recently taken part in Facebook Whitehat reward program, and here are some of my findings:

Access to Instagram's Ganglia:


The original report of this one is too short, so I will post how I got there.
I have read this old post from Facebook Bug Bounty official page:
Great! I'll just run some nmap scans and find something...
2 hours later....
Nothing.

After some sub-domain bruteforcing, I have found there is a Ganglia here: ganglia.instagram.com
Unfortunately, it is protected by basic HTTP auth.
At this point, I did not know what to do, and then it came to me: let me search the all-mighty Shodan for "Instagram.com".
On the second page:
Visit the IP address, and you get Instagram's Ganglia. 
There was also a reflected XSS on http://23.21.36.116/autorotation.php?view_name=<script>alert(2)</script>

This was reported on 22.4.2013, fixed "5 minutes later" according to Facebook security team, but I believe it was fixed between 23-28 April (I did not really check it).
Please, DO NOT test the IP; it is not Facebook's IP anymore. 


Facebook likes bug:


This bug is connected with Facebook likes and how Facebook managed them.
Visibility of likes is connected to visibility of objects (so, if objects is "Friends Only", likes are "Friends only" et cetera), and I have found a way to bypass that - that is, to get likes of the object.

So, whenever your friends like some object, you can check who liked it on following URL:

https://www.facebook.com/browse/likes?id=[[ID of object]].

Example for my profile picture:
Facebook did not check who was making this request, so anyone could view likes of an object. After my first report, Facebook team replied, saying "this is unexpected case, but they will look into it".
This was somewhere at end of December 2012.

Great! I should wait for the fix and payment.

Somewhere in June came the reply saying Facebook's security engineer would dig into this more. 

So I replied with better PoC, maybe they take it. 

Hi,

While likes may be public, this is really the easiest way to get list of at
least some friends of a certain profile.
For example, [[some profile]] has a totally closed profile.
[[Some profile]] does not allow public to see list of friends; you can check that here:
https://www.facebook.com/[[some profile]]/friends
Now, I go to [[some profile]]'s profile and get list of people who liked that
profile picture:
https://www.facebook.com/browse/likes?id=[[hidden]]
There is currently xx likes there, and they are friends.
Is there any way to get list of at least some friends, despite [[Some profile]]'s profile being pretty locked? I am pretty sure no APIs allow that without authorization.

The bug was fixed on 11.7.2013.

Engineers from Facebook told me it took that long to fix it because it was not a trivial change to make. I cannot believe how complicated some parts of Facebook are. 

I included this bug to show how even if bug is an "edge case" or "not an issue" first time, you can always try answering with a better PoC.

Also, I wanted to show what Facebook takes for "bugs" under privacy - so if you though some "design flaw" you found some time ago is not worth any reward, try reporting it. You might get surprised :)

Payments for these two bugs were quite much more than I expected. 

I have found more bugs, mostly in Facebook acquisitions or other Facebook websites. I will post few more bugs later during summer. 

Giant thanks to Facebook Security team for their efforts and generous rewards!
Also, thanks to Shodan for being a great tool!

2 comments:

  1. I've reported the first POC as well, before December 2012. Didn't got accepted. Sadly I did not tried to exploit in your way. Great find!

    ReplyDelete
    Replies
    1. Hmm... How did you prove them it is a vulnerability then?

      Also, thanks :)

      Delete

Note: only a member of this blog may post a comment.