Hi,
I would like to share a logical bug in Facebook groups. The bug I found was very simple to exploit, but it had a great impact.
[#] Title: Logical bug on Facebook group.
[#] Worth: $2000 USD
[#] Status: Fixed
[#] Severity : I don’t know :p
[#] Author: Manjesh S
[#] Twitter: @Manjesh24
Description:
If you are the admin of a group you can remove users, add users, edit/delete posts, etc. If you make an attacker an admin, he gets the same admin rights. The problem is that, because of this bug, you cannot remove the attacker from the group.
Now there are two cases:
- The attacker is just a user.
- The attacker also has admin rights.
If the attacker is just a user, he can post anything in the group and the admin cannot remove him.
If the attacker also has admin rights, he can do whatever he wants in the group; the admin cannot remove him from the group and also cannot remove his admin rights, which means the attacker keeps admin rights forever and no one can revoke them :)
The great thing is that it was not fixed on the Facebook mobile sites (m.facebook.com, touch.facebook.com, etc.) or in the official Facebook mobile apps. :)
Impact of this bug:
- The attacker in a group can see all the posts SECRETLY.
- If the attacker has admin rights, he can EDIT or DELETE ANY post without the admin knowing.
- If the attacker has admin rights, he can REMOVE users from the group without the admin knowing.
- Even if the admin discovers the attacker, he/she cannot remove the attacker from the group or revoke his admin rights on the mobile site and mobile apps.
- The attacker can invite more members, preserve the content in that group, or shut down the group if it's no longer needed.
- No extra/great knowledge is required: simple to hack :p
etc..
Requirements:
* We need to know who the admin of the group is. That’s it!!
* Not a must, but useful: admin rights
Steps to Reproduce:
- Block the admin of the group :D
- That’s all!!
So assume that you are the admin of a group and you gave admin rights to User-A. What happens when User-A blocks you is that you cannot remove User-A from the group or revoke the admin rights, because User-A is no longer listed in the members list.
Now User-A will be in the group forever with admin rights, and you will never be able to remove User-A. The worst thing is that if you go to the group members list, User-A won't be listed, so naturally you think User-A has left the group, but secretly User-A can still do everything in the group without you knowing :D :D
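To make the logic flaw concrete, here is an added example (it is not Facebook's code and not part of the original post): a hypothetical group model in Python in which the member list is rendered through the viewer's block relationships, and the admin's "remove member" action resolves its target against that filtered view instead of against the real membership. The user names, the symmetric block model and the `remove_member_*`, `delete_post` and `ghost_admins` helpers are all assumptions for illustration. The fixed variant separates display filtering from moderation, and the audit helper lists admins that the viewer cannot see, which is the check a group owner would want after an incident like this.

```python
"""Model of the 'block the admin' logic flaw from the post.

Hypothetical simulation, not Facebook's code: a group keeps a full member
list, but the admin UI renders it through the viewer's block relationships.
If the removal action is driven off that filtered view, a member who blocks
the admin becomes unreachable while keeping every privilege he already had.
"""
from dataclasses import dataclass, field


@dataclass
class Group:
    name: str
    members: set = field(default_factory=set)
    admins: set = field(default_factory=set)
    posts: list = field(default_factory=list)  # (author, text) pairs


class BlockList:
    """Symmetric block relationships; an assumed model of user blocking."""

    def __init__(self):
        self._pairs = set()  # (blocker, blocked)

    def block(self, blocker, blocked):
        self._pairs.add((blocker, blocked))

    def hidden_between(self, a, b):
        return (a, b) in self._pairs or (b, a) in self._pairs


def visible_members(group, viewer, blocks):
    """What the member list shows to `viewer`: anyone in a block relationship with the viewer is filtered out."""
    return {m for m in group.members if not blocks.hidden_between(viewer, m)}


def remove_member_vulnerable(group, actor, target, blocks):
    """Flawed removal: the authorisation check is right, but the target is resolved through the filtered view."""
    if actor not in group.admins:
        raise PermissionError(f"{actor} is not an admin")
    if target not in visible_members(group, actor, blocks):  # BUG: display filter applied to a moderation action
        raise LookupError(f"{target} is not in the member list")
    group.members.discard(target)
    group.admins.discard(target)


def remove_member_fixed(group, actor, target, blocks):
    """Hardened removal: moderation resolves the target against full membership; blocks only affect display."""
    if actor not in group.admins:
        raise PermissionError(f"{actor} is not an admin")
    if target not in group.members:
        raise LookupError(f"{target} is not in the member list")
    group.members.discard(target)
    group.admins.discard(target)


def delete_post(group, actor, index):
    """Admin-only deletion. It never consults the block list, so a hidden admin can still use it."""
    if actor not in group.admins:
        raise PermissionError(f"{actor} is not an admin")
    return group.posts.pop(index)


def ghost_admins(group, viewer, blocks):
    """Audit check: admins that `viewer` cannot see in the rendered member list."""
    return group.admins - visible_members(group, viewer, blocks)


def reproduce():
    """Walk the scenario from the post with constructed users: admin 'owner', attacker 'user_a'."""
    g = Group("demo", members={"owner", "user_a", "bob"}, admins={"owner", "user_a"},
              posts=[("bob", "hello"), ("owner", "rules")])
    blocks = BlockList()
    blocks.block("user_a", "owner")  # the whole attack: the attacker blocks the admin

    # The admin no longer sees user_a in the member list...
    assert "user_a" not in visible_members(g, "owner", blocks)
    # ...so the view-driven removal fails...
    try:
        remove_member_vulnerable(g, "owner", "user_a", blocks)
        stuck = False
    except LookupError:
        stuck = True
    # ...while the hidden admin keeps acting on the group.
    delete_post(g, "user_a", 1)
    ghosts = ghost_admins(g, "owner", blocks)
    # The fixed path removes the attacker regardless of the block.
    remove_member_fixed(g, "owner", "user_a", blocks)
    return {"stuck": stuck, "ghosts": ghosts,
            "posts_left": len(g.posts), "user_a_remains": "user_a" in g.members}


if __name__ == "__main__":
    print(reproduce())
```

The design point is that privacy filtering belongs to the rendering layer; any administrative action must resolve its subject against the authoritative membership record, and the same record should drive a periodic "hidden admins" audit so a member list that looks clean cannot conceal a privileged account.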
But the bug was initially rejected :(
I didn’t expect this type of reply from fb.
They agreed that the bug is either a privacy or a security issue, but both kinds of issue qualify for the bug bounty program.
The strange thing is they were not asking for proof of the bug; instead they needed proof that I am eligible for the bug bounty program. :o
Mistakes I made:
- I didn’t send them more impacts, as I was in a hurry to report (after many duplicates I thought I had to report it quickly).
- I didn’t report that the bug also existed in the official Facebook mobile apps.
So this time I sent more proof, but I don’t think this proof was needed as the bug is self-explanatory. I googled and found many impacts which I could add to my bug, and suddenly I found a great blog where a security researcher had found the exact same bug as mine ;)
Wow!!! That’s what I was looking for..
It was almost exactly the same bug as mine, and he got $5000 for it.
I was sure that I wouldn’t get $5000, as the bug I reported was already fixed on the Facebook PC site, but I was sure that I was eligible for the bug bounty.
Oops, after adding these things I sent them a mail asking “Why am I not eligible for the bug bounty program?“
Then I got this reply from fb:
And finally got a positive reply after 1 month:
Suggestion:
If you also got the same reply and your bug was rejected by Facebook, then first of all find out why your bug was rejected, work on it and find more possible impacts that make it eligible under all the conditions listed on https://www.facebook.com/whitehat/
All the best :)
Feel free to comment here about this :)
Super!! Great find..