Hacking Any Facebook Accounts using REST API

Stephen Sclafani , a Security Researcher, has discovered a critical security vulnerability in the Social Networking giant Facebook that allowed him to hack any facebook accounts.

Stephen just need your user ID, he can hack into your account and read private messages, view email addresses, create or delete notes, on top of that he can update status and upload photos and tag you friends,  on behalf you. 

"A misconfigured endpoint allowed legacy REST API calls to be made on behalf of any Facebook user using only their user ID" Stephen explained in his blog.

The Facebook REST API is said to be predecessor of Facebook’s current Graph API.  He managed to send request to server using this API such that it will update status on behalf of victim.


Stephen found this bug in April 23 and reported to Facebook.  After getting notification, Facebook permanently fixed the bug on April 30th. Facebook awarded $20,000 bounty to him for finding and reporting this bug.

Researcher gets $33,500 for Remote Code Execution Vulnerability in Facebook


Here comes a critical bug discovered in Facebook and biggest bounty ever paid by Facebook for reporting vulnerability in their website.

Reginaldo Silva, A Brazilian Hacker, has discovered a highly critical Remote Code Execution(RCE) vulnerability in the Facebook which could allowed attackers to read any files from the server.  It could also allowed attackers to run malicious code in the server.

In September 2012, he first discovered XML External Entity Expansion bug in the Drupal that handled OpenID.  OpenID is an open technology that allows users to authenticate to websites without having to create a new password.

He found similar bug affecting the Google's App Engine and Blogger.  However, it is not critical as he wasn't able to access the arbitrary file or open network connections, he received $500 reward from Google.

He found out plenty of other websites implementing OpenID are vulnerable to RCE. 

Recently, Silva learned that "facebook forgot password" page is also using OpenID provider to verify the identity of the user.  He managed to discover the XXE bug in Facebook that allowed him to read the "etc/passwd" file from the server.

"Since I didn't want to cause the wrong impressions, I decided I would report the bug right away, ask for permission to try to escalate it to a RCE and then work on it while it was being fixed." Silva wrote in his blog.

He thought it will take time to fix the bug.  However, the facebook security team responded quickly and fixed issue within 3.5 hours.

"I decided to tell the security team what I'd do to escalate my access and trust them to be honest when they tested to see if the attack I had in my mind worked or not. I'm glad I did that. After a few back and forth emails, the security team confirmed that my attack was sound and that I had indeed found a RCE affecting their servers." silva said.

He has been rewarded with a bounty of $33,500.

Arul Kumar discovered Open URL Redirection Bugs in facebook worth $1500

Arul Kumar, a bug hunter from TamilNadu,India who recently got $12,500 as bounty from Facebook, has today shared how he managed to identify multiple open url redirection vulnerabilities in Facebook.

He identified three open url redirection vulnerabilities in the facebook's dialogs, it could be exploitable to all users who are signed into facebook.

At first, facebook team rejected his finding because it needs some user interaction- users should click ok button in order to redirect the target website.

 

However, Arul managed to bypass it and redirect to the target website without user interaction. The facebook team accepted the vulnerability after bypassing the user interaction and offered $1500 bounty.

The list of vulnerable URL:
  • https://m.facebook.com/dialog/send?next=htp://google.com&error_ok=arul 
  • https://m.facebook.com/dialog/pagetab?next=htp://google.com&error_ok=arul 
  • https://m.facebook.com/dialog/apprequests?next=htp://google.com  &error_ok=arul

Facebook vulnerability allowed hackers to record video of user and post in his wall


A Cross Site Request Forgery(CSRF) vulnerability in Facebook allowed hackers to record video of target users and post in the victim's wall. The vulnerability was discovered by security researchers Aditya Gupta and Subho Halder, from XYSEC Team .

A malicious hacker could record trick a user to silently record his webcam video and publish it to his facebook wall, without the user even knowing about it.

In a youtube video, researcher demonstrate how an attacker could exploit this vulnerability in a Youtube video.

Four months after researcher notified facebook about the security flaw, facebook finally emailed them that their finding is eligible to receive a bug bounty of $2500, that will come as a Facebook WhiteHat Debit Card.

PoC: