Binit Ghimire

Published On: 02 May 2020

$750

Adding anyone including non-friend and blocked people as co-host in personal event!

IDOR
Facebook | Web
Inclusion in the 2019 Thanks page
MEDIUM VALID

This IDOR vulnerability in the Facebook Events platform allowed an attacker to add anyone as a co-host of their personal event, including non-friends, non-friends-of-friends and people who had blocked the attacker, because the server accepted whatever profile ID the client submitted in the co-host parameter.

Description

When you create an event from your personal profile on Facebook, Facebook asks you to select friends to add as co-hosts for the event. The co-host picker is the only control: it offers friends, but the profile ID it submits is not re-checked server-side. To reproduce the vulnerability, select a friend as co-host and, while the request is being submitted to Facebook, replace that friend's profile ID with the profile ID of someone who is neither your friend nor a friend of a friend (i.e. a non-friend-of-friend or a blocked person).

Impact

By exploiting this vulnerability, an attacker could add anyone, including non-friends-of-friends and blocked people (people the attacker has blocked and people who have blocked the attacker), as a co-host of their personal event on Facebook. As noted in the timeline, the victim was unable to reject the request to be added as co-host.

Reproduction Steps

Step 1

Log in to User A's account on the web version of Facebook, and then visit https://www.facebook.com/events/

Step 2

Click "Create Event" and choose either a private or a public event.

Step 3

Select User A in the Event Host drop-down list (the drop-down only appears if User A manages Pages; otherwise User A is the only host and is selected by default).

Step 4

Fill in the remaining fields in any way you like, and in the Co-hosts field type "User B" and select User B.

Step 5

Before clicking the "Create" button, start intercepting requests in Burp Suite, OWASP ZAP or a similar proxy.

Step 6

Click the "Create" button, and keep forwarding requests until you see one that looks like this:

POST /ajax/create/event/submit/?title=[EventName]&description=[Description]&location=...&location_id=....&location_latlong[latitude]=...&location_latlong[longitude]=...&cover_focus[x]=0.5&cover_focus[y]=0.5&only_admins_can_post=true&post_approval_required=false&co_hosts[0]=1008&start_date=11%2F25%2F2019&start_time=7200&end_date=11%2F25%2F2019&end_time=18000&timezone=........ HTTP/1.1

Here, 1008 is the User ID of User B.

Step 7

Replace the value of the co_hosts[0] parameter with the User ID of the non-friend, User C (31337), and forward the request. The event is created.

Step 8

Click "1 co-host pending" and you will see that User C has been added as a pending co-host of the event.

Step 9

Now log in to User C's account: a notification reads "User A made you a host of his/her event [EventName]."

Exceptional Case

If User C has blocked User A, the same steps still work. In that case User C cannot see the event (because User A is blocked), but User A still sees User C in the pending co-host list.
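The Description above frames the flaw as a missing server-side check on the co_hosts parameter, and the Exceptional Case shows that a block in either direction is not enforced either. The following is an added example, not code from the write-up or from Facebook: it models the request tampering of Steps 6 and 7 over a constructed request line, then contrasts a handler that trusts the submitted IDs with one that re-derives authorisation from the host's friend list and block lists. The SocialGraph model, the function names and the shortened request line are assumptions made for illustration; only the three User IDs (1337, 1008, 31337) come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlsplit

# Constructed test accounts, using the User IDs the write-up assigns to them.
HOST_A, FRIEND_B, STRANGER_C = 1337, 1008, 31337


@dataclass
class SocialGraph:
    """Minimal model (assumption) of the relationships a co-host check must consult."""
    friends: dict[int, set[int]] = field(default_factory=dict)
    blocks: dict[int, set[int]] = field(default_factory=dict)  # blocker -> blocked

    def befriend(self, a: int, b: int) -> None:
        self.friends.setdefault(a, set()).add(b)
        self.friends.setdefault(b, set()).add(a)

    def block(self, blocker: int, blocked: int) -> None:
        self.blocks.setdefault(blocker, set()).add(blocked)

    def are_friends(self, a: int, b: int) -> bool:
        return b in self.friends.get(a, set())

    def blocked_either_way(self, a: int, b: int) -> bool:
        # A block in either direction must stop the host from reaching the victim.
        return b in self.blocks.get(a, set()) or a in self.blocks.get(b, set())


def build_test_graph() -> SocialGraph:
    """A and B are friends; C is a stranger to both and has blocked A (the Exceptional Case)."""
    g = SocialGraph()
    g.befriend(HOST_A, FRIEND_B)
    g.block(STRANGER_C, HOST_A)
    return g


def co_hosts_from_request(request_line: str) -> list[int]:
    """Extract every co_hosts[N] value from an intercepted request line like the one in Step 6."""
    _method, target, _version = request_line.split(" ", 2)
    query = parse_qs(urlsplit(target).query)
    ids: list[int] = []
    for key, values in query.items():
        if key.startswith("co_hosts["):
            ids.extend(int(v) for v in values)
    return ids


def tamper_co_host(request_line: str, old_id: int, new_id: int) -> str:
    """Step 7: swap the friend's ID for the victim's ID before forwarding the request."""
    return request_line.replace(f"co_hosts[0]={old_id}", f"co_hosts[0]={new_id}", 1)


def create_event_vulnerable(graph: SocialGraph, host: int, co_hosts: list[int]) -> dict:
    """The IDOR: the picker only offers friends, but the server trusts whatever IDs arrive."""
    return {"host": host, "pending_co_hosts": list(co_hosts), "rejected": []}


def create_event_fixed(graph: SocialGraph, host: int, co_hosts: list[int]) -> dict:
    """Hardened handler: re-derive the authorisation server-side for every submitted ID."""
    accepted, rejected = [], []
    for uid in co_hosts:
        if uid == host or not graph.are_friends(host, uid) or graph.blocked_either_way(host, uid):
            rejected.append(uid)
        else:
            accepted.append(uid)
    return {"host": host, "pending_co_hosts": accepted, "rejected": rejected}


if __name__ == "__main__":
    # Constructed request line, shortened from the one captured in Step 6.
    captured = ("POST /ajax/create/event/submit/?title=Test&co_hosts[0]=1008"
                "&start_date=11%2F25%2F2019&timezone=UTC HTTP/1.1")
    forwarded = tamper_co_host(captured, FRIEND_B, STRANGER_C)
    graph = build_test_graph()
    ids = co_hosts_from_request(forwarded)
    print("vulnerable:", create_event_vulnerable(graph, HOST_A, ids))
    print("fixed:     ", create_event_fixed(graph, HOST_A, ids))
```

The fixed handler deliberately checks friendship and blocks independently: a friend who later blocks the host is still rejected, which is the case the Facebook Security Team asked about on 14 Dec 2019 in the timeline.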

SETUP

Requirements:

1. A PC with a web browser.
2. An Internet connection, and no geographical restriction on the usage of Facebook.
3. Three Facebook accounts: User A, User B and User C.
   User A = event host; User ID 1337.
   User B = User A's friend, who has no role but is needed when selecting a co-host for the event so that the request can be intercepted; User ID 1008.
   User C = a person totally unknown to both User A and User B, and not friends with either of them; User ID 31337.

Timeline

Binit, 25 Nov 2019: Submitted the vulnerability report. On this date, I submitted the vulnerability report to Facebook.

Facebook, 28 Nov 2019: Response from Facebook. Someone from the Facebook Security Team requested a little more information, mentioning that he/she received an error while trying to reproduc ...

Binit, 28 Nov 2019: My response. I responded with the requested information and a Proof-of-Concept (PoC) video for the reproduction of the vulnerability.

Facebook, 04 Dec 2019: Response from Facebook. Someone from the Facebook Security Team requested that I provide the test account User IDs and their credentials used for the reproduction of the ...

Binit, 04 Dec 2019: My response. I responded with the requested information.

Facebook, 07 Dec 2019: Response from Facebook. Someone from the Facebook Security Team requested more information regarding the vulnerability report.

Binit, 07 Dec 2019: My response. I provided the requested information as a response to the report.

Facebook, 10 Dec 2019: Response from Facebook. Someone from the Facebook Security Team responded with the exact error he/she received in the HTTP response of the modified request while tr ...

Binit, 11 Dec 2019: My response. I responded confirming that the vulnerability was still reproducible on my side, and provided a new Proof-of-Concept (PoC) video sho ...

Facebook, 14 Dec 2019: Response from Facebook. Someone from the Facebook Security Team asked me whether the victim was able to remove themselves as co-host or not from ...

Binit, 14 Dec 2019: My response. I responded saying that the victim was unable to reject the request to be added as co-host, and would be automatically visible to the public ...

Facebook, 18 Dec 2019: Response from Facebook [REPRODUCED]. Someone from the Facebook Security Team responded saying that the information I provided in the last response would be helpful for the team ...

Binit, 18 Dec 2019: My response. I responded mentioning that I would be looking forward to answering further queries from the Facebook Security Team.

Facebook, 18 Dec 2019: Response from Facebook [TRIAGED]. Someone from the Facebook Security Team responded with the information that they were sending the vulnerability report to the product team fo ...

Binit, 18 Dec 2019: My response. I responded saying that I would be looking forward to seeing what the product team had to say regarding the vulnerability report.

Binit, 08 Jan 2020: My response. I asked the team to let me know if there was anything new regarding the vulnerability report.

Facebook, 10 Jan 2020: Response from Facebook. Someone from the Facebook Security Team responded mentioning that they would notify me as soon as a change took place regarding the vulnera ...

Binit, 10 Jan 2020: My response. I responded mentioning that I would be looking forward to being notified about any changes that would take place regarding the vulnerability ...

Facebook, 21 Jan 2020: Response from Facebook [PATCHED]. Someone from the Facebook Security Team responded mentioning that they had looked into the issue and believed that the vulnerability had bee ...

Facebook, 24 Jan 2020: Response from Facebook [REWARDED]. The Facebook Security Team responded regarding the decision to award me a bounty of $750, and also gave a short description of the vuln ...

Binit, 24 Jan 2020: My response. I responded with a very long message, starting with my thanks to the Facebook Security Team, then sharing my happiness at being ...

Facebook, 28 Jan 2020: Response from Facebook. Someone from the Facebook Security Team responded appreciating my response and kind words, and left a message regarding the name to be inclu ...

Binit, 28 Jan 2020: My response. I responded twice with a little more information regarding the name to be included in the Thanks page.

Facebook, 06 Feb 2020: Response from Facebook. Someone from the Facebook Security Team responded stating that he/she had updated their hall of fame page as per my request.

Binit, 06 Feb 2020: My response. I responded stating that I could see my name included in the Thanks page of 2019.
