Sarmad Hassan

Published On: 03 Jul 2019

Break saved option for other users in Facebook - From N/A to valid bug

Other
Facebook | Web
---
LOW VALID

In 2018 I found an issue in "Saved option" where I was able to break my saved item option, and because it only affected myself I didn't submit it to the Facebook Sec. team because it would be an N/A; it is something like finding a "Self XSS". In 2019 I found a way to make it a valid bug using another option inside "Saved option". This option is called "Collection"; for more details about "Saved option" and "Collection" see https://www.facebook.com/help/503872743411567?helpref=related

Description

In a collection you can add your friends as "Contributors", so breaking your saved option will also break their saved option, because they have permission on your broken collection too. When you see this bug you may consider it a "DoS" bug, but the best explanation for this kind of behavior was given by Philippe Harewood (PHWD), and I am quoting: "the bug limits usability of certain users based on unhandled input (leading to errors in the app making it unresponsive)".

Impact

A malicious user could prevent users from seeing their saved items on https://www.facebook.com/saved/




Reproduction Steps

Step 1

(Attacker) will browse to his saved items on https://www.facebook.com/saved/, then will create a new collection by going to ===> New Collection Option ===> type any name ===> Create.

Step 2

(Attacker) will add his friend (Victim) to his collection by going to https://www.facebook.com/saved/ ===> Then he selects the Collection Name that he created ===> Add Contributors ===> Type (victim) name.

Step 3

(Attacker) will go to any random post and click on the 3 dots option ===> Save Post ===> See saved items ===> this will redirect him to https://www.facebook.com/saved/ ===> On the post that he saved, he will click on the "Add to a Collection" button ===> Then he intercepts the request with Burp Suite ===> Then he selects the collection name that he created before.

Step 4

(Attacker) will see a POST request like below:

POST /save/list/mutate/ HTTP/1.1
Host: www.facebook.com

action=SAVE_IN_EXISTING_LIST&mechanism=add_to_list_button&surface=save_dashboard&list_id=111111&object_id=22222&__user= ......etc

 

Where list_id= refers to the collection that the attacker created

and object_id= refers to the post that he saved



(Attacker) will copy the value of "list_id=" and paste it into the "object_id" value, so both of them will have the same value, like below:

list_id=111111&object_id=111111

 

Then he forwards the request to the server and gets a 200 OK response, as below:

HTTP/1.1 200 OK
for (;;);{"__ar":1,"payload":null,"bootloadable":{},"ixData":{},"bxData":{},"gkxData":{},"qexData":{},"lid":"6685395404800457799"}

Step 5

Now when the (victim) browses to his saved items on https://www.facebook.com/saved/ he will not be able to see his saved items anymore; he will see only the message below:

"Sorry, something went wrong. We're working on getting this fixed as soon as we can"
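The defensive side of the behavior above, as an added example that is not from the original report and is not Facebook's code: a mutation handler that rejects an object_id naming a collection, and a dashboard renderer that skips a bad stored item instead of failing for every contributor. The data model, function names and the set of saveable types are assumptions; the report does not describe the actual root cause or fix.

```python
# Added illustration: hypothetical in-memory model, not Facebook's code.
SAVEABLE_TYPES = {"post", "link", "video"}  # assumed set of saveable kinds

class RejectedMutation(ValueError):
    """Raised when a save request fails server-side validation."""

def save_in_existing_list(objects, lists, actor, list_id, object_id):
    """Validate a SAVE_IN_EXISTING_LIST-style mutation before storing it."""
    coll = lists.get(list_id)
    if coll is None:
        raise RejectedMutation("unknown list_id")
    if actor != coll["owner"] and actor not in coll["contributors"]:
        raise RejectedMutation("actor may not modify this collection")
    if object_id == list_id or object_id in lists:
        raise RejectedMutation("object_id refers to a collection")
    obj = objects.get(object_id)
    if obj is None or obj["type"] not in SAVEABLE_TYPES:
        raise RejectedMutation("object_id is not a saveable object")
    coll["items"].append(object_id)
    return coll["items"]

def render_saved(objects, lists, user):
    """Render a user's dashboard; a bad item is skipped, not fatal."""
    rendered, skipped = [], []
    for list_id, coll in lists.items():
        if user != coll["owner"] and user not in coll["contributors"]:
            continue
        for object_id in coll["items"]:
            obj = objects.get(object_id)
            if obj is None or obj["type"] not in SAVEABLE_TYPES:
                skipped.append((list_id, object_id))  # record for cleanup
                continue
            rendered.append((list_id, obj["title"]))
    return rendered, skipped

def demo():
    # Constructed sample data reusing the placeholder ids from the write-up.
    objects = {"22222": {"type": "post", "title": "A saved post"}}
    lists = {"111111": {"owner": "attacker", "contributors": {"victim"},
                        "items": []}}
    save_in_existing_list(objects, lists, "attacker", "111111", "22222")
    rejected = False
    try:
        save_in_existing_list(objects, lists, "attacker", "111111", "111111")
    except RejectedMutation:
        rejected = True
    # Simulate a bad row that was stored before the check existed.
    lists["111111"]["items"].append("111111")
    return rejected, render_saved(objects, lists, "victim")
```

The two checks are independent on purpose: input validation stops new bad rows, while the tolerant renderer keeps contributors' dashboards usable if a bad row already exists.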

Takeaways:

* If you find an N/A bug, don't report it, just keep it; maybe one day you will find a way to make it a valid one, just like I did ;)



Timeline

* Sarmad, 01 May 2019: Initial Report
* Facebook, 03 May 2019: Report Triaged
* Facebook, 24 Jun 2019: Fixed By Facebook
* Sarmad, 24 Jun 2019: Fixed Confirmed
* Facebook, 02 Jul 2019: Bounty awarded

VALID