Kassem Bazzoun

Published On: 05 May 2019

Spoofing identity of user tagging someone in a video

Other
Facebook | Web
---
LOW VALID
Description

Attacker is able to impersonate users identity when the attacker tag his friends or ( friends of friend s ) on the victim videos . A wrong notification reached the user tagged , where this notification is sent on behalf of the owner of the video ( Victim ) . This attack took place when the attacker use the Business Manager Token an d make the tag using the GRAPH API

Show Image

Impact

Spoofing identity of user tagging someone in a video .




Reproduction Steps

Step
1

Stephen Uploaded a video on his Timeline ( public video )

Show Image

Step
2

Kassemthe attacker tagged his friend Sarmad on Stephen Video using a business token in theGraph API Explorer

Access Token : Business Manager Token  (436761779744620 : Business Manager)

POST RequestV3.2Vide_ID/tags(Stephen Video ID102576690882894).

Parameter :tag_uid (friendID that we wants to tag himIn our test - Sarmad account ID) .

Note:  Kassem(attacker) is able to tag on Stephen (victim) Video because the Video is public and Kassem and Stephen has at least 1 mutual friend

Show Image

Step
3

A notification reached Sarmad that Stephen(Victim) tagged him although Kassem(Attacker) is the tagger ( the notification is sent from the wrong user *from the owner of the video * )

Attacker have the permission to tag his friends on Victim videos although there is no relationship between the victim(owner ofthe video ) and the attacker friends( friends tagged by the attacker ) . 

Show Image

Result

Kassem impersonate Stephen Identity where Sarmad though that Stephen who tagged him although Kassem who makes this tag

Videos

Timeline
.
Kassem 10 Feb 2019

Initial Report

.
Facebook 13 Feb 2019

Pre-triage Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

.
Facebook 18 Feb 2019

Need more information We're having a hard time reproducing the issue described in your report. Please reply with reproduction instructions (images and video would be h ... See More

.
Kassem 19 Feb 2019

Sending additional information

.
Facebook 19 Feb 2019

Not able to reproduce Please see the attached screenshots showing the business manager token and the notification that's generated. Please let me know if you have any ... See More

.
Kassem 21 Feb 2019

found the issue when the Attacker and Victim are friends ( Kassem and stephen ) and then kassem tag sarmad , the notification will sent from the correct user and ... See More

.
Facebook 21 Mar 2019

Triaged Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ... See More

.
Facebook 05 Apr 2019

Fixed We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ... See More

.
Kassem 05 Apr 2019

Confirmation

.
Facebook 03 May 2019

Bounty Awarded After reviewing this issue, we have decided to award you... . Below is an explanation of the bounty amount. Facebook fulfills its bounty awards t ... See More

VALID






Show All Images