Majd Dhainy

Published On: 21 Nov 2019

Break the "Saved" tab for a targeted victim by placing two collections within each other

DoS
Facebook | Web
---
LOW VALID

The idea is to add two collections to each other, so the saved option breaks when trying to load, and since we can add contributors to collections, the impact goes beyond self DOS. Bypassing Sarmad Hassan's old bug, special thanks to him . https://bugreader.com/jubabaghdad@95

Description

A malicious user could prevent users from seeing their saved items on https://www.facebook.com/saved/ without the need of any user interaction or even being notified .

Impact

The victim will simply be unable to use the saved section without knowing why or even who is the reason .




Reproduction Steps

Step
1

Go to https://www.facebook.com/saved/ and click the + New Collection button to create a new collection and give the collection a name .

Step
2

get the collection's id by navigating to the collection's page and checking the list_id parameter in the URL, lets take the id for this list as list_id=1 just as an example.

Step
3

Create a new different collection and get it's ID, also as an example, take the id of this new list as list_id=2.

Step
4

Add victim (or multiple victim users) user to both collections using the Add Contributors tab, this does not require any confirmation from the victim's part or any user interaction .

Step
5

Prepare a proxy to intercept requests .

Step
6

Go to a random post and click the ... button then click save, now click Add to a Collection and choose the first collection (list_id=1) and intercept the request .

Step
7

The request will contain two parameters list_id and object_id, in this example the list_id will be 1 while the object_id will be some random ID depending on the post that we are adding to the collection. Change the object_id to the list_id of the second list, which is 2 in the example.
Now we have added the second list to the first .

Step
8

Go to a random post and click the ... button then click save, now click Add to a Collection and choose the second collection (list_id=2) and intercept the request .

Step
9

now the list_id will be 2 while the object_id will be some random ID. Change the object_id to the list_id of the first list, which is 1 in the example.
Now we have added the first list to the second .


Videos

Timeline
.
Majd 17 Oct 2019

Initial Report

.
Facebook 31 Oct 2019

Report Triaged

.
Facebook 16 Nov 2019

Fixed By Facebook

.
Majd 16 Nov 2019

Fix Confirmed

.
Facebook 21 Nov 2019

Bounty awarded

VALID