Max Pasqua

Published On: 11 Jun 2019

$1,000

Crashing "Files" Section in Facebook Groups

DoS
Facebook | Web
---
VALID

After doing some testing in the file upload functionality of Facebook groups, I noticed that my files tab stopped working correctly. I then went through my requests sent one by one in an attempt to reproduce the issue I stumbled across.

Description

When uploading a file to a group, if you change the filename to a single period ".", the files tab then crashes completely and can no longer be loaded.

Impact

The impact is that the files section is no longer usable, and to get it back the victim would have to remake the entire group, thus losing all the current members and content.




Reproduction Steps

Step 1: Browse to the victim's group

Step 2: Attempt to upload a valid file and capture the request in Burp Suite

Step 3: Change the filename to "."
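
On the defensive side, an added example (not Facebook's code or fix; the report does not disclose the root cause): a server-side check that rejects the "." filename from step 3 and its close variants at upload time, plus a listing-side fallback so one bad stored name cannot break the whole files view. The function names, the `file-<id>` placeholder and the 255-byte limit are assumptions.

```python
import unicodedata

# Names that refer to a directory rather than a file in most filesystems
# and URL routers; the report's payload "." is the first of these.
_RESERVED = {".", ".."}
MAX_BYTES = 255  # assumed limit, matches common filesystem name limits


class InvalidFilename(ValueError):
    pass


def normalize_upload_filename(raw: str) -> str:
    """Return a safe storage/display name or raise InvalidFilename."""
    if not isinstance(raw, str):
        raise InvalidFilename("filename must be a string")
    # NFKC folds look-alikes such as fullwidth full stop U+FF0E into ".".
    name = unicodedata.normalize("NFKC", raw)
    # Keep only the last path component, whichever separator the client sent.
    name = name.replace("\\", "/").rsplit("/", 1)[-1]
    # Drop control and format characters (NUL, zero-width space, BOM, ...).
    name = "".join(ch for ch in name if unicodedata.category(ch)[0] != "C")
    name = name.strip()
    if not name or name in _RESERVED:
        raise InvalidFilename("empty or dot-only filename")
    # "...", ". ." and similar have no usable stem either.
    if not name.strip(". "):
        raise InvalidFilename("filename has no stem")
    if len(name.encode("utf-8")) > MAX_BYTES:
        raise InvalidFilename("filename too long")
    return name


def display_name(stored: str, file_id: str) -> str:
    """Listing-side fallback: never let one bad record break the view."""
    try:
        return normalize_upload_filename(stored)
    except InvalidFilename:
        return f"file-{file_id}"
```

Validating at upload stops new bad names; the `display_name` fallback covers records that were stored before the check existed.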


Timeline

Max, 11 Apr 2019
Submitted

Facebook, 06 Jun 2019
Bounty Awarded: After reviewing this issue, we have decided to award you a bounty of $1000. Below is an explanation of the bounty amount. Facebook fulfills its b ...

Facebook, 12 Jun 2019
Triaged: We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

Facebook, 30 Jun 2019
Fixed: We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...
