Published On: 20 May 2019
Changing another user's status from "turn on" to "turn off" in a page's "Top Fans" list without authorization
After digging around in Facebook looking for possible bugs, I noticed that Facebook had recently added a feature that lets fans interested in a specific page join its Top Fans list. After opening the list, Facebook offers a choice about the status of the badge: the user can "Stop Displaying Badge" or keep the badge displayed. When looking at the HTTP request sent for "stop displaying badge", it turns out that any malicious person in the list can stop the badge being displayed for anyone else in the list.
A malicious user can toggle the Top Fans badge from on to off for any other user in the list.
Step 1. The malicious user opens the Top Fans list of the page:
"https://web.facebook.com/pg/[PageUserName]/community/"
Affected users: the bug can be applied to everyone in the "Top Fan" list.
Affected pages: every page that has activated a "Top Fan" list.
Prerequisite: the attacker needs to be in the list themselves.
Step 2. The malicious user sends the request for "stop displaying badge".
Step 3. The malicious user intercepts the request.
Step 4. The attacker edits the value of the "fan_id=" parameter, removing their own ID and replacing it with the target's ID:
"https://web.facebook.com/top_fans/fan_opt_in/?status[ OPTED_OUT ] OR [ OPTED_IN ] &entry_point=leaderboard&creator_id= [Page ID] &fan_id= [Victim ID] &dpr=1"
Step 5. The attacker can make the badge display again by setting the parameter to "status=OPTED_IN", or stop it being displayed by setting "status=OPTED_OUT".
Looking at the HTTP request for "stop displaying badge", any malicious person in the list can stop the badge being displayed for anyone else in the list without permission, because the endpoint "https://web.facebook.com/top_fans/fan_opt_in/?status[ OPTED_OUT ] OR [ OPTED_IN ] &entry_point=leaderboard&creator_id= [Page ID] &fan_id= [Victim ID] &dpr=1" did not verify that the fan_id in the request belonged to the authenticated sender. It simply accepted the malicious user's input, in which the attacker's own account ID had been swapped for the victim's ID.
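The root cause is that the handler trusts a client-supplied principal (fan_id) instead of the session identity. The model below is an added illustration, not Facebook's code: a handler that reproduces the flaw beside one that binds the change to the authenticated user and logs mismatches, which is also the detection signal for this bug class. The in-memory badge store, the placeholder IDs and the sample URL are constructed assumptions.

```python
from urllib.parse import parse_qs, urlsplit

ALLOWED_STATUS = {"OPTED_IN", "OPTED_OUT"}

# Constructed sample request: the endpoint from the writeup with placeholder IDs.
SAMPLE_URL = ("https://web.facebook.com/top_fans/fan_opt_in/?status=OPTED_OUT"
              "&entry_point=leaderboard&creator_id=PAGE_1&fan_id=VICTIM_2&dpr=1")


def parse_opt_in_request(url):
    """Return the three parameters the endpoint acts on (None when absent)."""
    q = parse_qs(urlsplit(url).query)
    return {k: q.get(k, [None])[0] for k in ("status", "creator_id", "fan_id")}


def fan_opt_in_vulnerable(badges, session_user_id, url):
    """Trusts the client-supplied fan_id, the flaw in the writeup: any member
    can flip anyone's badge. session_user_id is never consulted."""
    p = parse_opt_in_request(url)
    badges[(p["creator_id"], p["fan_id"])] = p["status"]
    return 200


def fan_opt_in_fixed(badges, session_user_id, url, audit_log):
    """Binds the badge change to the authenticated principal. A fan_id that
    disagrees with the session is rejected and logged; a burst of such
    mismatches from one account is what a detection rule should alert on."""
    p = parse_opt_in_request(url)
    if p["status"] not in ALLOWED_STATUS or not p["creator_id"]:
        return 400
    if p["fan_id"] is not None and p["fan_id"] != session_user_id:
        audit_log.append(f"fan_id mismatch: session={session_user_id} "
                         f"fan_id={p['fan_id']} creator_id={p['creator_id']}")
        return 403
    # The record is keyed by the session identity, never by client input.
    badges[(p["creator_id"], session_user_id)] = p["status"]
    return 200


if __name__ == "__main__":
    badges, audit = {}, []
    print(fan_opt_in_vulnerable(badges, "ATTACKER_1", SAMPLE_URL), badges)
    print(fan_opt_in_fixed({}, "ATTACKER_1", SAMPLE_URL, audit), audit)
```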