Jafar Abo Nada

Published On: 20 May 2019

$500

A malicious user can toggle the Top Fans badge from ON to OFF for any user

IDOR
Facebook | Web
---
LOW VALID

Change another user's state in the "Top Fans" list from "turn on" to "turn off" without authorization

Description

While digging around Facebook for possible bugs, I noticed that Facebook had recently added a feature that lets fans who interact with a page join its Top Fans list. Once on the list, Facebook lets the user choose the status of the badge: the user can "Stop Displaying Badge" or keep the badge displayed. Looking at the HTTP request sent for "stop displaying badge", it turns out that any malicious person on the list can stop the badge from being displayed for anyone else on the list.

Impact

A malicious user can toggle the Top Fans badge from ON to OFF for any user.

Reproduction Steps

1. The malicious user goes to the page's Top Fans list:
"https://web.facebook.com/pg/[PageUserName]/community/"

Users: the bug applies to everyone on a page's "Top Fan" list.
Pages: any page that has activated a "Top Fan" list.
Prerequisite: the attacker must be on the list themselves.

2. The malicious user sends the request for "stop displaying badge".

3. The malicious user intercepts the request.

4. The attacker changes the value of the "fan_id=" parameter, replacing the attacker's own ID with the target's ID:
"https://web.facebook.com/top_fans/fan_opt_in/?status=[OPTED_OUT | OPTED_IN]&entry_point=leaderboard&creator_id=[Page ID]&fan_id=[Victim ID]&dpr=1"

5. The attacker can "Display badge" for the victim by setting "status=OPTED_IN", or "stop displaying badge" by setting "status=OPTED_OUT".

Exploit

Looking at the HTTP request sent for "stop displaying badge", it turns out that any malicious person on the list can stop the badge from being displayed for anyone else on the list, without permission. The endpoint "https://web.facebook.com/top_fans/fan_opt_in/?status=[OPTED_OUT | OPTED_IN]&entry_point=leaderboard&creator_id=[Page ID]&fan_id=[Victim ID]&dpr=1" did not verify that the "fan_id" parameter matched the authenticated sender; it simply accepted whatever the malicious person supplied, so replacing their own "Account ID" with the "Victim ID" was enough.
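As an added illustration (not code from the report or from Facebook), the following Python sketch models the authorization failure described in the reproduction steps and the paragraph above: a handler that trusts `fan_id` from the query string beside one that binds the toggle to the authenticated session, plus a small log check that flags requests whose `fan_id` differs from the acting account. The host `example.invalid`, the ids, the in-memory store and the log-line format are constructed assumptions; only the path and the parameter names come from the report.

```python
from urllib.parse import parse_qs, urlsplit

VALID_STATUSES = {"OPTED_IN", "OPTED_OUT"}


class TopFansStore:
    """In-memory stand-in (constructed) for the badge-status table:
    (page_id, fan_id) -> "OPTED_IN" | "OPTED_OUT"."""

    def __init__(self):
        self.status = {}

    def add_fan(self, page_id, fan_id):
        # A fan joining the list starts with the badge displayed.
        self.status[(page_id, fan_id)] = "OPTED_IN"

    def get(self, page_id, fan_id):
        return self.status.get((page_id, fan_id))


def parse_request(url):
    """Return the query parameters of a fan_opt_in-style URL as a flat dict."""
    return {k: v[0] for k, v in parse_qs(urlsplit(url).query).items()}


def fan_opt_in_vulnerable(store, session_user_id, url):
    """Vulnerable handler: the fan whose badge is toggled comes from the
    client-supplied fan_id, never from the session (the IDOR in the report)."""
    p = parse_request(url)
    status, page_id, fan_id = p.get("status"), p.get("creator_id"), p.get("fan_id")
    if status not in VALID_STATUSES or store.get(page_id, fan_id) is None:
        return 400
    # BUG: session_user_id is never compared with fan_id.
    store.status[(page_id, fan_id)] = status
    return 200


def fan_opt_in_fixed(store, session_user_id, url):
    """Hardened handler: the badge being toggled is always the caller's own."""
    p = parse_request(url)
    status, page_id = p.get("status"), p.get("creator_id")
    if status not in VALID_STATUSES:
        return 400
    # Authorization: a fan_id naming anyone other than the authenticated
    # user is rejected rather than honoured.
    if p.get("fan_id") not in (None, session_user_id):
        return 403
    fan_id = session_user_id  # object identity derived from the session
    if store.get(page_id, fan_id) is None:
        return 404  # caller is not on this page's Top Fans list
    store.status[(page_id, fan_id)] = status
    return 200


def find_mismatched_requests(log_lines):
    """Detection: flag access-log lines whose fan_id differs from the acting
    account. Constructed line format: '<actor_id> <request_url>'."""
    hits = []
    for line in log_lines:
        actor, url = line.split(" ", 1)
        p = parse_request(url)
        if "fan_id" in p and p["fan_id"] != actor:
            hits.append((actor, p["fan_id"]))
    return hits


# Constructed sample: page 9001 with attacker 111 and victim 222 on its list.
PAGE, ATTACKER, VICTIM = "9001", "111", "222"
OPT_OUT_VICTIM = ("https://example.invalid/top_fans/fan_opt_in/"
                  f"?status=OPTED_OUT&entry_point=leaderboard"
                  f"&creator_id={PAGE}&fan_id={VICTIM}&dpr=1")


def fresh_store():
    store = TopFansStore()
    store.add_fan(PAGE, ATTACKER)
    store.add_fan(PAGE, VICTIM)
    return store


def demo():
    """Send the tampered request to both handlers; return status codes,
    the victim's resulting badge state, and what the log check flagged."""
    before, after = fresh_store(), fresh_store()
    return {
        "vulnerable": (fan_opt_in_vulnerable(before, ATTACKER, OPT_OUT_VICTIM),
                       before.get(PAGE, VICTIM)),
        "fixed": (fan_opt_in_fixed(after, ATTACKER, OPT_OUT_VICTIM),
                  after.get(PAGE, VICTIM)),
        "flagged": find_mismatched_requests([f"{ATTACKER} {OPT_OUT_VICTIM}"]),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the standard IDOR remedy: the identifier of the object being modified is derived from the session rather than trusted from the client, and a client-supplied value that disagrees is rejected instead of silently honoured. The same actor/`fan_id` mismatch is what a defender would search for in request logs to confirm whether the flaw was ever exercised.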


Timeline

Jafar 29 Jun 2018

The report was submitted

Facebook 30 Jun 2018

The security team at Facebook does not know about this feature: "Hi Jafar, Is Top Fans an app you have to install or is this normally part of a page? I'm not finding the option for this on my own page. Thank ..."

Jafar 30 Jun 2018

Sent more info to Randal: "This feature is added automatically by Facebook on pages that are interacted with by their fans; it has been published to start testing this feature in ..."

Facebook 18 Jul 2018

Patches were done

Jafar 19 Jul 2018

Confirmation of fix by me

Facebook 20 Jul 2018

Reward paid

VALID