Hi,
I would like to
share one of Logical Bug in facebookgroups. The bug I found was too simple to exploit but it had a great Impact.
[#] Title: Logical bug on facebook group.
[#] Worth: $2000 USD
[#] Status: Fixed
[#] Severity : I don’t know :p
[#] Author: Manjesh S
[#] Twitter: @Manjesh24
Description:
If you are the admin of the group
you can remove the users, add users, edit/delete posts etc..
But if you make a attacker admin
then he also gets the same admin rights, The problem is you cannot remove the
attacker from the group using this bug..
Now there are two cases:
- If attacker is just user.
- If attacker also has admin rights.
If attacker is just user he can post
anything on the group and Admin cannot remove the attacker.
If
attacker also has admin rights then he can do whatever he want on the group and
admin cannot remove the attacker from the group and also admin cannot remove
the admin rights which attacker is having – which means the attacker will be
having admin rights forever and no one can remove the rights :)
The great
thing is it was not fixed on facebook mobile sites:
m.facebook.com,touch.facebook.com etc.. and also official facebook mobile apps. :)
Impact of this Bug:
- Attacker in a group can see all the posts SECRETELY.
- If Attacker have admin rights, Attacker can EDIT or DELETE ANY posts without knowing to admin.
- If Attacker have admin rights, Attacker can REMOVE users from a group without knowing to admin.
- Even if admin found Attacker, He/She cant remove Attacker from the group or remove admin rights on mobile site and mobile apps..
- Attacker can invite more members, preserve the content in that Group, or shut down the Group if it's no longer needed.
- No Extra/Great knowledge is required - simple to Hack :p
etc..
Requirements:
*We need
to know who is admin of the group. That’s it!!
* Its not
must but needed – Admin rights
Steps to Reproduce:
- Block the admin of the group :D
- That’s all!!
So assume
that you are admin of a group and you gave admin rights to a User-A,
What
happens when User-A blocks you is, you cannot remove the User-A from the
group or remove the admin rights as the User-A wont be listed on members list.
Now the User-A will be in a group forever with admin rights, and the you will never be able to remove User-A. The worst thing is if you go to group members list the User-A wont be listed, So as usual you think that User-A has left the group but secretly User-A can do all stuffs on the group without knowing to you :D :D
Now the User-A will be in a group forever with admin rights, and the you will never be able to remove User-A. The worst thing is if you go to group members list the User-A wont be listed, So as usual you think that User-A has left the group but secretly User-A can do all stuffs on the group without knowing to you :D :D
But Bug
was initially rejected :(
I didn’t
expected this type of reply from fb.
They agree
that the bug is either privacy or a security issue but both issues qualify for
bug bounty program.
Strange
thing is they are not asking for proof of bug instead needed a proof that I am
eligible for bug bounty program. :o
What mistake I did :
- I didn’t sent them more impacts as I was hurry in reporting ( After many Duplicates I thought I must report it fastly).
- I didn’t reported that the bug was also existed on official facebook mobile apps.
So this
time I sent more proofs, But I don’t think these proofs are needed as the bug
is self explanatory. I googled and found many impacts which I can add to my
bug, and suddenly I found a great blog where a security researcher found the
exact same bug like mine ;)
Wow!!! That’s what I was looking for..
Which is almost exactly same bug like mine for which he has got $5000.
I was sure
that I wont get $5000, as bug which I reported was already fixed on facebook pc
site, But I was sure that I am eligible for bug bounty.
Oops after adding these things I sent them mail asking “Why I am not eligible for bug bounty program?“
Then got this reply from fb :
And
finally got a positive reply after 1 month :
Suggestion :
If you
also got the same reply and bug got rejected from facebook,
Then first of all know why your bug got
rejected, work on it and find more possible impacts which makes eligible to all
conditions as listed on https://www.facebook.com/whitehat/
All the
best :)
Source: http://manjeshboss.blogspot.com/