
Hunting for Logic Flaws in Facebook.


Hello readers,

In this Ask Buddie article, I will cover some of the logic flaws found by Nepali bug hunters in Facebook. They should help beginner bug hunters get started on their bug hunting journey and eventually earn their first bounty.

What is a logic flaw?

Most security problems are weaknesses in an application that result from a broken or missing security control (authentication, access control, input validation, etc.). By contrast, business logic vulnerabilities are ways of using the legitimate processing flow of an application that result in a negative consequence for the organization.

You don’t necessarily need in-depth security knowledge to find a logic flaw in an application. Often ordinary users find one but don’t realize that it has a security impact and needs to be reported.

Now let’s explore some of the logic flaws found by Nepali bug bounty hunters in Facebook that might get you started on your bug hunting journey.

• Instagram Story reply privacy bypass.

Found by : Baibhav Anand Jha

Summary : Instagram has a privacy setting that lets users choose who can reply to their story.

Instagram story reply privacy settings

Exploiting this bug allowed anyone to reply to a person’s story even when replies were disabled.

Steps for reproduction:

  1. Open the previous story on which replies were enabled so that the next story that will automatically show up would be the one with replies disabled.
  2. I would now pop up the keyboard in that previous story and let the keyboard be on until the story would pass and the next story with replies disabled would show up.
  3. Since my keyboard was already on and the story led to the one with replies disabled, my keyboard would still be on and there was a reply button.
  4. Now that there was a reply option I could reply to the story.

I was also able to bypass the fix which Facebook implemented for this bug and was able to get bounty again for the same bug.

Full article : https://medium.com/bugbountywriteup/bypassing-the-fix-of-my-previous-instagram-bug-49ece4ea7e1d

• Page Admin Disclosure.

Found by : Saugat Pokharel

Summary : Replying with a photo comment as a page in Facebook Lite revealed the page admin.

Steps for reproduction :

  1. In the Facebook Lite app open your page.
  2. Go to comments.
  3. Reply with a photo comment.
  4. Reply is posted via personal profile instead of being posted as page.

Full article : https://medium.com/nassec-cybersecurity-writeups/page-admin-disclosure-facebook-bug-bounty-2020-8a45cf911e24

• Creating Unauthorized Comments on Facebook Live Stream.

Found by : Binit Ghimire

Summary : Facebook has a privacy setting that lets people choose who can comment on their posts. He was able to comment on live streams with the privacy set to “Friends only”.

Steps for reproduction:

  1. He visited the profile of a person who is not his friend and allows only friends to comment on his/her posts.
  2. He scrolled down until he found a live stream on that profile and opened it.
  3. Facebook had launched a new feature that lets people post quick comments in live streams without typing, such as “Hello”, a thumbs up and other emojis. This quick comment area appears in every live stream; you just press one of the quick comment buttons and the comment is posted in the live stream.

Full article : https://askbuddie.com/blog/unauthorized-comments-on-facebook-live-stream/
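Both the Instagram story reply bug and the live stream comment bug share one root cause: the only thing stopping a reply was whether the client happened to render a reply control. The toy model below is an added example, not Facebook’s or any reporter’s code, and the audience names, user names and function names are assumptions; it contrasts a write handler that trusts client state with one that re-evaluates the owner’s setting on every request.

```python
from dataclasses import dataclass, field

# Constructed toy model of the story-reply and live-stream comment settings above.
# Audience names and user names are assumptions, not Facebook's own code.

@dataclass
class User:
    name: str
    friends: set = field(default_factory=set)    # names of the user's friends
    following: set = field(default_factory=set)  # names the user follows

@dataclass
class Post:
    owner: User
    audience: str   # "everyone", "following", "friends" or "off"

def policy_allows(post: Post, actor: User) -> bool:
    """Single source of truth for the owner's 'who can reply/comment' setting."""
    if actor is post.owner or post.audience == "everyone":
        return True
    if post.audience == "following":
        return actor.name in post.owner.following
    if post.audience == "friends":
        return actor.name in post.owner.friends
    return False   # "off" and anything unknown: deny

def ui_shows_reply_control(post: Post, viewer: User) -> bool:
    """What the client decides to render. Useful as UX, useless as a security control."""
    return policy_allows(post, viewer)

def post_reply_vulnerable(post: Post, actor: User, control_rendered: bool) -> bool:
    """Models both bugs: the server accepts whatever the client let the user send.
    A keyboard left open from the previous story, or a quick-comment button drawn
    on every live stream, is enough to get a reply through."""
    return control_rendered

def post_reply_hardened(post: Post, actor: User, control_rendered: bool) -> bool:
    """The server re-evaluates the owner's setting on every write and ignores
    whatever state the client claims to be in."""
    return policy_allows(post, actor)
```

The fix is not a better client: the same `policy_allows` check simply has to run on the server for every reply or comment write.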

• Page Admin Disclosure

Found by : Sudip Shah

Summary : A photo message sent as a page via Facebook Lite was sent from the personal profile instead of the page.

Steps for reproduction :

  1. UserA opens his page PageX’s inbox through Facebook Lite and sees UserB’s message thread.
  2. UserA sends a text message to UserB.
  3. UserB receives the text message sent by UserA as the page.
  4. UserA now sends a photo to UserB from the page inbox.
  5. UserB receives the photo message from UserA’s personal profile instead of from the page, which leads to page admin disclosure.

Full article : https://medium.com/@sudipshah_66336/the-story-of-my-first-4-digit-bounty-from-facebook-3a29830e03cd

• Unintended forward of pictures.

Found by : Ashok Chapagai

Summary : Forwarding one picture out of a group of pictures from the inbox in Facebook Lite forwards all the pictures instead of the one the user intended to forward.

Steps for reproduction:

  1. From account A send multiple photos to account B.
  2. Account B forwards one of the pictures from his inbox in Facebook Lite to account C.
  3. Instead of one picture being forwarded, all the pictures are forwarded to account C.

Full article : https://medium.com/@ashokcpg/non-technical-write-up-on-my-second-bounty-of-1-000-from-facebook-74daecd6879b

• Unable to revoke access for an application in Instagram.

Found by : Jabir Khan

Summary : He was unable to revoke an application’s access, allowing the application to continue accessing his data.

Steps for reproduction :

  1. He noticed that TikTok had been added to his authorized application list, although he had never granted it access.
  2. When he tried to revoke the access he got the error “There was a problem revoking access. Please try again later.” and was not able to revoke it.

Full article : https://medium.com/nassec-cybersecurity-writeups/this-is-how-i-got-xxxx-from-facebook-for-instagram-bug-aaff50342246

• Page Admin Disclosure

Found by : Ajay Gautam

Summary : Adding a non-admin as co-host of a page event revealed the admin’s name in the invitee’s notification panel.

Steps for reproduction :

  1. Create an event from a page.
  2. Add another account (make sure he/she is not an admin of the page) as a co-host of the event.
  3. Open the other account and click the notification about the co-host invitation.
  4. You will see the name of the admin who added you as a co-host, like “$Page Admin Name$ invited you” instead of “$Page$ invited you.”

Full article : https://medium.com/bugbountywriteup/page-admin-disclosure-facebook-bug-bounty-2019-ee9920e768eb

Lastly, I would like to include this vulnerability of mine which I have never disclosed elsewhere.

• Hiding in the close friends list so the victim cannot remove us from the list.

Found by : Baibhav Anand Jha

Summary : We were able to hide ourselves in the Facebook close friends list, preventing the victim from removing us, and could still view content shared with the privacy setting “Close Friends Only”.

Steps for reproduction :

  1. UserOne (Attacker) is in the close friends list of UserTwo (Victim).
  2. UserOne deactivates his account.
  3. UserTwo can no longer see UserOne in his close friends list.
  4. UserOne reactivates his account and is still in the close friends list of UserTwo.
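The close friends bug is a mismatch between two views of the same data: the list-management screen hides deactivated accounts, so the owner cannot remove them, while the access check for “Close Friends Only” content still honours the underlying membership once the account comes back. The model below is an added example, not Facebook’s code; all class, method and user names are assumptions. It runs the four steps above once with membership merely hidden on deactivation and once with membership purged on deactivation.

```python
from dataclasses import dataclass, field

# Constructed toy model of the close-friends bug above (all names are assumptions).
# Deactivation only hides an account from the owner's list UI, so the owner cannot
# remove it; the membership itself survives and is honoured again on reactivation.

@dataclass
class Account:
    name: str
    active: bool = True

@dataclass
class CloseFriends:
    accounts: dict = field(default_factory=dict)   # name -> Account
    members: set = field(default_factory=set)      # names in the owner's list

    def add(self, acct: Account) -> None:
        self.accounts[acct.name] = acct
        self.members.add(acct.name)

    def remove(self, name: str) -> None:
        self.members.discard(name)

    def visible_to_owner(self) -> list:
        """What the owner sees and can remove: deactivated members are hidden."""
        return sorted(n for n in self.members if self.accounts[n].active)

    def can_view_close_friends_content(self, name: str) -> bool:
        """Access check used when serving 'Close Friends Only' posts."""
        return self.accounts[name].active and name in self.members

    def deactivate(self, name: str, purge_membership: bool) -> None:
        self.accounts[name].active = False
        if purge_membership:   # hardened: membership does not survive deactivation
            self.members.discard(name)

    def reactivate(self, name: str) -> None:
        self.accounts[name].active = True

def run_scenario(hardened: bool) -> tuple:
    """UserOne is on UserTwo's list, deactivates, then reactivates.
    Returns (names UserTwo could remove while UserOne was deactivated,
             whether UserOne can view Close Friends content afterwards)."""
    cf = CloseFriends()
    cf.add(Account("UserOne"))
    cf.deactivate("UserOne", purge_membership=hardened)
    removable = cf.visible_to_owner()
    cf.reactivate("UserOne")
    return removable, cf.can_view_close_friends_content("UserOne")
```

An equally valid fix is to keep deactivated members visible (and removable) in the list UI so that what the owner can manage and what the access check consults never diverge.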

I am clicking the publish button in the hope that this article helps someone find their first logic flaw and land their first bounty.

Like this article? Do follow me on Twitter @spongebhav



Discussions

  • I am interested in bug hunting so keep in touch.