Facebook Vulnerability: $1500 for Removing Document Cover

Muhammad Sholikhin
2 min read · Jul 17, 2021

Unfortunately, Facebook has now deactivated the ability for users to create a post with a document in a group. It was from this feature that I started as a bug hunter and found 10 bugs on Facebook. That is the story with good news. For the last two years, Facebook has always rejected my reports as duplicate, informative, and -10 points (you know what I mean? Wkwk). I don’t know what my mistake is or how to be productive again. Based on this bad news, I am now thinking about giving up as a bug hunter. Bug hunting is not my skill.

A group member who creates a document can choose whether other members may edit it. The issue: when the victim does not allow anyone else to edit the document, the attacker should not be permitted to remove its cover.

  1. The victim creates a document and does not allow any member to edit it.
  2. The attacker creates a document and removes the cover.
  3. Change the note_id to the victim’s note_id:

     POST /notes/composer/remove_cover_photo/?dpr=1.5 HTTP/1.1
     Host: web.facebook.com

     note_id=(VICTIM NOTE_ID HERE)&….

  4. Run the request.

After developing this further, I found that the issue affects not only “Document” but also “Notes”. The difference is that a Document is a Note in a group, whereas a Note has no option to let other users edit it.
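The flaw described above is a missing object-level authorization check on note_id. As an added example (not Facebook's code; the data model, function names and sample IDs are assumptions), the sketch below contrasts a handler that trusts the submitted note_id with one that checks the session user's edit rights on the target, for both group Documents and plain Notes.

```python
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Raised when the session user may not modify the target note."""

@dataclass
class Note:
    note_id: int
    owner: str
    cover: Optional[str] = "cover.jpg"
    group_members: frozenset = frozenset()  # empty for a plain Note
    members_can_edit: bool = False          # Document option: let members edit

def sample_store():
    # Constructed sample data: IDs and user names are made up.
    members = frozenset({"victim", "attacker"})
    notes = [
        Note(1, "victim", group_members=members),                         # locked Document
        Note(2, "victim", group_members=members, members_can_edit=True),  # shared Document
        Note(3, "victim"),                                                # plain Note
    ]
    return {n.note_id: n for n in notes}

def can_edit(user, note):
    if user == note.owner:
        return True
    # Non-owners need both group membership and the owner's opt-in.
    return note.members_can_edit and user in note.group_members

def remove_cover_unchecked(store, session_user, note_id):
    # Flawed pattern: the session is authenticated, but the note_id taken
    # from the request body is never checked against session_user.
    store[note_id].cover = None
    return True

def remove_cover(store, session_user, note_id):
    # Hardened pattern: resolve the object, then authorize this user on it.
    note = store.get(note_id)
    # Same error for "missing" and "not yours" so IDs cannot be probed.
    if note is None or not can_edit(session_user, note):
        raise Forbidden("cannot modify note %r" % note_id)
    note.cover = None
    return True
```

The same `can_edit` check belongs on every endpoint that accepts a note_id, so that a single forgotten handler does not reopen the gap.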

25 July 2017: Report

26 July 2017: First response

8 August 2017: Second response

11 August 2017: They fixed my bug

23 August 2017: Facebook rewarded me $1500


Muhammad Sholikhin

Facebook bug hunter, dropped out of university but do not have a career like Mark Zuckerberg