IDOR leading to Privilege Escalation and violating Facebook's policy
So yes, it all started when my friend taunted me: “Why are you always so into FACEBOOK, and why do you waste your time using social networking apps?” I was like, man, I think he is right... I need to prove him wrong!
So I went straight home and checked phwd's blogs.
I was like, okay, let me select my target.
I started checking all the functionality of Facebook, like groups and pages.
When I was looking into events,
I found that I could create a private event there, so I made a private event.
After making the private event I started inviting people to my event.
While I was inviting friends to my event I was also capturing the request in Burp Suite.
Now, as you will notice, the highlighted part in the request is the user ID of my account, as I was inviting only myself.
Here I decided to fuzz this parameter, “profilechooseritems”, with different values.
If you have noticed, whenever you create a Facebook account, Facebook provides you a UNIQUE **username** and also gives you a user ID.
So as per Facebook's policy you can only invite Facebook users to your private event who are in your Facebook account's friend list.
So I tried to put my friend @hackerspider1 into my event, who was not added to my current testing Facebook account's friend list, and I was able to add/invite him to my event. I was like, yeah!! :D I think I have found something. I also had one more Facebook testing account, which is also not added to my current Facebook account's friend list. I tried to invite that Facebook user too.
And what! I was able to invite that account too!!
But I wanted to exploit it more! Without wasting my time I also added @jaypatel9717 to my private event. (Jay Patel is also not added to this testing account's friend list.)
I was scrolling my Facebook news feed and also thinking about how I could exploit it more. At that time I saw one of my friends' posts: “******** is going to DHINCHAK POOJA's Live Event”.
So I started exploring more to see whether I was able to post on behalf of Jay Patel, like “Jay Patel is going to this event”, or not.
And what!! I was able to post that Jay Patel is going to this event!
Without wasting any time, I made a PoC of this and reported it to Facebook.
And the next morning... I got a reply :/
So as per Facebook's policy, if someone is added to your Facebook friend list, and you add other Facebook users who are not added to your account but who are in the friend list of that person who is in your friend list, and you somehow add them, then it is normal behavior. :/// I was like, aghhhh!!!
But I didn't give up! I quickly made a new Facebook account. Since I had just made the account, there was no one in its friend list. :3
Now I went back to my testing account and tried to add this freshly made Facebook account.
And yeah! I was able to add that account too to my private event and make the same post as well (like “testarmaanpathantest armaan is going to so-and-so event”).
Again I made a quick PoC and reported it to Facebook.
After 5–6 days I got a reply from Facebook that they had patched the issue, and asking me to confirm that it is not reproducible anymore.
They rewarded me with a good amount.
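As an added illustration (this is not Facebook's code; the user names and the friend graph are constructed), here is the kind of server-side check that closes this class of bug: the vulnerable handler trusts every ID in `profilechooseritems`, while the hardened one only accepts IDs that are the inviter's friends or friends of those friends, which is the relationship Facebook's reply described as normal behavior, and records every rejected ID for review.

```python
"""Authorization check for private-event invites (added example, not Facebook's code).

The bug in the write-up: the server accepted any user ID submitted in the
`profilechooseritems` parameter without checking the inviter's relationship
to the invitee. Everything below (names, graph) is constructed sample data.
"""

# Constructed friendship graph: user -> set of friend user IDs (undirected).
FRIENDS = {
    "armaan": {"jay"},
    "jay": {"armaan", "hackerspider1"},
    "hackerspider1": {"jay"},
    "fresh_account": set(),  # brand-new account with no friends at all
}

# Audit trail of rejected invite attempts; a defender would ship this to logs.
AUDIT = []


def friends_of(user):
    return FRIENDS.get(user, set())


def allowed_invitees(inviter):
    """IDs the inviter may add: direct friends plus friends of those friends."""
    direct = friends_of(inviter)
    extended = set()
    for friend in direct:
        extended |= friends_of(friend)
    extended.discard(inviter)
    return direct | extended


def invite_vulnerable(inviter, profilechooseritems):
    """Before the fix: every submitted ID is added, with no ownership check (IDOR)."""
    return sorted(set(profilechooseritems))


def invite_hardened(inviter, profilechooseritems):
    """After the fix: IDs outside the inviter's allowed set are rejected and logged."""
    allowed = allowed_invitees(inviter)
    accepted, rejected = set(), set()
    for uid in profilechooseritems:
        if uid in allowed:
            accepted.add(uid)
        else:
            rejected.add(uid)
            AUDIT.append({"inviter": inviter, "rejected": uid})
    return {"accepted": sorted(accepted), "rejected": sorted(rejected)}
```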
Special thanks to @jaypatel9717.
And yeah! I also learnt that if any friend is taunting you, take it as a challenge and prove him/her wrong.
Thanks for reading.
Have a great day ahead.