Facebook Informative Bug From Triaged

Circle Ninja
Jul 17 · 2 min read

With some of my other stories, I liked to include my personal feelings and views too, thinking it would make a connection with readers. Since then, hardly anything has changed, and it is making me seem "unprofessional in Infosec". So all posts from now on will directly reflect real responses and content.

This bug is from the Facebook Whitehat program; it was triaged and even went to discussion for a payout (after the fix was confirmed), and was later deemed not worth Mark's money.

Bug- No Rate Limiting During FB Page Email Confirmation

The GET request for email confirmation on Facebook Pages looks something like this:

GET /pg/Lukas-1220909788091763/about/?conf_code=id&email_id=xyz%40gmail.com

If we send this request to Intruder and substitute a numerical sequence for the confirmation code that was sent, we find that every request returns a 302 redirect.

One of those redirects successfully confirms the new email.

Impact-

Any Page can verify and list an email address without the confirmation that arrives in the email account. There is no rate limiting, so a script can be written to check the 302 responses returned to the browser and confirm the email for any Page.
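The defence the report is asking for is an attempt limit on the confirmation code itself, not just a long-enough code. The following is an added example, written for this post and not Facebook's code, of a confirmation service that issues a 256-bit random code, stores only its hash, compares in constant time, expires the code after a window, and voids it after a fixed number of failed guesses. The class name, the in-memory store, the policy constants and the handler that parses the `conf_code`/`email_id` query string from the request shown above are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple
from urllib.parse import parse_qs

# Policy constants (hypothetical values chosen for this example).
CODE_BYTES = 32        # 256-bit random code: not enumerable like a short numeric sequence
WINDOW_SECONDS = 3600  # a code is only honoured for one hour after it is issued
MAX_ATTEMPTS = 5       # failed guesses before the pending confirmation is voided


@dataclass
class PendingConfirmation:
    code_hash: bytes   # only a hash of the code is kept server-side
    issued_at: float
    failures: int = 0


class EmailConfirmationService:
    """Issues and checks confirmation codes for (page_id, email) pairs.

    The store is an in-process dict for the example; a real deployment would
    keep it in shared storage and additionally throttle by client address.
    """

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._pending: Dict[Tuple[str, str], PendingConfirmation] = {}

    def issue_code(self, page_id: str, email: str) -> str:
        """Create a fresh code for the pair, replacing any earlier one.

        The returned code goes only into the email sent to the mailbox; it is
        never shown to the Page admin or echoed in an HTTP response.
        """
        code = secrets.token_urlsafe(CODE_BYTES)
        self._pending[(page_id, email)] = PendingConfirmation(
            code_hash=hashlib.sha256(code.encode()).digest(),
            issued_at=self._clock(),
        )
        return code

    def confirm(self, page_id: str, email: str, submitted_code: str) -> str:
        """Check a submitted code. Returns one of
        'confirmed', 'invalid', 'locked', 'expired', 'no_pending'.

        Every failure is counted, and reaching MAX_ATTEMPTS voids the pending
        code, so a run of candidate codes is cut off after a handful of
        requests instead of being answered until one of them succeeds.
        """
        key = (page_id, email)
        pending = self._pending.get(key)
        if pending is None:
            return "no_pending"
        if self._clock() - pending.issued_at > WINDOW_SECONDS:
            del self._pending[key]
            return "expired"
        submitted_hash = hashlib.sha256(submitted_code.encode()).digest()
        # Constant-time comparison avoids leaking how many bytes matched.
        if hmac.compare_digest(submitted_hash, pending.code_hash):
            del self._pending[key]      # a code is single-use
            return "confirmed"
        pending.failures += 1
        if pending.failures >= MAX_ATTEMPTS:
            del self._pending[key]      # void it; the admin must request a new code
            return "locked"
        return "invalid"


def handle_confirmation_request(service: EmailConfirmationService,
                                page_id: str, query_string: str) -> Tuple[int, str]:
    """Hypothetical handler for a query string of the form
    conf_code=...&email_id=... ; returns (HTTP status, outcome).

    The status code is not the protection (the post's endpoint answered 302
    either way); the attempt cap in confirm() is. A non-302 on failure simply
    gives monitoring something to count per Page.
    """
    params = parse_qs(query_string)
    code = params.get("conf_code", [""])[0]
    email = params.get("email_id", [""])[0]
    outcome = service.confirm(page_id, email, code)
    status = 302 if outcome == "confirmed" else 400
    return status, outcome
```

With `MAX_ATTEMPTS` set to 5, the fifth wrong guess for a given (Page, email) pair returns `locked` and the pending code is gone; even the genuine code then answers `no_pending` until the admin requests a new one.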

Timeline-

18 June- Submitted

20 June- Managed to reproduce

6 July- Sent to product team for fix

13 July- Fixed; asked for confirmation and asked to wait for the bounty decision.

17 July- Sad reply

“Thank you for sharing this information with us. After discussing with the bug bounty team, we’ve determined that this issue does not qualify for a bounty. The reason is that the email verification indicator on Pages is not really used and is currently only visible to the admin. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.”

Me- Asked for some clarification. Ok. Glad it’s not N/A. Or else it would be, in Hindi, “Jale pe namak chidkna” (rubbing salt in the wound).

Don’t expect POC for unpaid bugs. GO AWAY! :P

Join as a writer to share your story in this publication. Contact me on Twitter. Bye.
