With some of my other stories, I liked to include my personal feelings and views too, thinking it would make a connection with readers. Since then, hardly anything has changed, and it is making me seem “unprofessional in Infosec”. So all posts from now on will directly reflect real responses and content.
This bug is from the Facebook Whitehat program. It got triaged and even went to discussion for a payout (after the fix was confirmed), and was later deemed not worth Mark’s money.
Bug- No Rate Limiting During FB Page Email Confirmation
The GET request for email confirmation on Facebook Pages looks something like this:
If we send this request to Intruder and iterate over numerical sequences in place of the confirmation code that was emailed, we find that every request returns a 302 redirect.
One of those redirects successfully confirms the new email address.
So any Page can verify and list an email address without the confirmation that is delivered to that mailbox. Because there is no rate limiting, a script can send the guesses, follow the 302 responses back to the browser, and confirm the email for any Page.
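The fix the product team would need is on the server side: cap the number of wrong guesses a pending confirmation code accepts and expire the code. Below is an added example of such an endpoint (my own illustration, not Facebook’s code); the six-digit numeric code, the `(page_id, email)` key and the limits are assumptions.

```python
import hmac
import secrets
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5        # wrong guesses allowed before the pending code is discarded
CODE_TTL_SECONDS = 900  # a code that is not used within 15 minutes expires


@dataclass
class PendingConfirmation:
    code: str          # value delivered to the mailbox (assumed 6 digits here)
    issued_at: float
    failures: int = 0


class EmailConfirmationService:
    """Hypothetical Page email-confirmation endpoint keyed by (page_id, email)."""

    def __init__(self, clock=time.time):
        self._pending = {}      # in-memory store; a real deployment shares this state
        self._clock = clock     # injectable so expiry can be tested deterministically

    def issue_code(self, page_id: str, email: str) -> str:
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[(page_id, email)] = PendingConfirmation(code, self._clock())
        return code   # the caller e-mails this; it is never returned to the browser

    def confirm(self, page_id: str, email: str, submitted: str) -> str:
        key = (page_id, email)
        pending = self._pending.get(key)
        if pending is None:
            return "no_pending"
        if self._clock() - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[key]
            return "expired"
        if hmac.compare_digest(pending.code, submitted):
            del self._pending[key]        # single use
            return "confirmed"
        pending.failures += 1
        if pending.failures >= MAX_ATTEMPTS:
            del self._pending[key]        # guessing stops; a new code must be requested
            return "locked"
        return "invalid"


if __name__ == "__main__":
    svc = EmailConfirmationService()
    svc.issue_code("page-42", "owner@example.com")
    print([svc.confirm("page-42", "owner@example.com", "000000") for _ in range(MAX_ATTEMPTS)])
```

After `MAX_ATTEMPTS` failures the pending code is dropped, so iterating over the numeric space no longer reaches the confirming response; the endpoint should also return the same redirect for every outcome so that nothing distinguishes a hit from a miss.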
Timeline:
18 June - Submitted
20 June - Managed to reproduce
6 July - Sent to product team for fix
13 July - Fixed; asked for confirmation and asked to wait for bounty decision
17 July - Sad reply
“Thank you for sharing this information with us. After discussing with the bug bounty team, we’ve determined that this issue does not qualify for a bounty. The reason is that the email verification indicator on Pages is not really used and is currently only visible to the admin. Although this issue does not qualify as a part of our bounty program we appreciate your report. We will follow up with you on any security bugs or with any further questions we may have.”
Me: asked for some clarification. OK. Glad it’s not N/A, or else it would be, in Hindi, “Jale pe namak chidkna”.
Don’t expect a POC for unpaid bugs. GO AWAY! :P
Join as a writer to share your story in this publication. Contact me on Twitter. Bye.