How I could delete Facebook Ask for Recommendations post’s place objects in comments

Raja Sudhakar
Nov 19

Summary:

This blog post is about an Insecure Direct Object Reference vulnerability in Facebook's Ask for Recommendations posts. Using it, an attacker could remove the place object card from another user's comments.

Vulnerability Type:

IDOR (Insecure Direct Object References)

Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

Steps to reproduce:

1) Visit any victim's Facebook Recommendation post and find the place objects in its comments.

2) Copy the victim place object's comment_id and rec_id (both are visible in the browser's Inspect view).

3) Now go to the place objects on your own recommendation post.

4) In the right corner, click on the "Delete" option.

5) Before confirming, make sure Burp Suite's Interceptor is turned on to capture the request.

Click "Delete" now; you will see a request like the one below in Burp Suite:

POST /async/place_list/remove_rec/?comment_fbid=1119570281585744&is_spotlight=false&map_state=1&rec_id=110535478973670&rec_type=place&av=100022637353520 HTTP/1.1
Host: www.facebook.com
Connection: close
Content-Length: 668
Origin: https://www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0)

6) Change the comment_fbid parameter value to the victim's comment_id and forward the request.

7) Then change the rec_id parameter value to the victim's rec_id and forward the request.

8) Done.
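The root cause described above is that the server trusted the comment and recommendation ids supplied in the request and never checked that they belonged to the logged-in user. The following is an added illustration, not Facebook's code: a toy model of a remove_rec handler in its vulnerable form beside a fixed form that enforces ownership against the session user. All ids, records and function names here are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, Tuple


@dataclass
class PlaceRec:
    """One place object card attached to a recommendation comment."""
    rec_id: int
    comment_fbid: int
    owner_id: int          # account that created the comment / place object
    deleted: bool = False


def make_store() -> Dict[int, PlaceRec]:
    """Constructed sample data (not real Facebook ids).

    User 100 (the victim) owns rec 1001 on comment 5001.
    User 200 (the attacker) owns rec 2002 on comment 6002.
    """
    return {
        1001: PlaceRec(rec_id=1001, comment_fbid=5001, owner_id=100),
        2002: PlaceRec(rec_id=2002, comment_fbid=6002, owner_id=200),
    }


def _lookup(store: Dict[int, PlaceRec], comment_fbid: int, rec_id: int):
    """Return the record only if rec_id and comment_fbid refer to the same object."""
    rec = store.get(rec_id)
    if rec is None or rec.comment_fbid != comment_fbid:
        return None
    return rec


def remove_rec_vulnerable(store: Dict[int, PlaceRec], session_user_id: int,
                          comment_fbid: int, rec_id: int) -> Tuple[int, str]:
    """IDOR pattern: the ids come straight from the request and the only check is
    that they exist and match each other. The session user is never consulted, so
    any logged-in user can delete any user's place object."""
    rec = _lookup(store, comment_fbid, rec_id)
    if rec is None:
        return 404, "not found"
    rec.deleted = True
    return 200, "removed"


def remove_rec_fixed(store: Dict[int, PlaceRec], session_user_id: int,
                     comment_fbid: int, rec_id: int) -> Tuple[int, str]:
    """Fixed form: the actor is the authenticated session user (never a client-supplied
    parameter such as the av value in the captured URL), and the object must belong to
    that actor before any state change happens."""
    rec = _lookup(store, comment_fbid, rec_id)
    if rec is None:
        return 404, "not found"
    if rec.owner_id != session_user_id:
        # Denied cross-account deletions are worth logging: a burst of them from one
        # session is the detection signal for exactly this kind of probing.
        print(f"DENIED remove_rec: user={session_user_id} rec={rec_id} owner={rec.owner_id}")
        return 403, "forbidden"
    rec.deleted = True
    return 200, "removed"


def demo() -> Tuple[int, int]:
    """Attacker (200) submits the victim's ids (comment 5001, rec 1001) to both handlers."""
    vuln_status, _ = remove_rec_vulnerable(make_store(), 200, 5001, 1001)
    fixed_status, _ = remove_rec_fixed(make_store(), 200, 5001, 1001)
    return vuln_status, fixed_status


if __name__ == "__main__":
    print(demo())
```

The two handlers differ by a single ownership comparison, which is typical of IDOR fixes: the existence and consistency checks were already there, but nothing tied the object to the acting user.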

Video POC:

Timeline:

September 20, 2018 — Initial Report

September 20, 2018 — Report Triaged

October 05, 2018 — Vulnerability Fixed By Facebook

October 09, 2018 — Fixed Confirmed

October 10, 2018 — Bounty awarded by Facebook

CEH | Penetration Tester | BlackHat
