FB users' birth year disclosed via FB Timeline profile source code "data attribute"

“Curiosity and passion for your profession might make your dream come true.”
1. How many of you think that private information (like date of birth) is secure on social networking sites?
2. How many of you know that we can earn a thousand-plus US dollars while browsing Facebook?

I would like to share the story of how my name got listed in 7th place (among 120+ people) on the Facebook white hat hacker thanks page, by reporting three security bugs in their system.

Using these Facebook bugs, I was able to get the full DOB of any other FB user irrespective of their privacy settings.

Screen shot taken around May 2015

To recognise my work, the Facebook team also rewarded me 10k+ USD.

Before that, let me introduce myself: I am Raja Sekar Durairaj (ராஜ சேகர் துரைராஜ்), working for TCS Chennai. Like most youngsters, I also spend most of my time on Facebook. Our family members might get pissed off at us and tell us to do some valuable job rather than wasting time on Facebook.

Earlier, I never thought my name would be listed on the Facebook white-hat thanks page (www.facebook.com/whitehat/thanks). One night, I got a Facebook birthday notification for my mentor. Somehow I got interested in knowing his age, and when I searched for his birth year on Facebook, it seemed he had intentionally hidden his birth year from others.

My instinct said that there should be some way to get his birth year. So I started analysing the FB timeline, which led me to the proof of concept below.

1st Proof of Concept:

1. Facebook follows some pattern/order to display the posts in the timeline. I started to look into the source code of the Birth timeline post of my mentor (as shown below).
My mentor's Facebook “Born timeline” post and the respective HTML source code of that post
HTML source code of that Birth post

2. As shown in the above image, I noticed a bunch of junk numbers in the source code. Then I started exploring those junk numbers and found the below pattern in them:

"thid":"Fb_User_ID:306061129499414:32:126210600:157746600:Birth_Post_ID"

3. I guessed that the above highlighted strings might be a UNIX representation of time, so I decoded the above string as follows

4. Then I thought the FB developers might have trimmed the last few digits, so I started repeating the above process by appending zeros at the end.

5. My 3rd attempt gave me the exact birth year of my mentor.

6. Then I automated the above process using a Google extension (used the above JavaScript code).

Screenshot of the Google extension which finds the victim's birth year

7. Using a network request/response analysis tool, I found that, except for the Windows platform, this bug is present on all other FB platforms (Android, Web, Mobile Web - m.facebook.com).

8. On Mar 30, 2015 3:18am I reported and sent the POC to the FB Security team via their page (https://www.facebook.com/whitehat/report/).

10. Please find below the response of the FB Security Team.

Their words, “Please follow up with us if you believe that the patch does not resolve this issue”, made me analyse their patch fix, which in turn helped me find my 2nd security data leakage bug in Facebook (link).
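Added example (not part of the original post, and not Facebook's code): a regression check a site owner could run over rendered markup to catch the leak pattern from steps 2 to 5, where a hidden birth year survives as a possibly digit-trimmed Unix timestamp inside a data attribute. The function name, the data-meta attribute and both sample markups are constructed, and the check covers years from 1970 onward only.

```javascript
// Privacy regression check: does rendered markup still carry a number that
// decodes to the year the user chose to hide? Run it server-side or in CI
// against pages rendered for a viewer who must NOT see the birth year.
const DAY = 86400; // seconds

// Returns every numeric token that lands inside `hiddenYear` when read as
// Unix seconds, either as-is or with 1..maxPad zeros appended (trimmed digits).
// The window is widened by one day on each side to absorb time-zone offsets.
function findYearLeaks(markup, hiddenYear, maxPad = 3) {
  const lo = Date.UTC(hiddenYear, 0, 1) / 1000 - DAY;
  const hi = Date.UTC(hiddenYear + 1, 0, 1) / 1000 + DAY;
  const leaks = [];
  const seen = new Set();
  // Whole digit runs of 6 to 13 digits; shorter runs cannot encode a year
  // from 1970 onward, even after padding.
  for (const match of markup.matchAll(/(?<!\d)\d{6,13}(?!\d)/g)) {
    const token = match[0];
    if (seen.has(token)) continue;
    seen.add(token);
    for (let pad = 0; pad <= maxPad; pad++) {
      const seconds = Number(token) * 10 ** pad;
      if (seconds >= lo && seconds <= hi) {
        const decoded = new Date(seconds * 1000).toISOString();
        leaks.push({ token, pad, decoded });
        break;
      }
    }
  }
  return leaks;
}

// Constructed sample: colon-separated fields shaped like the "thid" value,
// with the year boundaries of 1985 stored minus their last two digits.
const LEAKY_MARKUP =
  '<div data-meta=\'{"thid":"1000001:2000002:32:4733856:5049216:3000003"}\'>Born</div>';
// Constructed sample after a fix: the time fields are no longer rendered.
const CLEAN_MARKUP =
  '<div data-meta=\'{"thid":"1000001:2000002:32:3000003"}\'>Born</div>';

for (const [name, markup] of [["leaky", LEAKY_MARKUP], ["clean", CLEAN_MARKUP]]) {
  const leaks = findYearLeaks(markup, 1985);
  console.log(name, leaks.length ? leaks : "no year-revealing tokens");
}
```

A check like this belongs next to the privacy-setting tests for every client surface, since step 7 above shows the same field reaching several platforms.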

I wish to thank my uncle Thirumurugan and all my friends (US [Vinoth], Endrum 16 [Ashwin], Singapore [Karthi], Maga Nadigan [Harsha]) and my family for their support and concern.
Special thanks to my mentor Keerthivasan, Loordhu Swamy, Joel Thomas, my lead Rajkumar and all my other TCS colleagues for their continuous guidance and support, which made me do analysis on the next two Facebook security bugs.

If you are interested in reading the continuation of this blog post, kindly click the links below:
1. 2nd part: FB user birth year Disclosure via “IDOR in m.facebook.com”

2. 3rd part: DOB disclosed using “Facebook Graph API Reverse Engineering”

Please share your comments on this POC.