FB user birth year Disclosure via “IDOR in m.facebook.com”

This is a continuation of my previous blog post, if you want to read the first part via(https://medium.com/@rajsek/curiosity-and-passion-to-your-profession-might-lead-to-make-your-dream-come-true-7d9be3c6029a)

My second report was very simple, To confirm their fix on my 1st bug report. I tried to analysing on facebook mobile website [m.facebook.com] timeline pattern.

  1. The url patter https://m.facebook.com/UserID/year/<actual Year>gives the post and life time event happened in that timeline
  2. So I believe by sending the “Get” request in sequence by changing the year with victim’s user id, should return the victims birth post on their birth year
m.facebook.com site “birth timeline” post screenshot

3. This behaviour disclose the victim’s Birth year to other.

4. Then I have created web application and used below node script to automate the above process (for normal user)

Created Web application.
Note: Sry guys, FB Team already patched/fixed this BUG. So above mentioned application wont work as expected

5. Following are my key node.js script which gives birth year of the user

6. Following are the Facebook resonance on my second Bug Report

I wish to thank my uncle Thirumurugan and all my Friends(US [Vinoth],Endrum 16 [Ashwin],Singapore [Karthi],Maga Nadigan[Harsha]) & families for their support and concern.
Special thanks to My mentor Keerthivasan ,Loordhu Swamy, Joel Thomas, my lead Rajkumar and all other TCS colleague members for their continuous guidance and support,which made me do analysis on next two Facebook security bugs.

if you feel interested to read my previous and next continuation of this blog post, via below links,
1. 1st part: FB users birth year disclosed via FB Timeline profile source code “data attribute”

2. 3rd part: DOB disclosed using “Facebook Graph API Reverse Engineering

Please share your comments on this POC..