Facebook Vulnerability: Non-unfriendable user in /hacked workflow
When a victim goes to secure his account at facebook.com/hacked, he has an option to delete the friends which he didn't add himself. But I noticed that, when the attacker's account is in the "deactivated" state, the removal doesn't happen even though it shows "1 friend deleted successfully".
The victim cannot remove the attacker as a friend at facebook.com/hacked if the attacker has deactivated his account, which poses a privacy risk if the victim is unaware of the bug.
This was vulnerable on all of the domains:
3) m.facebook.com/hacked and so on...
1. Victim's account was compromised & he became friends with the attacker.
2. After the victim & attacker are friends, the attacker deactivates his Facebook account.
3. Now the victim goes to facebook.com/hacked to secure his account.
4. He clicks on "Friends and Followers".
5. He selects the attacker's name & clicks on "remove".
6. After that it shows "1 person deleted successfully".
7. Now reactivate the attacker's account & observe.
8. Victim & attacker are still friends.
That means none of the changes done at facebook.com/hacked were actually applied while the attacker's account was in the "Deactivated" state.
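To make the failure mode concrete, here is a small added model (my own illustration, not Facebook's code; account names and the handler logic are constructed) of a removal handler that skips deactivated accounts but reports success based on what the user selected, beside a version that acts on the stored friendship and reports only what was actually removed:

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    uid: str
    active: bool = True                  # False models a "deactivated" account
    friends: set = field(default_factory=set)

def befriend(accounts, a, b):
    accounts[a].friends.add(b)
    accounts[b].friends.add(a)

def remove_friends_buggy(accounts, victim_id, selected):
    """Hypothetical handler with the defect from the report: the lookup
    skips deactivated accounts, yet the count echoes the user's selection."""
    victim = accounts[victim_id]
    for uid in selected:
        other = accounts[uid]
        if not other.active:
            continue                     # deactivated -> nothing happens
        victim.friends.discard(uid)
        other.friends.discard(victim_id)
    return len(selected)                 # "1 friend deleted successfully"

def remove_friends_fixed(accounts, victim_id, selected):
    """Acts on the stored friendship regardless of the other account's
    state and reports only what was actually removed."""
    victim = accounts[victim_id]
    removed = 0
    for uid in selected:
        other = accounts.get(uid)
        if other is None or uid not in victim.friends:
            continue                     # not a friend: do not count it
        victim.friends.discard(uid)
        other.friends.discard(victim_id)
        removed += 1
    return removed

def scenario(remove):
    """Replays steps 1-8 of the write-up with constructed accounts; returns
    (reported_count, still_friends_after_reactivation)."""
    accounts = {"victim": Account("victim"), "attacker": Account("attacker")}
    befriend(accounts, "victim", "attacker")             # step 1
    accounts["attacker"].active = False                  # step 2: attacker deactivates
    reported = remove(accounts, "victim", ["attacker"])  # steps 3-6
    accounts["attacker"].active = True                   # step 7: reactivate
    return reported, "attacker" in accounts["victim"].friends  # step 8
```

The buggy handler returns a count of 1 while the friendship survives reactivation; the fixed one both removes the edge and reports a count that matches what changed.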
Jan 13: Report Sent
Jan 16: Triaged by Fredrick (directly)
Mar 07: Patched by Facebook
Mar 26: Bounty of $500 awarded
Upon further investigation, I found out that the bug was not patched on touch.facebook.com/hacked, because it has a different UI compared to the other subdomains.
Mar 26: Report Sent
Mar 28: Reproduced by Dinesh
Mar 28: Triaged by Stewie
Apr 08: Patched by Facebook
Again, I noticed that no changes were made to the affected product (0% changes). I still wonder why they sent me the fix confirmation message.
Apr 08: I replied about the bad patch
May 10: Triaged by Stewie
Jun 11: Fixed by Facebook
Thankfully, this time, they did the perfect patch xD
Jun 11: I confirmed the fix
Jun 11: Bounty of $1000 awarded
So total bounty for this vulnerability is $500+$1000 = $1500. Lucky enough ;)
- Check for the bug in all the sub-domains
- Try to use “Deactivation” and “Blocking” in the weirdest ways possible. Think ahead of the developer.
Thanks for reading! Hope you enjoyed the approach to the vulnerability & my lucky story. Visit me on Facebook.
See you soon :-)