Facebook Vulnerability: Non-unfriendable user in /hacked workflow

Ritish Kumar Singh
Jun 11 · 3 min read

Description:

When a victim goes to secure his account at facebook.com/hacked, he has an option to delete the friends that he didn’t add himself. But I noticed that, when the attacker’s account is in the "deactivated" state, the removal doesn’t happen even though it shows "1 friend deleted successfully".

Impact:

The victim cannot remove the attacker as a friend at facebook.com/hacked if the attacker has deactivated his account. This poses a privacy risk if the victim is unaware of the bug.

Scope:

This was vulnerable on all the domains:

1) www.facebook.com/hacked

2) mbasic.facebook.com/hacked

3) m.facebook.com/hacked and so on...

Steps:

1. The victim’s account was compromised and he became friends with the attacker.

2. Once victim and attacker are friends, the attacker deactivates his Facebook account.

3. Now the victim goes to facebook.com/hacked to secure his account.

4. He clicks on "Friends and Followers".

5. He selects the attacker’s name and clicks on "Remove".

6. After that it shows "1 person deleted successfully".

7. Now reactivate the attacker’s account and observe.

8. Victim and attacker are still friends.

Conclusion:

That means the changes made at facebook.com/hacked were not actually applied when the attacker’s account was in the "Deactivated" state, even though the UI reported success.
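To make the failure mode concrete, here is an added example that is not part of the original post and is not Facebook's code: a hypothetical in-memory friend graph with two removal handlers. The buggy one only acts on friends that are currently visible (deactivated accounts are hidden from the listing) but still reports every selected person as deleted; the fixed one acts on the friendship edge itself and derives its message from what was actually removed. The `reproduce` helper replays steps 1 to 8 of the report against each handler. All names and structures here are assumptions made for illustration.

```python
from dataclasses import dataclass, field


@dataclass
class Account:
    uid: str
    active: bool = True  # False models a "deactivated" account


@dataclass
class FriendGraph:
    """Hypothetical model of the friend graph (not Facebook's real storage)."""
    accounts: dict = field(default_factory=dict)
    edges: set = field(default_factory=set)  # each edge is frozenset({a, b})

    def add_account(self, uid, active=True):
        self.accounts[uid] = Account(uid, active)

    def befriend(self, a, b):
        self.edges.add(frozenset((a, b)))

    def are_friends(self, a, b):
        return frozenset((a, b)) in self.edges

    def visible_friends(self, uid):
        """Friends as a profile-style listing shows them: deactivated accounts
        are hidden, even though the friendship edge still exists."""
        return {
            other
            for edge in self.edges if uid in edge
            for other in edge if other != uid and self.accounts[other].active
        }


def remove_friends_buggy(graph, uid, to_remove):
    """Buggy handler (assumed, for illustration): only edges to visible, i.e.
    active, friends are deleted, yet the message counts every selected id."""
    for other in to_remove:
        if other in graph.visible_friends(uid):
            graph.edges.discard(frozenset((uid, other)))
    return {"removed": list(to_remove), "failed": [],
            "message": f"{len(to_remove)} person(s) deleted successfully"}


def remove_friends_fixed(graph, uid, to_remove):
    """Hardened handler: act on the edge regardless of the other account's
    activation state, and report only what was actually removed."""
    removed, failed = [], []
    for other in to_remove:
        edge = frozenset((uid, other))
        if edge in graph.edges:
            graph.edges.remove(edge)
            removed.append(other)
        else:
            failed.append(other)
    message = f"{len(removed)} person(s) deleted successfully"
    if failed:
        message += f"; could not remove {len(failed)}: {', '.join(failed)}"
    return {"removed": removed, "failed": failed, "message": message}


def reproduce(remove_fn):
    """Replay the report's steps 1-8 against a fresh graph.
    Returns (still_friends_after_reactivation, message_shown_to_victim)."""
    g = FriendGraph()
    g.add_account("victim")
    g.add_account("attacker")
    g.befriend("victim", "attacker")               # step 1: they become friends
    g.accounts["attacker"].active = False          # step 2: attacker deactivates
    result = remove_fn(g, "victim", ["attacker"])  # steps 3-6: removal via /hacked
    g.accounts["attacker"].active = True           # step 7: attacker reactivates
    return g.are_friends("victim", "attacker"), result["message"]  # step 8


if __name__ == "__main__":
    for fn in (remove_friends_buggy, remove_friends_fixed):
        still_friends, msg = reproduce(fn)
        print(f"{fn.__name__}: message={msg!r}, still friends={still_friends}")
```

The defensive point is in the last few lines of each handler: the buggy version builds its confirmation from the request, the fixed version builds it from the write it performed. A success message that is not tied to the number of records actually changed is the signal to look for when auditing any "remove", "unlink" or "revoke" flow, and the same check catches the case where a selected id simply does not match an existing edge.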

Timeline:

Jan 13: Report Sent

Jan 16: Triaged by Fredrick (directly)

Mar 07: Patched by Facebook

Mar 26: Bounty of $500 awarded

Upon further investigation, I found out that the bug was not patched on touch.facebook.com/hacked, because it has a different UI compared to the other subdomains.

Mar 26: Report Sent

Mar 28: Reproduced by Dinesh

Mar 28: Triaged by Stewie

Apr 08: Patched by Facebook

Again, I noticed that no changes were made to the affected product (0% changes). I still wonder why they sent me the fix confirmation message.

Apr 08: I replied about the bad patch

May 10: Triaged by Stewie

Jun 11: Fixed by Facebook

Thankfully, this time, they did the perfect patch xD

Jun 11: I confirmed the fix

Jun 11: Bounty of $1000 awarded

So total bounty for this vulnerability is $500+$1000 = $1500. Lucky enough ;)

My Message:

  1. Check for the bug in all the sub-domains
  2. Try to use “Deactivation” and “Blocking” in the weirdest ways possible. Think ahead of the developer.

Thanks for reading! Hope you enjoyed the approach to the vulnerability and my lucky story. Visit me on Facebook.

See you soon :-)

Written by Ritish Kumar Singh, Facebook "Hall of Famer"