Bypassed Facebook Phone Number Security

=======================================

Enumeration vulnerabilities which demonstrate that a given e-mail address or mobile phone number is tied to “a Facebook account” are not eligible under the bug bounty program. This is true whether the endpoint returns only confirmed items, or both confirmed and unconfirmed. In the absence of the user ID that the e-mail/mobile number is linked to, this behavior is considered extremely low risk.

Vulnerabilities which allow an attacker to determine which specific user ID an e-mail address or mobile phone number is linked to MAY be rewarded under the bug bounty program, but ONLY if they do this in violation of appropriate privacy settings on the specific user account regarding who can look up the user via the e-mail/mobile number.

=======================================

I discovered this vulnerability when I was testing the Facebook account recovery form. (However, that form was only available to users who had registered their Facebook ID with a phone number.)

Description and Impact:

Even if a user had set the privacy option “Who can look you up using the phone number you provided?” to Friends Only, an attacker was able to see which specific user ID a phone number was linked to, with the help of that account recovery form.

Reproduction Steps:

  1. Go to “Forgotten password?”
  2. Type a phone number to which a Facebook ID is linked.
  3. Now click “No longer have access to these”.
  4. Type your new email address twice.
  5. Fill out the form with fake information and click “Submit”.
  6. The Support Dashboard opens, where the self-identified UID is visible to the attacker.

Screenshots:

Facebook accepted my bug and awarded me 1500 USD for it.

After it was successfully patched and I got a bounty, I disclosed this bug to my friends.

But I was curious about that form, so I tested it again and saw that the vulnerability was patched only in the Support Dashboard, and I was still able to exploit this bug with changed behaviour.

“They patched getting the user ID in the email on the first attempt, but the server was still sending the user ID of that specific phone number if we made a second attempt with the same email.”

Steps to reproduce the same bug with changed behaviour:

  1. Go to “Forgotten password?”
  2. Type a phone number to which a Facebook ID is linked.
  3. Now click “No longer have access to these”.
  4. Type your new email address twice.
  5. Fill out the form with fake information and click “Submit”.
  6. The Support Dashboard opens, but this time the self-identified UID is not visible in it (because the bug has been patched).
  7. Check the email; the user ID is not there either.
  8. Go to “Forgotten password?” again.
  9. Type the same phone number.
  10. Repeat the same steps with the same email we used in the first bug.
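The two reports above describe one root cause seen through two surfaces: the recovery flow resolves the phone number to an account and copies that UID into the ticket, and the first fix only stopped one surface (the dashboard) from rendering it, while the repeat-submission path still put it in the email. The following is an added toy model of that pattern, written for this page; it is not Facebook's code, and every class, field and phone number in it (Account, RecoveryService, self_identified_uid, the sample accounts) is constructed for illustration. It contrasts the original leak, a presentation-layer-only patch that a second attempt with the same email walks around, and a hardened version that makes the “who can look you up” decision once, at the lookup layer, so that every surface renders the same filtered view.

```python
"""Toy model of the recovery-form UID leak (constructed example, not Facebook's code).

  VulnerableRecovery       - copies the matched UID into every requester-facing artifact
  PartiallyPatchedRecovery - strips the UID from the dashboard only; a repeat submission
                             with the same email re-sends the stored ticket, UID included
  HardenedRecovery         - privacy decision made once at lookup time; every surface
                             renders the same filtered view
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Account:
    uid: int
    phone: str
    friends: frozenset   # UIDs allowed to find this account by phone
    phone_lookup: str    # "everyone" or "friends" ("Who can look you up...")


# Constructed sample data: 1001 restricts phone lookup to friends, 1002 allows everyone.
ACCOUNTS = [
    Account(uid=1001, phone="+15550100", friends=frozenset({2001}), phone_lookup="friends"),
    Account(uid=1002, phone="+15550200", friends=frozenset(), phone_lookup="everyone"),
]


class RecoveryService:
    """Shared store, phone lookup and a per-(phone, email) ticket cache."""

    def __init__(self, accounts):
        self.by_phone = {a.phone: a for a in accounts}
        self.tickets = {}

    def _match(self, phone) -> Optional[Account]:
        return self.by_phone.get(phone)

    def submit(self, phone, contact_email, requester_uid=None):
        """Return {"dashboard": {...}, "email": {...}} as shown to the requester."""
        raise NotImplementedError


class VulnerableRecovery(RecoveryService):
    def submit(self, phone, contact_email, requester_uid=None):
        acct = self._match(phone)
        ticket = {"phone": phone, "contact": contact_email,
                  "self_identified_uid": acct.uid if acct else None}
        # Bug: the matched UID reaches every requester-facing surface,
        # regardless of the account's lookup privacy setting.
        return {"dashboard": dict(ticket), "email": dict(ticket)}


class PartiallyPatchedRecovery(RecoveryService):
    @staticmethod
    def _strip(ticket):
        return {k: v for k, v in ticket.items() if k != "self_identified_uid"}

    def submit(self, phone, contact_email, requester_uid=None):
        key = (phone, contact_email)
        if key in self.tickets:
            # Repeat submission: the "existing ticket" path was never patched,
            # so the confirmation email still carries the stored UID.
            ticket = self.tickets[key]
            return {"dashboard": self._strip(ticket), "email": dict(ticket)}
        acct = self._match(phone)
        ticket = {"phone": phone, "contact": contact_email,
                  "self_identified_uid": acct.uid if acct else None}
        self.tickets[key] = ticket
        # Patch applied at the rendering layer only, and only on this path.
        return {"dashboard": self._strip(ticket), "email": self._strip(ticket)}


class HardenedRecovery(RecoveryService):
    def _may_lookup(self, acct: Account, requester_uid) -> bool:
        if acct.phone_lookup == "everyone":
            return True
        # Friends-only: an unauthenticated requester (None) is never a friend.
        return requester_uid is not None and requester_uid in acct.friends

    def submit(self, phone, contact_email, requester_uid=None):
        acct = self._match(phone)
        # Support staff keep the real linkage internally ...
        self.tickets[(phone, contact_email)] = {
            "phone": phone, "contact": contact_email, "linked_uid": acct.uid if acct else None}
        # ... but the requester view is computed once, with the privacy check,
        # and reused by every surface, so no surface can forget it.
        disclose = acct is not None and self._may_lookup(acct, requester_uid)
        view = {"phone": phone, "contact": contact_email,
                "self_identified_uid": acct.uid if disclose else None}
        return {"dashboard": dict(view), "email": dict(view)}


def leaked_uids(service, phone, contact_email, attempts=2, requester_uid=None):
    """Run the flow `attempts` times; list the UID exposed per attempt (None if neither
    the dashboard nor the email reveals one)."""
    exposed = []
    for _ in range(attempts):
        out = service.submit(phone, contact_email, requester_uid)
        uid = out["dashboard"].get("self_identified_uid") or out["email"].get("self_identified_uid")
        exposed.append(uid)
    return exposed


if __name__ == "__main__":
    for cls in (VulnerableRecovery, PartiallyPatchedRecovery, HardenedRecovery):
        print(cls.__name__, leaked_uids(cls(ACCOUNTS), "+15550100", "attacker@example.com"))
```

Run against the friends-only account as an anonymous requester, the vulnerable service exposes 1001 on both attempts, the partially patched one exposes nothing on the first attempt and 1001 on the second (the behaviour of the second report), and the hardened one exposes nothing; the same hardened service still returns the UID for the "everyone" account, or to a requester who is actually a friend, which is the behaviour the bounty policy quoted above treats as acceptable.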

Screenshots:

I got a reply from Facebook, but in this reply I am not getting the user ID of that number. Now let's do the second attempt.

This time I am getting the self-identified UID in the email (highlighted).

:)

I reported it to Facebook and got a reply from admin Reginaldo:

========================================

Hi Zahid,

Ah, I see what’s happening here. Can you still reproduce this? It has the same root cause as your other report #314709118, so the fix for #314709118 should have fixed this one too. As we get a lot of submissions, we’ll close this ticket while we wait for more info from you. If you do find that the issue still reproduces, please reply to this email and the ticket will re-open and we can take another look.

Thanks for your submission.

Reginaldo
Security
Facebook

========================================

I replied that yes, I was still able to reproduce this bug. And then I got a reply from admin Neal:

========================================

Hi Zahid,

We have looked into this issue and believe that the vulnerability has been patched. New tickets going forward should not contain the information. Please follow up with us if you believe that the patch does not resolve this issue.

Neal
Security
Facebook

========================================

I replied, “Yes, the bug has been patched now.”

I wasn’t expecting a bounty for that report; I thought they would merge the reports.

But then I got a reply from admin Neal:

========================================

Hi Zahid,

Awesome, thanks for confirming! We will be in touch about bounty information in the next few days.

Thanks,

Neal
Security
Facebook

========================================

And then I got awarded again for the same bug with changed behaviour.

That was a surprise bounty for me :)