How I could delete Facebook Ask for Recommendations post’s place objects in comments
Summary:
This blog post is about an Insecure direct object reference vulnerability in Facebook Ask for Recommendations post. using attacker could have remove place object card in comments.
Vulnerability Type :
IDOR (Insecure Direct Object References)
Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
Steps to reproduce:
1) Visit any Victim’s Facebook Recommendation post and find out place objects in comments.
2) Copy victim place object’s comment_id and rec_id (which is available in inspect).
3) Now goto your recommendation post’s place objects.
4) Now on the right corner click on “Delete” option.
5) Now before posting make sure Burp Suite’s Interceptor is turned on to capture the request.
Click on “Delete” now, you will see below kind of request in Burp suite:
POST
/async/place_list/remove_rec/?comment_fbid=1119570281585744&is_spotlight=false&map_state=1&rec_id=110535478973670&rec_type=place&av=100022637353520 HTTP/1.1Host: www.facebook.comConnection: closeContent-Length: 668Origin: https://www.facebook.comUser-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0)
6) Now change the comment_id parameter value to victim’s comment_id and Forward the request.
7) Then now change rec_id parameter value to victim’s rec_id and Forward the request.
8) Done.
Video POC:
Timeline:
September 20, 2018 — Initial Report
September 20, 2018 — Report Triaged
October 05, 2018 — Vulnerability Fixed By Facebook
October 09, 2018 — Fixed Confirmed
October 10, 2018 — Bounty awarded by Facebook
