How I could delete Facebook Ask for Recommendations post’s place objects in comments

Raja Sudhakar
Nov 19, 2019 · 2 min read

Summary:

This post describes an Insecure Direct Object Reference (IDOR) vulnerability in Facebook's Ask for Recommendations posts. By reusing the identifiers of a place-recommendation card left on another user's post, an attacker could remove that card from the comments of the victim's post.

Vulnerability Type :

IDOR (Insecure Direct Object References)

Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

Steps to reproduce:

1) Visit any victim's Ask for Recommendations post and locate the place objects (recommendation cards) in its comments.

2) Copy the comment_fbid and rec_id of the victim's place object (both are visible in the page source via Inspect).

3) Now go to the place objects on your own recommendation post.

4) In the top-right corner of a card, open the "Delete" option.

5) Before confirming, make sure Burp Suite's Intercept is turned on so the request is captured.

Click "Delete"; Burp Suite will capture a request like the following:

POST /async/place_list/remove_rec/?comment_fbid=1119570281585744&is_spotlight=false&map_state=1&rec_id=110535478973670&rec_type=place&av=100022637353520 HTTP/1.1
Host: www.facebook.com
Connection: close
Content-Length: 668
Origin: https://www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0)

6) Change the comment_fbid parameter value to the victim's comment_fbid and forward the request.

7) Then change the rec_id parameter value to the victim's rec_id and forward the request.

8) Done: the place object is removed from the victim's post even though the attacker owns neither the post nor the comment.
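To make the root cause concrete, the following is an added example (not code from the write-up or from Facebook) that models the remove_rec endpoint as a small in-memory handler. It shows the vulnerable shape of the handler, which trusts the client-supplied comment_fbid and rec_id, next to a hardened version that authorizes the acting user against the server-side session before deleting anything, and replays a tampered request of the same form as the one captured in Burp against both. All ids, user numbers, the data store and the authorization policy (post owner or comment author may remove a card) are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict
from urllib.parse import parse_qs, urlsplit


class PermissionDenied(Exception):
    """The acting user may not modify the targeted comment."""


@dataclass
class Post:
    post_id: int
    owner_id: int


@dataclass
class Comment:
    comment_fbid: int
    post_id: int
    author_id: int
    recs: Dict[int, str] = field(default_factory=dict)  # rec_id -> place name


@dataclass
class Store:
    posts: Dict[int, Post]
    comments: Dict[int, Comment]


def build_store() -> Store:
    """Constructed sample data with hypothetical ids (not real Facebook ids).

    Victim (user 111) owns post 1; user 333 recommended two places in comment 5001.
    Attacker (user 222) owns post 2, which carries comment 6001 by user 444.
    """
    return Store(
        posts={1: Post(1, 111), 2: Post(2, 222)},
        comments={
            5001: Comment(5001, 1, 333, {9001: "Cafe A", 9002: "Cafe B"}),
            6001: Comment(6001, 2, 444, {9101: "Diner C"}),
        },
    )


def parse_remove_rec_request(request_line: str) -> Dict[str, int]:
    """Extract comment_fbid, rec_id and av from a request line shaped like the
    one captured in the write-up (same path, same query parameter names)."""
    method, target, _version = request_line.split(" ", 2)
    if method != "POST":
        raise ValueError("expected a POST request line")
    parts = urlsplit(target)
    if parts.path != "/async/place_list/remove_rec/":
        raise ValueError("unexpected path: " + parts.path)
    query = parse_qs(parts.query)
    return {name: int(query[name][0]) for name in ("comment_fbid", "rec_id", "av")}


def remove_rec_vulnerable(store: Store, session_user_id: int,
                          comment_fbid: int, rec_id: int) -> bool:
    """Models the pre-fix handler: whatever comment_fbid/rec_id the client sends
    is acted on, with no check that the viewer may touch that comment."""
    comment = store.comments.get(comment_fbid)
    if comment is None or rec_id not in comment.recs:
        return False
    del comment.recs[rec_id]
    return True


def remove_rec_fixed(store: Store, session_user_id: int,
                     comment_fbid: int, rec_id: int) -> bool:
    """Hardened handler: resolve the object, then authorize against the
    server-side session identity before mutating. Assumed policy: the post
    owner or the comment author may remove a card. Unknown comment ids get the
    same error as unauthorized ones, so the endpoint is not an id oracle."""
    comment = store.comments.get(comment_fbid)
    if comment is None:
        raise PermissionDenied(f"comment {comment_fbid}")
    post = store.posts[comment.post_id]
    if session_user_id not in (post.owner_id, comment.author_id):
        raise PermissionDenied(f"user {session_user_id} on comment {comment_fbid}")
    if rec_id not in comment.recs:
        return False
    del comment.recs[rec_id]
    return True


def replay(store: Store, handler: Callable[[Store, int, int, int], bool],
           session_user_id: int, request_line: str) -> str:
    """Replay a captured request as the given logged-in user. The av query
    parameter is only what the client claims; the session decides who acts."""
    ids = parse_remove_rec_request(request_line)
    try:
        removed = handler(store, session_user_id, ids["comment_fbid"], ids["rec_id"])
    except PermissionDenied:
        return "denied"
    return "removed" if removed else "not_found"


# Constructed request: the attacker (av=222) has swapped in the victim's
# comment_fbid and rec_id, as steps 6 and 7 describe.
TAMPERED_REQUEST = (
    "POST /async/place_list/remove_rec/?comment_fbid=5001&is_spotlight=false"
    "&map_state=1&rec_id=9001&rec_type=place&av=222 HTTP/1.1"
)

if __name__ == "__main__":
    for handler in (remove_rec_vulnerable, remove_rec_fixed):
        store = build_store()
        outcome = replay(store, handler, 222, TAMPERED_REQUEST)
        print(f"{handler.__name__}: {outcome}, victim cards left: "
              f"{sorted(store.comments[5001].recs)}")
```

The point the example isolates: the identifiers in the query string only select the object, and the handler has to decide, from the session it trusts rather than from the av parameter the client sends, whether that user is allowed to act on the object it selected.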

Video POC:


Timeline:

September 20, 2018 — Initial Report

September 20, 2018 — Report Triaged

October 05, 2018 — Vulnerability Fixed By Facebook

October 09, 2018 — Fixed Confirmed

October 10, 2018 — Bounty awarded by Facebook
