Skip to main content

Insecure Direct Object Reference (IDOR) Vulnerability on Facebook

IDOR is one of the most dangerous vulnerability if exploited by any attacker. It allows them to take control,alter and delete other users data.


 As we know Facebook started it's bug bounty program since 2011 and through the times it's security was proven,hardened and tested by security researchers around the globe as there were already many vulnerabilities disclosed,fixed and payed.





 "If you can't find  holes in the domain,crawl it's subdomain"--was my technique.

If you notice, there is no checking of layer of security upon accessing the resource, wherein this simply gives the attacker access to the resource freely to alter (delete, rotate and edit the photo caption) just by changing the parameter values of their target:

e.g. https://mbasic.facebook.com/photo.php?fbid=<victim_id>&id=<victim_id>&r_prof.


Thank you Philippe.

To God be the glory.

Flag Counter

Comments

Post a Comment

Popular posts from this blog

Dynatrace (formerly Ruxit) HTML Injection + a bonus find

HTML injections are just minor bugs which allows an attacker to command a webserver to interpret his malicious inputs. The bug relies on the ec parameter. If you put anything after that the website interprets it's function, the cause was lack of proper input validations. Vuln. url: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec= Injected url: https://login.ruxit.com/sso/UI/Login?realm=ruxit&goto=https%3A%2F%2Fiuq72031.live.ruxit.com%2Findex.jsp%3FSHA%3D0&ec= %3Ch1%3E%3Cmarquee%3Einjected%20by%20russel%20van%3C/marquee%3E%3C/h1%3E Immediately they filed a fix to this one. Another logical vulnerability was an information disclosure. This bug is much more sensitive as it shows the programming language used,server and full path disclosures. The bug relies on password reset page after you've sent your email,quite rare logical as behaviors like that rarely exist on sites. Pocs: ...
Post a Comment
Read more

Hootsuite - Breaking it's framebusting code

I noticed that Hootsuite doesn't have a protection for clickjacking  so i tested if it is vulnerable to that attack and it was after submitting the report they immediately deployed a fix: The javascript code for framebusting above breaks your ordinary framing code e.g. \<\iframe \src=\"hootsuite.com\" \width\=\"500\" \height\=\"\500\"\>\<\/\iframe\>\ . Even though trying double-framing strategy (inserting the first frame into the second frame) won't work                                           src: OWASP Defense Sheet                                 So, how do we have been breaking it? A write up from Paulos  Yibelo  regarding facebook clickjacking gave me an idea. The bypass script and the output Thanks for taking time to read. To ...
Post a Comment
Read more