Adding anyone including non-friend and blocked people as co-host in personal event!

This IDOR vulnerability in the Facebook Events platform allowed an attacker profile to add anyone as co-host in his/her personal event including non-friends, non-friends-of-friends and people who have blocked him/her.

Summarizing the vulnerability

When you are creating an event from your personal profile on Facebook, Facebook would ask you to select friends who you want to add as co-hosts for the event.

For this vulnerability to be reproduced, you would have to select a friend as co-host and while submitting the request to Facebook, you would have to replace his/her profile ID with the profile ID of someone who is neither your friend, nor any of your friends-of-friends (i.e. either non-friends-of-friends or blocked people).

Taking an advantage of this vulnerability, an attacker would be able to add anyone including non-friends-of-friends and blocked people (people he/she has blocked and people who have blocked him/her) as co-host in his/her personal event on Facebook.

The Facebook Security Team issued a bounty amount of $750 for responsibly reporting this vulnerability.

Requirements

  • A PC with a web browser
  • An Internet connection, and no geographical restriction on the usage of Facebook
  • Three Facebook accounts; User A, User B and User C.
    User    | User ID
    User A  | 1337
    User B  | 1008
    User C  | 31337
  • User A is the event host.
  • User B is a friend of User A. User B has no role in the event, but is needed as the initially selected co-host so that the create-event request can be intercepted.
  • User C is a person completely unknown to both User A and User B, and is not friends with either of them.

Reproduction Steps

Step 1

Log in to User A's account on the web version of Facebook, and then visit facebook.com/events

Step 2

Click on "Create Event" and select any of the options among private and public events.

Step 3

Select User A in the Event Host drop-down list. (The drop-down list only appears if User A manages pages; otherwise User A is the only option and is selected by default, so nothing needs to be done in this step.)

Step 4

Fill in all the fields in any way you want, and in the Co-hosts field, enter "User B" and select User B.

Step 5

Before clicking on the "Create" button, start intercepting requests with Burp Suite, OWASP ZAP, or any similar tool.

Step 6

Click on the "Create" button, and keep forwarding all the requests until you see a request which looks like this:

POST /ajax/create/event/submit/?title=[EventName]&description=[Description]&location=...&location_id=....&location_latlong[latitude]=...&location_latlong[longitude]=...&cover_focus[x]=0.5&cover_focus[y]=0.5&only_admins_can_post=true&post_approval_required=false&co_hosts[0]=1008&start_date=11%2F25%2F2019&start_time=7200&end_date=11%2F25%2F2019&end_time=18000&timezone=........ HTTP/1.1

Here, 1008 = User ID of User B

Step 7

Replace the value of the co_hosts[0] parameter with the User ID of a non-friend, i.e. User C (31337), and then forward the request. The event will now be created.

Step 8

When you click on "1 co-host pending", you will see that User C has been successfully added as a co-host of the event.

Step 9

Now, log in to User C's account, and you will see a notification saying "User A made you a host of his/her event [EventName]."

Exceptional Case

If User C has blocked User A, the same steps still work without any issue. In that case, User C won't be able to see the event, because User A is blocked, but User A will still see User C in the pending co-host list.
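The root cause is that the server trusted the client-supplied co_hosts[n] IDs without re-checking the relationship between host and co-host. The following is an added illustration (not Facebook's code) of the vulnerable handling beside a hardened version that re-validates each ID server-side; the friend and block data, the FRIENDS and BLOCKED_BY structures and the sample request are all constructed for this example, using the User IDs from the table above.

```python
from urllib.parse import urlsplit, parse_qs

# Constructed sample data mirroring the write-up: User A (1337) is the host,
# User B (1008) is A's friend, User C (31337) is unrelated. The hypothetical
# block list covers the "Exceptional Case" (User C has blocked User A).
FRIENDS = {1337: {1008}, 1008: {1337}, 31337: set()}
BLOCKED_BY = {1337: set(), 1008: set(), 31337: {1337}}  # 31337 has blocked 1337

# Constructed request path in the shape of the Step 6 request, after tampering:
# co_hosts[1] carries a non-friend ID (other parameters trimmed).
SAMPLE_REQUEST = ("/ajax/create/event/submit/?title=Party&only_admins_can_post=true"
                  "&co_hosts[0]=1008&co_hosts[1]=31337&start_date=11%2F25%2F2019")

def parse_co_hosts(request_path):
    """Extract the co_hosts[n] user IDs from the submit request's query string."""
    qs = parse_qs(urlsplit(request_path).query)
    ids = []
    for key, values in qs.items():
        if key.startswith("co_hosts["):
            ids.extend(int(v) for v in values)
    return ids

def create_event_vulnerable(host_id, request_path):
    """Before the fix: every submitted co_hosts[n] ID is accepted unchanged."""
    return {"host": host_id, "pending_co_hosts": parse_co_hosts(request_path)}

def co_host_allowed(host_id, candidate_id):
    """A co-host must be a friend of the host, and neither side may have blocked the other."""
    if candidate_id == host_id:
        return False
    if candidate_id not in FRIENDS.get(host_id, set()):
        return False
    if host_id in BLOCKED_BY.get(candidate_id, set()):
        return False
    if candidate_id in BLOCKED_BY.get(host_id, set()):
        return False
    return True

def create_event_hardened(host_id, request_path):
    """After the fix: the server re-checks each ID, so a tampered co_hosts[n] is rejected."""
    requested = parse_co_hosts(request_path)
    rejected = [uid for uid in requested if not co_host_allowed(host_id, uid)]
    if rejected:
        raise PermissionError(f"co-host IDs not permitted for host {host_id}: {rejected}")
    return {"host": host_id, "pending_co_hosts": requested}
```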

Responsible Disclosure Timeline

Major Highlights

  • Vulnerability Reported: November 25, 2019
  • Reproduced and Triaged: December 18, 2019
  • Patch Confirmation: January 21, 2020
  • Bounty Amount Rewarded: January 24, 2020

Full Timeline

  • November 25, 2019: Submitted the vulnerability report
  • November 28, 2019: Someone requested a little more information, and I responded with the requested information and a Proof-of-Concept (PoC) video.
  • December 4, 2019: Someone requested Whitehat test account credentials, and I responded with the required credentials.
  • December 7, 2019: Someone requested more information, and I responded with the required information.
  • December 10, 2019: Someone responded with the exact error they were getting in the response and requested a new PoC video showing all the steps, starting from the creation of the Whitehat test account.
  • December 11, 2019: I provided them the new PoC video as requested (drive.google.com/open?id=1ANHN1wXzj8U10H7GU..).
  • December 14, 2019: Someone asked whether the victim was able to remove themselves as co-host from the event, and I responded that the victim was unable to reject the request to be added as co-host, and would automatically become visible to the public as a co-host of the event right after clicking on "Interested" or "Going".
  • December 18, 2019: Successful reproduction of the vulnerability (someone stated that the information I provided in my last response would help the team get a fuller picture when sending the report to the product team).
  • December 18, 2019: I responded that I would be looking forward to answering further queries.
  • December 18, 2019: Triaged (the security team sent the report to the product team for further investigation).
  • December 18, 2019: I responded that I would be looking forward to seeing what the product team had to say regarding the vulnerability report.
  • January 8, 2020: I asked the team to let me know if there was anything new regarding the vulnerability report.
  • January 10, 2020: Someone responded that they would notify me as soon as there was a change regarding the vulnerability report, and I responded that I would be looking forward to being notified about any such changes.
  • January 21, 2020: Someone requested vulnerability patch confirmation, but I wasn't aware of this response, so I couldn't respond.
  • January 24, 2020: Bounty amount rewarded.
  • January 24, 2020: I thanked the security team, apologized for not being able to respond on January 21 because I hadn't been active on Facebook for a few days, and mentioned updating the name to be included in the Thanks page of 2019.
  • January 28, 2020: Someone responded appreciating my response and kind words, and left a message regarding the name to be included in the Thanks page, to which I sent a couple of responses.
  • February 6, 2020: Someone responded stating that they had updated the hall of fame page as per my request.
  • February 6, 2020: I responded stating that I could see my name included in the Thanks page of 2019.

Check out the Facebook Whitehat Thanks page: facebook.com/whitehat/thanks!