Delete any Photo from Facebook by Exploiting Support Dashboard (opens in new tab)

(arulxtronix.blogspot.in)

114 pointscostapopescu12y ago31 comments

31 comments

This guy was lucky to be proficient enough in English to recieve the bounty, unlike this guy: http://www.theverge.com/2013/8/18/4633046/facebook-security-...

mistercow12y ago

Sounds to me like the big difference here is that this guy made a video when he couldn't communicate verbally (honestly seems like a smart way to do it even if American English is your first language; describing UI interactions verbally is generally pretty non-trivial). And critically, he did not actually use the exploit against another user. He just showed that he could have.

Argorak12y ago

He might even get into Y combinator, if he tried.

There, I did it. Haha.

Can we stop beating dead horses, we all read Hacker News around here?

sp33212y ago

That was a dig at Facebook, not pg or YC.

Argorak12y ago

That was a complaint about the style of posting, not about pg, YC or Facebook.

Buge12y ago

The problem with that guy is that he didn't use a test account and tested it on a random girl without her permission.

lifeformed12y ago

Facebook should make a "Hack Me" profile for people to mess with, so they don't have to use Zuckerberg's instead.

citricsquid12y ago

https://www.facebook.com/whitehat/accounts/

barrkel12y ago

That just gives out the same info as https://www.facebook.com/whitehat/, unless (I speculate) you already have a Facebook account and are logged in.

remi12y ago

When logged in, it shows the test account dashboard: http://i.imgur.com/Wh72kJF.png

singold12y ago

Maybe now we can delete our own facebook photos...

pearjuice12y ago

Is it still worth it to follow every link on Facebook and check the URLs/AJAX requests whether the parameters can be tampered with? At Facebook's scale I always assumed there would be someone full-time employed to do this. In fact, I wouldn't mind if it was good paying. Just give me all the Facebook frontend endpoints and I will go by them one-by-one. Manually. I will even document the test cases and what could be intercepted, changed or can be improved in terms of validation.

GuiA12y ago

Two people have done it publicly and successfully over the past month or so, so yeah, I would argue that it might be worth it.

loceng12y ago

Facebook really doesn't test anything for security vulnerabilities before pushing to production, do they?

ffk12y ago

They most likely do test for security vulnerabilities. However, the attack surface and overall complexity is so large that things will slip by even with the most rigorous testing.

For now, the best you can hope for is a layered defense and rigorous dev and ops practices to help minimize the attack surface and reduce the overall damage a single successful attack can achieve.

Robin_Message12y ago

Putting the user id in the request is obviously wrong, since the owner can looked up from the photo id.

Automated testing/fuzzing could find this, but probably better training/practices would be easier to get right and save time/money in the long run.

bunkat12y ago

I think this is one of the things that Microsoft did a pretty good job with. There is a security process in place that every product goes through for every release. While it still can't catch everything, even the simplest of threat models would have caught a bug like this.

While Facebook most likely does do some form of threat modeling for their main site, without a rigid process for all code that goes public you'll run into issues like this that are just as severe. Just because it's a mobile support site for requesting photo removals doesn't mean it is less important surface area in terms of security.

MichaelApproved12y ago

Exactly. As little as possible should be passing through the querystring. Put in the minimum amount in the QS and look the rest up in the DB. If possible, the QS should be signed for an extra layer of protection.

danielrmay12y ago

I think we can all agree that it's both a very difficult and a very large task to maintain an application with 500 million active users, let alone continue innovation and expansion.

Testing can only ever go so far - bugs and vulnerabilities exist everywhere, even in Facebook.

loceng12y ago

With the resources they have access to, I'd say there's no real excuse - unless it's not a priority - which could very well be. Privacy only became a priority (which coincides with security) when Facebook started to regularly change people's privacy settings on them.

Argorak12y ago

Do you?

loceng12y ago

I'm not there yet.

meatsock12y ago

wow that's a nice bounty for changing two parameters on the end of a URL.

terabytest12y ago

The exploit is easy, but the implications are very dangerous. Such an exploit could have been automated to take down hundreds of photos before it was even detected.

codesuela12y ago

nope, only thing this would've shown is that pictures aren't really deleted. Think about it. Facebook would do a rollback and all the pictures would be back. However with a little bad luck on their part they'd mess up which would lead to them restoring rightfully deleted pictures (many of them embarrassing). Would this have happened for sure? Probably not, but I strongly believe that this could have ended hilariously and frankly I am a little disappointed that the researcher was a white hat ;)

vinceguidry12y ago

Rolling back is a last-ditch effort, it often causes more problems than it would cure. Sure you'd get the pictures back, but everything done in the interrim would be deleted. And if he were a black hat, we'd have never heard about this.

1 more reply

nivla12y ago

As I understand it, the exploit involves crafting a URL to send in a removal request to the Facebook support. Wouldn't this count as social engineering or were the removal requests automated?

Regardless, well done!

chairmankaga12y ago

It seems you can send a crafted URL to request the deletion of images owned by Person A, to Person B. Cutting out any interaction from the original owner.

benmmurphy12y ago

it looks like the request goes to the person who posted the photo first. presumably so that person can delete the photo without getting support involved. it looks like the problem was you could control the profile_id so it was different from the profile that owned the photo.

tomphoolery12y ago

Pretty sure Mark Zuckerberg has had his Facebook profile fucked with more than anyone else, judging by all these disclosures I've been reading :)

j / k navigate · click thread line to collapse

31 comments

kristofferR12y ago

This guy was lucky to be proficient enough in English to recieve the bounty, unlike this guy: http://www.theverge.com/2013/8/18/4633046/facebook-security-...

mistercow12y ago

Argorak12y ago

He might even get into Y combinator, if he tried.

There, I did it. Haha.

Can we stop beating dead horses, we all read Hacker News around here?

sp33212y ago

That was a dig at Facebook, not pg or YC.

Argorak12y ago

That was a complaint about the style of posting, not about pg, YC or Facebook.

Buge12y ago

The problem with that guy is that he didn't use a test account and tested it on a random girl without her permission.

lifeformed12y ago

Facebook should make a "Hack Me" profile for people to mess with, so they don't have to use Zuckerberg's instead.

citricsquid12y ago

https://www.facebook.com/whitehat/accounts/

barrkel12y ago

That just gives out the same info as https://www.facebook.com/whitehat/, unless (I speculate) you already have a Facebook account and are logged in.

remi12y ago

When logged in, it shows the test account dashboard: http://i.imgur.com/Wh72kJF.png

singold12y ago

Maybe now we can delete our own facebook photos...

pearjuice12y ago

GuiA12y ago

Two people have done it publicly and successfully over the past month or so, so yeah, I would argue that it might be worth it.

loceng12y ago

Facebook really doesn't test anything for security vulnerabilities before pushing to production, do they?

ffk12y ago

They most likely do test for security vulnerabilities. However, the attack surface and overall complexity is so large that things will slip by even with the most rigorous testing.

For now, the best you can hope for is a layered defense and rigorous dev and ops practices to help minimize the attack surface and reduce the overall damage a single successful attack can achieve.

Robin_Message12y ago

Putting the user id in the request is obviously wrong, since the owner can looked up from the photo id.

Automated testing/fuzzing could find this, but probably better training/practices would be easier to get right and save time/money in the long run.

bunkat12y ago

MichaelApproved12y ago

danielrmay12y ago

I think we can all agree that it's both a very difficult and a very large task to maintain an application with 500 million active users, let alone continue innovation and expansion.

Testing can only ever go so far - bugs and vulnerabilities exist everywhere, even in Facebook.

loceng12y ago

Argorak12y ago

Do you?

loceng12y ago

I'm not there yet.

meatsock12y ago

wow that's a nice bounty for changing two parameters on the end of a URL.

terabytest12y ago

The exploit is easy, but the implications are very dangerous. Such an exploit could have been automated to take down hundreds of photos before it was even detected.

codesuela12y ago

vinceguidry12y ago

1 more reply

nivla12y ago

As I understand it, the exploit involves crafting a URL to send in a removal request to the Facebook support. Wouldn't this count as social engineering or were the removal requests automated?

Regardless, well done!

chairmankaga12y ago

It seems you can send a crafted URL to request the deletion of images owned by Person A, to Person B. Cutting out any interaction from the original owner.

benmmurphy12y ago

tomphoolery12y ago

Pretty sure Mark Zuckerberg has had his Facebook profile fucked with more than anyone else, judging by all these disclosures I've been reading :)

j / k navigate · click thread line to collapse