Facebook Groups Bug Bounty – 2018

This is my second bug bounty - a bug that I discovered while messing around on a Facebook group. It was my freshman year at ASU, and I was administering a Facebook group called "The Great Indian Dream, Class of '23" – a group dedicated to Indian high school students seeking admission to foreign universities.

Background

Facebook has a policy that you can change a group's name only once every 28 days if your group is big. This is to prevent abuse and maintain consistency. While we were joking about this in a post on that group, the conversation quickly turned to bug hunting and eventually led to this discovery.

My initial instinct to test this actually came from the outdated UI the group settings page had, which suggested this feature hadn't been touched in a while. I immediately opened Charles Proxy to capture and modify the request the page was sending when the name was changed.

I copied the curl command for the request and kept replaying it with different group names.

curl 'https://www.facebook.com/groups/<GROUP_ID>/edit/' \
--data-binary 'jazoest=<REDACTED>&fb_dtsg=AQGfx9WwthQl&__a=1&group_purpose=social_learning_landing_tab&group_currency=USD&description=&topics=&name=testgroup0&group_members=&admin_post_approval=1&stories_post_permissions=1&nctr[_mod]=pagelet_group_edit&__user=<REDACTED>' \
--compressed

And to my surprise, the group name changed! A bunch of people in that group saw it happen, which sparked quite a lot of laughter and a little bit of shock. To be fair, this bug isn't big - it's not an account takeover.

However, this gets even more interesting.

I tried sending <br /> as part of the name parameter. Yes, an actual HTML tag as the name. And to my surprise, the backend did not seem to parse the HTML but rather broke on it! So much so that once you name a group <br /> without the sanitization that the frontend normally does, you can make a Facebook group INACCESSIBLE and UNFIXABLE - even through the exploit!

Again, always validate and sanitize everything on the backend – DO NOT trust your requests! Both the 28-day limit and the name sanitization were only enforced in the UI, and anyone who can edit the request can skip the UI entirely.
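To make the lesson concrete, here is an added example (my own illustration, not Facebook's code) of a minimal group-rename handler. The trusting version applies whatever the request carries; the hardened version enforces the rename cooldown and validates the name on the server, and escapes the name on output as well. The "big group" threshold, the maximum name length, and the name-character rule are assumptions for illustration; only the 28-day cooldown comes from the post.

```python
# Added example (not Facebook's code): a minimal server-side group-rename
# handler that enforces the rename cooldown and validates the name, so a
# replayed curl request cannot bypass checks that only the UI performed.
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional
import html
import re

# Assumed policy values, modelled on the post: big groups may rename once
# every 28 days. The "big" threshold and max length are made-up numbers.
RENAME_COOLDOWN = timedelta(days=28)
BIG_GROUP_MEMBERS = 5000
MAX_NAME_LEN = 75

# Names must be printable text without HTML markup. Rejecting '<' and '>'
# outright is stricter than escaping, but it keeps markup out of a field
# that other backend code may not expect to contain it.
NAME_RE = re.compile(r"^[^<>\x00-\x1f]+$")


@dataclass
class Group:
    group_id: int
    name: str
    member_count: int
    last_renamed: Optional[datetime] = None
    rename_log: list = field(default_factory=list)


class RenameError(Exception):
    pass


def validate_name(raw: str) -> str:
    """Return a cleaned name or raise RenameError; never trust the client."""
    name = raw.strip()
    if not name or len(name) > MAX_NAME_LEN:
        raise RenameError("name length out of range")
    if not NAME_RE.match(name):
        raise RenameError("name contains markup or control characters")
    return name


def rename_group_insecure(group: Group, form: dict) -> Group:
    """The trusting version: applies whatever the request body carries."""
    group.name = form["name"]
    return group


def rename_group(group: Group, form: dict, now: datetime) -> Group:
    """Hardened version: cooldown and name validation are enforced here,
    regardless of what the UI did or did not check before sending."""
    new_name = validate_name(form.get("name", ""))
    if group.member_count >= BIG_GROUP_MEMBERS and group.last_renamed is not None:
        if now - group.last_renamed < RENAME_COOLDOWN:
            raise RenameError("rename cooldown active")
    group.rename_log.append((now, group.name, new_name))
    group.name = new_name
    group.last_renamed = now
    return group


def render_name(group: Group) -> str:
    """Escape on output too, so a stored name can never become markup."""
    return html.escape(group.name)


def replay_demo() -> dict:
    """Replays three rename requests (constructed input, including the
    '<br />' name) against both handlers and reports what each accepted."""
    t0 = datetime(2018, 11, 25, 10, 30)
    bodies = [{"name": "testgroup0"}, {"name": "testgroup1"}, {"name": "<br />"}]

    insecure = Group(1, "The Great Indian Dream", 6000)
    accepted_insecure = [rename_group_insecure(insecure, b).name for b in bodies]

    secure = Group(1, "The Great Indian Dream", 6000)
    outcomes = []
    for i, body in enumerate(bodies):
        try:
            rename_group(secure, body, t0 + timedelta(minutes=i))
            outcomes.append("ok")
        except RenameError as e:
            outcomes.append(str(e))
    return {"insecure": accepted_insecure, "secure": outcomes, "final": secure.name}


if __name__ == "__main__":
    print(replay_demo())
```

Run as a script, the insecure handler accepts all three names, including "<br />", while the hardened handler allows only the first rename: the second is blocked by the cooldown and the third is rejected before it is ever stored. Keeping the rename log server-side also gives you an audit trail if a replayed request does slip through a later bug.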

Anyway, I reported all of this to Facebook Security, and was awarded $500!

Timeline:

Initial report: Sun, Nov 25, 2018, 10:30 AM
Request for more info: Wed, Nov 28, 2018, 11:19 AM
Request for more info: Mon, Dec 3, 2018, 11:03 AM
Escalated to team for further investigation: Thu, Dec 13, 2018, 8:23 AM
Vulnerability patched notification: Wed, Jan 2, 2019, 12:48 PM
Bounty awarded: Thu, Jan 3, 2019, 4:28 AM
Featured on Facebook Hall of Fame 2018: Fri, Jan 4, 2019, 10:50 AM

Support Ananay Arora by becoming a sponsor. Any amount is appreciated!