This is my second bug bounty - a bug that I discovered while messing around on a Facebook group. It was my freshman year at ASU, and I was administering a Facebook group called "The Great Indian Dream, Class of '23" – a group dedicated to Indian high school students seeking admission to foreign universities.
Background
Facebook has a policy that you can change a group's name only once every 28 days if your group is big. This is to prevent abuse and maintain consistency. While joking about this on a post in that group, the conversation quickly turned to bug hunting and eventually triggered this.
My initial instinct to test this actually came from the outdated UI they had, which sort of indicated this thing hadn't been touched in a while. Immediately I headed to Charles Proxy to capture and modify the request this was sending upon changing the name.
I copied the curl command of the request, and kept replaying it with different group names.

```bash
curl 'https://www.facebook.com/groups/<GROUP_ID>/edit/' \
--data-binary 'jazoest=<REDACTED>&fb_dtsg=AQGfx9WwthQl&__a=1&group_purpose=social_learning_landing_tab&group_currency=USD&description=&topics=&name=testgroup0&group_members=&admin_post_approval=1&stories_post_permissions=1&nctr[_mod]=pagelet_group_edit&__user=<REDACTED>' \
--compressed
```
And to my surprise, the group name changed! A bunch of people in that group saw that happen, which sparked quite a lot of laughter and a little bit of shock. To be fair, this bug isn't big - it's not an account takeover.
However, this gets even more interesting...
I tried sending `<br />` as part of the name parameter. Yes, actual HTML tags as the name. And to my surprise, it seemed not to have parsed the HTML quotes but rather to break something on the backend! So much so that once you name a group `<br />` without the sanitization (that the frontend does), you can make a Facebook group INACCESSIBLE and UNFIXABLE - even through the exploit!
Again, always sanitize everything on the backend – DO NOT trust your requests!
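As an added illustration of that lesson (example code written for this post, not Facebook's), here is what a backend handler for the group edit POST looks like when both rules are enforced server-side: the 28-day rename cooldown for big groups and the name check, regardless of what the frontend already did. The member threshold, the length limit and the request bodies are assumed/constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple
from urllib.parse import parse_qs

RENAME_COOLDOWN = 28 * 86400      # the 28-day rule from the post, in seconds
LARGE_GROUP_MEMBERS = 5000        # assumed threshold for a "big" group; the post gives none
MAX_NAME_LEN = 75                 # assumed length limit
TAG_RE = re.compile(r"<[^>]*>")   # anything that looks like an HTML tag, e.g. <br />

@dataclass
class Group:
    name: str
    member_count: int
    last_renamed: Optional[float] = None   # epoch seconds of the last accepted rename

def validate_name(raw: str) -> Tuple[bool, str]:
    """Server-side name check: reject markup and control characters here
    instead of trusting the frontend to have stripped them. Output encoding
    stays the renderer's job; this only keeps markup out of storage."""
    name = raw.strip()
    if not name or len(name) > MAX_NAME_LEN:
        return False, "name length out of range"
    if TAG_RE.search(name) or any(ord(c) < 32 for c in name):
        return False, "markup or control characters are not allowed"
    return True, name

def handle_edit(group: Group, form_body: str, now: float) -> Tuple[bool, str]:
    """Process the /edit/ POST body the way the backend should: every rule is
    enforced here, so a replayed curl request gets the same answer as the UI."""
    fields = parse_qs(form_body, keep_blank_values=True)
    ok, detail = validate_name(fields.get("name", [""])[0])
    if not ok:
        return False, detail
    if (group.member_count >= LARGE_GROUP_MEMBERS
            and group.last_renamed is not None
            and now - group.last_renamed < RENAME_COOLDOWN):
        return False, "large groups may be renamed once every 28 days"
    group.name, group.last_renamed = detail, now
    return True, detail

# Constructed request bodies modelled on the curl command above; secrets replaced.
BENIGN_BODY = "jazoest=REDACTED&fb_dtsg=REDACTED&__a=1&name=testgroup0&__user=REDACTED"
MARKUP_BODY = "jazoest=REDACTED&fb_dtsg=REDACTED&__a=1&name=%3Cbr+%2F%3E&__user=REDACTED"

if __name__ == "__main__":
    big = Group("The Great Indian Dream, Class of '23", member_count=20000)
    print(handle_edit(big, BENIGN_BODY, now=1_000_000.0))           # (True, 'testgroup0')
    print(handle_edit(big, BENIGN_BODY, now=1_000_000.0 + 86400))   # replay blocked by cooldown
    print(handle_edit(Group("x", 10), MARKUP_BODY, now=1.0))        # <br /> rejected
```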
Anyway, I reported all of this to Facebook Security, and was awarded $500!
Timeline:

| Event | Date |
|---|---|
| Initial Report | Sun, Nov 25, 2018, 10:30 AM |
| Request for more info | Wed, Nov 28, 2018, 11:19 AM |
| Request for more info | Mon, Dec 3, 2018, 11:03 AM |
| Escalated to team for further investigation | Thu, Dec 13, 2018, 8:23 AM |
| Vulnerability Patched Notification | Wed, Jan 2, 2019, 12:48 PM |
| Bounty Awarded | Thu, Jan 3, 2019, 4:28 AM |
| Featured on Facebook Hall of Fame 2018 | Fri, Jan 4, 2019, 10:50 AM |