Summary:
This blog post is about an Insecure Direct Object Reference (IDOR) vulnerability in Facebook Scrapbook. In Facebook Scrapbook, only the owner and their partner should be able to tag a scrapbook in photos. The vulnerability is that any user could tag another user's scrapbook in photos, because the server trusted the client-supplied scrapbook ID without checking who was allowed to use it.
Vulnerability Type :
IDOR (Insecure Direct Object References)
Reference: https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References
Steps to reproduce:
1. Open your Facebook profile and create any post with a photo.
2. Now visit any user's Scrapbook album.
3. Right-click in the user's Scrapbook album and copy the Scrapbook ID.
4. Now visit the post you created and open the photo.
5. Click the photo, click the "Tag photo" option and choose any user to tag.
6. Before tagging, make sure Burp Suite's Interceptor is turned on to capture the request.
7. Click on "Choose user" now; you will see the following kind of request in Burp Suite:

POST /ajax/photo_tagging_ajax.php?av=100022637353520 HTTP/1.1
Host: www.facebook.com
Connection: close
Content-Length: 668
Origin: https://www.facebook.com
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_0)

fbid=XXX&id=USERID&subject=XXXX&name=XXXX&action=add&etc

8. Now change the subject parameter value to the victim's Scrapbook ID and forward the request.
9. Done.
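The root cause is that the tagging endpoint resolved the subject parameter to a scrapbook but never checked whether the acting user was its owner or the owner's partner. The following is an added example, not Facebook's code and not from the original post: it models a tagging handler in Python with the missing check beside the hardened form, parsing a form body shaped like the request shown above. The Scrapbook record, the SCRAPBOOKS and TAGS stores, the user and scrapbook IDs, and the function names are all constructed for illustration.

```python
"""Added example: server-side authorization for tagging a scrapbook in a photo.
Hypothetical data model and names; nothing here is Facebook's implementation."""

from dataclasses import dataclass
from typing import Dict, List, Optional
from urllib.parse import parse_qs


@dataclass
class Scrapbook:
    scrapbook_id: str
    owner_id: str
    partner_id: Optional[str] = None


# Constructed sample data: two scrapbooks and the users allowed to tag them.
SCRAPBOOKS: Dict[str, Scrapbook] = {
    "sb-1001": Scrapbook("sb-1001", owner_id="alice", partner_id="bob"),
    "sb-2002": Scrapbook("sb-2002", owner_id="carol"),
}

# Constructed tag store: photo id -> scrapbook ids tagged in that photo.
TAGS: Dict[str, List[str]] = {}


def tag_scrapbook_vulnerable(acting_user: str, photo_id: str, subject: str) -> bool:
    """Models the flaw: the server only checks that the referenced scrapbook
    exists. The acting user is never compared against the record, so any
    authenticated user can supply any scrapbook ID as the subject."""
    if subject not in SCRAPBOOKS:
        return False
    TAGS.setdefault(photo_id, []).append(subject)
    return True


def may_tag_scrapbook(acting_user: str, scrapbook: Scrapbook) -> bool:
    """Policy from the post: only the owner or their partner may tag it."""
    return acting_user in (scrapbook.owner_id, scrapbook.partner_id)


def tag_scrapbook_fixed(acting_user: str, photo_id: str, subject: str) -> bool:
    """Hardened form: resolve the object reference server-side and decide
    authorization from the stored record, not from anything in the request."""
    scrapbook = SCRAPBOOKS.get(subject)
    if scrapbook is None or not may_tag_scrapbook(acting_user, scrapbook):
        return False  # deny rather than trust the client-supplied ID
    TAGS.setdefault(photo_id, []).append(subject)
    return True


def handle_tag_request(acting_user: str, body: str) -> bool:
    """Parse a form body shaped like the captured request
    (fbid=...&id=...&subject=...&name=...&action=add) and route it through
    the hardened check. acting_user comes from the session, never from the
    'id' field, which is also client-controlled."""
    params = parse_qs(body)
    if params.get("action") != ["add"]:
        return False
    subject = params.get("subject", [""])[0]
    photo_id = params.get("fbid", [""])[0]
    if not subject or not photo_id:
        return False
    return tag_scrapbook_fixed(acting_user, photo_id, subject)


if __name__ == "__main__":
    body = "fbid=photo-1&id=dave&subject=sb-1001&name=x&action=add"
    print("vulnerable:", tag_scrapbook_vulnerable("dave", "photo-1", "sb-1001"))
    print("fixed, outsider:", handle_tag_request("dave", body))
    print("fixed, partner:", handle_tag_request("bob", body))
```

The design point is that the identity used for the decision (`acting_user`) is taken from the authenticated session, while the object (`subject`) is looked up and its ownership read from the server's own record; changing the ID in the request then gains nothing, which is the general fix for this class of IDOR.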
Timeline:
February 25, 2020 — Initial Report
March 03, 2020 — Report Triaged
May 01, 2020 — Vulnerability Fixed By Facebook
May 01, 2020 — Fix Confirmed
May 01, 2020 — Bounty awarded by Facebook