Sunday, July 24, 2022

Facebook Bug POC - Contactpoint Inference through rate-limiting errors

This could have allowed an attacker to determine whether a given phone number, email address or username is associated with a particular Facebook account, regardless of the account's contact point lookup privacy settings and regardless of device or network relevance.

Steps for reproduction -

1. From a client on a large network, make 500 repeated failed login requests to:

POST /login/device-based/regular/login/?login_attempt=1&next=app_callback_url
Host: www.facebook.com

lsd=xyz&api_key=app_id&cancel_url=app_cancel_url&state=state_value&email=victim@victim.com&encpass=LMAO

2. Once the account is locked, repeating the request with the target's username or phone number in place of the email address returns an "Account lock" or "Feature disallowed" error, because the lock is keyed on the account rather than on the contact point that was used.

3. Repeating the request with a phone number or username that does not belong to the target user returns a "Wrong password" error instead. The difference in error messages is the oracle: it confirms which contact points resolve to the target's account.

There are multiple rate-limiting mechanisms in place on that endpoint, so in practice we could only have made about 5 contact point guesses per hour.
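To make the oracle concrete, here is a small simulation (an added example, not code from the original write-up and not Facebook's implementation) of the behaviour the steps above describe: failed logins are counted per account, so once the account behind victim@victim.com is locked, any other contact point resolving to the same account returns the lock error, while unrelated contact points still return "Wrong password". The hardened variant shows the fix pattern a practitioner would want: one generic error message for unknown contact point, wrong password and locked account alike, with the visible throttle keyed on the client rather than on the target account. The accounts, candidate contact points, error strings and client limit are constructed for the simulation; the 500-attempt threshold follows the write-up.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed threshold: the write-up reports that 500 failed attempts trigger the lock.
LOCKOUT_THRESHOLD = 500


@dataclass(frozen=True)
class Account:
    """Every contact point (email, phone, username) resolves to exactly one account."""
    contact_points: frozenset
    password: str


class VulnerableLoginService:
    """Models the leaky behaviour: failures are counted per account, and a locked
    account answers with a distinct error no matter which contact point is used."""

    def __init__(self, accounts):
        self._by_contact = {cp: a for a in accounts for cp in a.contact_points}
        self._failures = defaultdict(int)

    def login(self, contact, password, client="attacker"):
        acct = self._by_contact.get(contact)
        if acct is None:
            return "Wrong password"   # unknown contact point
        if self._failures[acct] >= LOCKOUT_THRESHOLD:
            return "Account lock"     # leak: this contact point maps to the locked account
        if password != acct.password:
            self._failures[acct] += 1
            return "Wrong password"
        return "OK"


class HardenedLoginService(VulnerableLoginService):
    """Fix pattern: the same message for unknown contact, wrong password and locked
    account, and the visible throttle is keyed on the client, not on the target."""

    def __init__(self, accounts, client_limit=20):
        super().__init__(accounts)
        self._client_attempts = defaultdict(int)
        self._client_limit = client_limit   # constructed per-client budget

    def login(self, contact, password, client="attacker"):
        self._client_attempts[client] += 1
        if self._client_attempts[client] > self._client_limit:
            return "Too many attempts"   # identical for every contact point
        acct = self._by_contact.get(contact)
        if acct is None or password != acct.password or self._failures[acct] >= LOCKOUT_THRESHOLD:
            if acct is not None:
                self._failures[acct] += 1   # still lock the account, just do not say so
            return "Incorrect login details"
        return "OK"


def infer_contact_points(service, known_contact, candidates, client="attacker"):
    """Steps 1 to 3 of the write-up: lock the account behind known_contact, then
    test each candidate and keep those that come back with the lock error."""
    for _ in range(LOCKOUT_THRESHOLD):
        service.login(known_contact, "not-the-password", client)
    lock_errors = {"Account lock", "Feature disallowed"}
    return [c for c in candidates
            if service.login(c, "not-the-password", client) in lock_errors]


# Constructed sample data: one victim with three contact points, one unrelated user.
VICTIM = Account(frozenset({"victim@victim.com", "+15550100", "victim.user"}), "s3cret")
OTHER = Account(frozenset({"other@example.com", "+15550199"}), "hunter2")
CANDIDATES = ["+15550100", "+15550199", "victim.user", "+15550123"]

if __name__ == "__main__":
    print(infer_contact_points(VulnerableLoginService([VICTIM, OTHER]),
                               "victim@victim.com", CANDIDATES))
    print(infer_contact_points(HardenedLoginService([VICTIM, OTHER]),
                               "victim@victim.com", CANDIDATES))
```

Against the vulnerable service the attacker recovers the victim's phone number and username from the candidate list; against the hardened one the list comes back empty, both when the client budget is exhausted and when it is generous, because the lock is never reflected in the response.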

Timeline -

Reported - 17th April 2022
Triaged - 14th May 2022
Fixed - 9th June 2022
Rewarded - 19th July 2022