[Facebook] Determine Email Address and Phone Number of Users

 By following the POC below, it was possible for a hacker to determine if a given Email Address or a Phone Number is connected to the given Facebook User or not, even when they are hidden by the User.

POC -

1. Go to www.facebook.com and Click on "Forgot password".

2. Enter Target's Phone Number and click on "Search".

3. Select "Send code via SMS" and click on "Keep going".

4. Click on "Can't get code?".

5. Repeat step 3 and 4 at least six times.

6. Then click on "Aren't you".

7. Enter the Target's Facebook USERNAME and click on "Search".

8. Select "Send code via SMS" and click on "Keep going".

9. Click on "Cancel".

10. Click on "Forgot password".

11. Repeat step 8,9,10 again.

This should trigger an error saying "Identify this account in another way".

To double confirm,

12. Click on "Please try again".

13. Enter the Target's USERNAME and Search.

This should give us an error saying "Identify this account in another way

Identify your account using email or phone number."

If we enter a USERNAME which is not connected to the Target's Phone Number, we will be redirected.

14. Enter your USERNAME (or any VALID USERNAME) and search.

This should redirect you and indicate that the Phone Number, does not belong to your USERNAME.


Timeline -

Reported - Sunday, September 19, 2021 

Triaged - Friday, October 22, 2021

Fixed - Wednesday, November 3, 2021

Rewarded - Thursday, November 4, 2021

Popular posts from this blog

[Google] Access to BGP server + DOM XSS

 A hacker could have had the access to a BGP REST API server without any authorisation which was leading to leak of internal network info, devices info, network configuration and modification. Apart from that, there was a DOM XSS vulnerability in the target IP asset as well. POC - An IP address had a BGP server running on it. The access to it was an API service " Sonic Network Management APIs". These API calls could have been made without authorisation(access_token) and they were all listed with specifications on - " https://IP/ui/model.html". Endpoints such as - /ui/model.html?urls.primaryName=sonic-interface.yaml#/sonic-interface/get_sonic_interface_sonic_interface /ui/model.html?urls.primaryName=sonic-port.yaml#/sonic-port/get_sonic_port_sonic_port /ui/model.html?urls.primaryName=openconfig-lldp.yaml#/openconfig-lldp/get_openconfig_lldp_lldp_interfaces /ui/model.html?urls.primaryName=openconfig-platform.yaml#/openconfig-platform/get_openconfig_platform_components
Read more

[Google] YouTube "restconf" Swagger-UI XSS

  During my recon, I came across a few Google owned IP assets which were running "restconfig" services hosted on Swagger-UI. Dawid Moczadło has written a detailed article here . POC - Three IP assets on -  "https://IP/ui" were vulnerable to DOM XSS on this endpoint - "/ui/model.html?configUrl=http://hackingmonks/test.json". The Swagger-UI did show the available API endpoints for the service but had authorisation in place(access_token was needed). During this period, I had found 4th asset which had the same vulnerability along with additional exploitation, which was reported in another ticket. The write-up can be found here ( Access to BGP server + DOM XSS ). Timeline - Reported - 22.05.2023 Triaged - 22.05.2023 The assets were no longer accessible to the public -  09.06.2023 Accepted - 07.06.2023 Rewarded - 13.06.2023 Google's date for the fix - 08.12.2023
Read more

[Google] Disclose hidden Blogger profile Display name and Profile photo

 Because of an unfiltered response to an API call, it was possible for anyone to fetch hidden Blogger Profile Display name and Profile photo. POC - An endpoint going to - ========================================= GET https://blogger.googleapis.com/v3/blogs/target_blog_id/posts?fetchBodies=true&fetchImages=true&maxResults=69&view=VIEW_TYPE_UNSPECIFIED&key=[YOUR_API_KEY] HTTP/1.1 Authorization: Bearer [YOUR_ACCESS_TOKEN] ========================================= Would respond with the hidden Profile Display name and Profile photo as below - ========================================= "author": {     "id": "blogger_id",     "displayName": "blogger_name",     "url": "https://www.blogger.com/profile/blogger_id",     "image": {       "url": "//2.bp.blogspot.com/blogger_photo.jpg" } ========================================= Timeline - Reported - 31.01.2023 Triaged - 01.02.2023 Acc
Read more