[Facebook] Disable Notification Center and Delete Notifications

 A malicious user could have exploited a missing rate limit to disable the notification bar, prevent incoming notifications, delete the old notifications (read or unread) or even hang the low end devices running FB4A. This was undetected as the notifications will not mention the attackers Profile or name.

The endpoint goes to -
POST /ads/canvas_preview/?node_id=CANVAS_ID&page_id=PAGE_ID&user_ids[0]=ADMIN_ID&is_id_encoded=false HTTP/1.1
Host: www.facebook.com
By changing the user_ids[0]=ADMIN_ID to user_ids[0]=VICTIM_ID in the request he can send the canvas preview to anyone.
Rate limit evaluation -
We saw that we can send more than 4k payloads in just less than 3 minutes.
Since there is no rate limit we saw that we were getting the same response length since the first request. So we were not silently getting blocked.
Notification messages sent to the device were individual. They were sent one at a time. This would spam the notification bar and make it un usable.
After some payloads (3k or after) the notifications would stop appearing to the victim. If the attacker was still carrying out the bruteforce attack, victim won't get any notifications. Even the genuine requests won't be popping in the notification center. Resulting in into disabling the Notification bar.
If the attacker stopped after 4k payloads, the notification center would clear out all the notifications. The old notifications will be deleted.
This worked for both web UI and FB4A.
Timeline -
Reported - Sunday, March 10, 2019
Marked Duplicate - Thursday, March 21, 2019 
This is now fixed.

Popular posts from this blog

[Google] Access to BGP server + DOM XSS

 A hacker could have had the access to a BGP REST API server without any authorisation which was leading to leak of internal network info, devices info, network configuration and modification. Apart from that, there was a DOM XSS vulnerability in the target IP asset as well. POC - An IP address had a BGP server running on it. The access to it was an API service " Sonic Network Management APIs". These API calls could have been made without authorisation(access_token) and they were all listed with specifications on - " https://IP/ui/model.html". Endpoints such as - /ui/model.html?urls.primaryName=sonic-interface.yaml#/sonic-interface/get_sonic_interface_sonic_interface /ui/model.html?urls.primaryName=sonic-port.yaml#/sonic-port/get_sonic_port_sonic_port /ui/model.html?urls.primaryName=openconfig-lldp.yaml#/openconfig-lldp/get_openconfig_lldp_lldp_interfaces /ui/model.html?urls.primaryName=openconfig-platform.yaml#/openconfig-platform/get_openconfig_platform_components
Read more

[Google] YouTube "restconf" Swagger-UI XSS

  During my recon, I came across a few Google owned IP assets which were running "restconfig" services hosted on Swagger-UI. Dawid Moczadło has written a detailed article here . POC - Three IP assets on -  "https://IP/ui" were vulnerable to DOM XSS on this endpoint - "/ui/model.html?configUrl=http://hackingmonks/test.json". The Swagger-UI did show the available API endpoints for the service but had authorisation in place(access_token was needed). During this period, I had found 4th asset which had the same vulnerability along with additional exploitation, which was reported in another ticket. The write-up can be found here ( Access to BGP server + DOM XSS ). Timeline - Reported - 22.05.2023 Triaged - 22.05.2023 The assets were no longer accessible to the public -  09.06.2023 Accepted - 07.06.2023 Rewarded - 13.06.2023 Google's date for the fix - 08.12.2023
Read more

[Google] Disclose hidden Blogger profile Display name and Profile photo

 Because of an unfiltered response to an API call, it was possible for anyone to fetch hidden Blogger Profile Display name and Profile photo. POC - An endpoint going to - ========================================= GET https://blogger.googleapis.com/v3/blogs/target_blog_id/posts?fetchBodies=true&fetchImages=true&maxResults=69&view=VIEW_TYPE_UNSPECIFIED&key=[YOUR_API_KEY] HTTP/1.1 Authorization: Bearer [YOUR_ACCESS_TOKEN] ========================================= Would respond with the hidden Profile Display name and Profile photo as below - ========================================= "author": {     "id": "blogger_id",     "displayName": "blogger_name",     "url": "https://www.blogger.com/profile/blogger_id",     "image": {       "url": "//2.bp.blogspot.com/blogger_photo.jpg" } ========================================= Timeline - Reported - 31.01.2023 Triaged - 01.02.2023 Acc
Read more