Showing posts from January, 2017

Account Compromise through brute forcing FB disavow link - Multiple Subdomains

Another bug in Facebook. This time, multiple Facebook subdomains were found to be vulnerable to brute forcing.
Facebook did not limit the number of attempts made to access the disavow page, so the token in the disavow link could be guessed by brute force, resulting in account takeover.
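To show why a missing attempt limit matters here, the following is an added simulation (not Facebook's code, and not part of the original post) of a disavow endpoint that validates a per-account token. The token charset, the 8-character length (taken from the look of the n= parameter) and the attempt budget of 5 per hour are assumptions. The same brute-force loop is run against an instance with no limit and against one with a per-account limit; the token length is reduced to 2 in the demo so the full keyspace can be walked in a moment.

```python
"""Disavow-link check with and without per-account rate limiting.

Constructed example, not Facebook's implementation. Token format and
attempt budget are assumptions; user id is a placeholder.
"""
import itertools
import secrets
import string
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

ALPHABET = string.ascii_letters + string.digits  # assumed token charset
TOKEN_LEN = 8                                    # assumed from the n= parameter length


@dataclass
class DisavowService:
    """Holds one disavow token per account and validates presented tokens.

    max_attempts=None reproduces the reported flaw: unlimited guesses.
    """
    max_attempts: Optional[int] = None
    window_seconds: float = 3600.0
    _tokens: Dict[str, str] = field(default_factory=dict)
    _attempts: Dict[str, List[float]] = field(default_factory=dict)

    def issue(self, user_id: str, token: Optional[str] = None,
              token_len: int = TOKEN_LEN) -> str:
        """Generate (or, for tests, set) the token mailed to the user."""
        if token is None:
            token = "".join(secrets.choice(ALPHABET) for _ in range(token_len))
        self._tokens[user_id] = token
        return token

    def disavow(self, user_id: str, token: str,
                now: Optional[float] = None) -> str:
        """Return 'ok', 'invalid' or 'locked' for one presented token."""
        now = time.monotonic() if now is None else now
        if self.max_attempts is not None:
            # Count only attempts inside the sliding window, keyed by the
            # targeted account rather than the caller's IP, so rotating
            # source addresses does not reset the budget.
            recent = [t for t in self._attempts.get(user_id, [])
                      if now - t < self.window_seconds]
            if len(recent) >= self.max_attempts:
                return "locked"
            recent.append(now)
            self._attempts[user_id] = recent
        # Constant-time compare so timing does not leak the token prefix.
        if secrets.compare_digest(self._tokens.get(user_id, ""), token):
            return "ok"
        return "invalid"


def brute_force(service: DisavowService, user_id: str, token_len: int,
                alphabet: str = ALPHABET) -> Tuple[str, int]:
    """Walk the whole keyspace in order; return (outcome, attempts made)."""
    attempts = 0
    for cand in itertools.product(alphabet, repeat=token_len):
        attempts += 1
        result = service.disavow(user_id, "".join(cand), now=0.0)
        if result in ("ok", "locked"):
            return result, attempts
    return "exhausted", attempts


def keyspace(token_len: int = TOKEN_LEN, alphabet: str = ALPHABET) -> int:
    """Number of candidates an attacker must cover without a limit."""
    return len(alphabet) ** token_len


if __name__ == "__main__":
    uid = "100007881843952"  # placeholder account id
    unlimited = DisavowService()
    unlimited.issue(uid, token="99")
    print("no limit:", brute_force(unlimited, uid, 2))

    limited = DisavowService(max_attempts=5)
    limited.issue(uid, token="99")
    print("5/hour limit:", brute_force(limited, uid, 2))
    print("full 8-char keyspace:", keyspace())
```

Without a limit the loop reaches the token after exhausting the 2-character keyspace; with the per-account budget the sixth request is refused and the attacker learns nothing more until the window expires. The limit is keyed on the targeted account, not the source IP, because the attacker controls the latter.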
Vulnerability Type : Missing rate limiting or anti-automation measures
Vulnerable Service : Facebook Disavow
Vulnerable URL : https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY
Vulnerable Domains : All of the following domains were found to be vulnerable to the same flaw.
www.facebook.com
www.beta.facebook.com
m.facebook.com
m.beta.facebook.com
iphone.facebook.com
developers.facebook.com
lookaside.facebook.com
Attack Scenario :
Assume the victim has forgotten his/her password and used the forgot-password feature to reset the account password. Facebook then sends a password reset confirmation mail, which contains a link to be used in case the password was actually reset by an attacker. Users can use this link to regain access to the account which was believ…