Posts

Showing posts from January, 2017

Account Compromise through brute forcing FB disavow link - Multiple Subdomains

Another bug in Facebook. This time, multiple subdomains of FB are found to be vulnerable to brute forcing. Facebook is not limiting the attempts made to access the disavow page, resulting in account takeover by brute force.

Vulnerability Type : Missing rate limiting or anti-automation measures

Vulnerable Service : Facebook Disavow

Vulnerable URL : https://www.facebook.com/hacked/disavow?u=100007881843952&n=JIjLVAuY

Vulnerable Domains : All of the following domains are found to be vulnerable to the same flaw.

  www.facebook.com
  www.beta.facebook.com
  m.facebook.com
  m.beta.facebook.com
  iphone.facebook.com
  developers.facebook.com
  lookaside.facebook.com

Attack Scenario : Assume the victim has forgotten his/her password and used the forgot password feature to reset his/her account password. Now Facebook will send a password reset confirmation mail, which contains a link in case the password was actually reset by