Ow Facebook Part 2: Facebug Logic Flaws

4:47 AM

This series covers a bug class in Facebook that got declined for being unexplainable, unexploitable or having zero probability of exploitation. I decided to share these for fun because it seems I have 2-3 hours of spare time. Check out my previous post for part one.

This bug isn’t going to be fixed anytime soon because it carries no risk at all; it’s only for fun. Using the first bug, this one, you can create events with years that are far-off or nonexistent.
Events are only allowed to be created for the years 2012-2024, but you can create events for years like 30000, 31337 or 1337, very deep in the future or in the past. :)

It’s not a big secret; it’s just a very common logic flaw. The program expects an integer value and does not check that the given year is within 2012-2024, because in the database only those years exist to be chosen from. But by tampering with the data, it is possible to change the value that is sent to the server to be stored.

Here are the reproduction steps. First, using https://m.facebook.com/events/create/basic,
create a normal event, then go to edit, choose the event and start tampering with the data, then change the year to anything... (Note: it has to be edited; the edit page contains the flaw. The creation page is well sanitized.)
Then enjoy sending your friends event invites with years like -25418, 1337 or 31337… negative values are the fun part. -2012 will become -0012. How awesome is that?

Your homies will be like “You have created an event back in -0012? :O” Haha. Awesome.

The same thing happens with the Facebook birthday: the limit you can change it to is 1996, but anyone who is aware of this bug can change his/her birth date to a recent year like 2000 using m.facebook.com. This violates Facebook’s rules and makes you a minor by lowering your age, which is fun. No risk.

The same logic issues often occur in money-related tasks. That’s a very sad thing, considering you can steal money. Recently, while pentesting a website that contains a script to transfer money from one account to another, I was actually able to steal money (well, would have been able to). Here is what happened.

Obviously, while transferring money it subtracts the amount you sent from your account and adds it to the receiver’s account. It’s like -amount from you and +amount to the other dude.

Now imagine the script does “Your total amount - amount = remaining amount”. If we tamper with the request and give it a negative amount, the formula becomes
“Your total amount - (-amount) = remaining amount”

which is equivalent to “Your total amount + amount = remaining amount”, which means you are instead adding infinite money to your account.

Also, most websites’ checkout pages contain a hidden parameter holding the amount. Tampering with that to 0.01 works, considering the script only checks whether the payment is complete using the payment token: whatever amount you are supposed to pay, you paid 0.01, which still makes the check pass and executes the next step. Enjoy!
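To show the server-side checks that the year field, the transfer script and the checkout page above are all missing, here is an added example (my own code, not Facebook's or the pentested site's) with a vulnerable and a fixed version of each. The function names, the balances dictionary and the sample values are assumptions for illustration.

```python
# Added example: server-side validation against parameter tampering.
# All names and data here are constructed for illustration.
from decimal import Decimal, InvalidOperation

MIN_YEAR, MAX_YEAR = 2012, 2024   # the allowed event years stated in the post

def save_event_year_vulnerable(raw_year: str) -> int:
    # Only checks that the value is an integer, so -25418 or 31337 is stored as-is.
    return int(raw_year)

def save_event_year_fixed(raw_year: str) -> int:
    year = int(raw_year)  # still raises ValueError on non-integers
    if not MIN_YEAR <= year <= MAX_YEAR:
        raise ValueError(f"year {year} outside {MIN_YEAR}-{MAX_YEAR}")
    return year

def parse_amount(raw_amount: str) -> Decimal:
    # Reject NaN/inf, non-positive values and sub-cent precision before any arithmetic.
    try:
        amount = Decimal(raw_amount)
    except InvalidOperation:
        raise ValueError("amount is not a number") from None
    if not amount.is_finite() or amount <= 0:
        raise ValueError("amount must be a positive number")
    if amount != amount.quantize(Decimal("0.01")):
        raise ValueError("amount must have at most two decimals")
    return amount

def transfer_vulnerable(balances: dict, src: str, dst: str, raw_amount: str) -> None:
    # "total - amount" with no sign check: a negative amount credits the sender.
    amount = Decimal(raw_amount)
    balances[src] -= amount
    balances[dst] += amount

def transfer_fixed(balances: dict, src: str, dst: str, raw_amount: str) -> None:
    amount = parse_amount(raw_amount)
    if src == dst:
        raise ValueError("source and destination must differ")
    if balances[src] < amount:
        raise ValueError("insufficient funds")
    balances[src] -= amount
    balances[dst] += amount

def checkout_paid_in_full(order_total: Decimal, paid_amount: Decimal) -> bool:
    # Compare the settled amount against the server-side order total instead of
    # trusting a hidden form field or only "payment succeeded".
    return paid_amount == order_total
```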

Conclusion: watch out for parameter tampering. It’s “almost always” forgotten.
