This IDOR vulnerability in Facebook Events allowed an attacker to add anyone as a co-host of an event created from their personal profile, including non-friends, non-friends-of-friends and people who had blocked them.
Summarizing the vulnerability
When you create an event from your personal profile on Facebook, the event form asks you to select friends to add as co-hosts; the picker only ever offers your friends.
To reproduce the vulnerability, select a friend as co-host and, while the create request is in transit to Facebook, replace that friend's profile ID with the profile ID of someone who is neither your friend nor a friend of a friend (a stranger, or someone involved in a block in either direction). The server accepted the substituted ID without checking the relationship between the host and the named user, which is what makes this an IDOR (insecure direct object reference): the client is trusted to only send IDs the UI would have offered.
Exploiting this, an attacker could add anyone, including non-friends-of-friends and blocked people (both people they had blocked and people who had blocked them), as a co-host of their personal event on Facebook.
The Facebook Security Team issued a bounty of $750 for responsibly reporting this vulnerability.
- A PC with a web browser
- An Internet connection, and no geographical restriction on the usage of Facebook
- Three Facebook accounts; User A, User B and User C.
- User A is the event host.
- User B is a friend of User A. User B plays no active role, but selecting User B as co-host produces the request that will be intercepted.
- User C is completely unknown to both User A and User B, and is friends with neither.
Log in to User A's account on the web version of Facebook, then visit facebook.com/events.
Click "Create Event" and choose either a private or a public event.
Select User A in the Event Host drop-down list. (The drop-down only appears if User A manages pages; otherwise User A is shown and selected by default.)
Fill in the remaining fields however you like, and in the Co-hosts field type "User B" and select User B.
Before clicking "Create", turn on request interception in Burp Suite, OWASP ZAP or a similar intercepting proxy.
Click "Create" and keep forwarding requests until you see one that looks like this:
POST /ajax/create/event/submit/?title=[EventName]&description=[Description]&location=...&location_id=....&location_latlong[latitude]=...&location_latlong[longitude]=...&cover_focus[x]=0.5&cover_focus[y]=0.5&only_admins_can_post=true&post_approval_required=false&co_hosts=1008&start_date=11%2F25%2F2019&start_time=7200&end_date=11%2F25%2F2019&end_time=18000&timezone=........ HTTP/1.1
Here 1008 is the user ID of User B.
Replace the value of the co_hosts parameter with the user ID of a non-friend, i.e. User C (31337), and forward the request. The event is created.
Click "1 co-host pending" and you will see that User C has been added as a (pending) co-host of the event.
Now log in to User C's account; a notification reads "User A made you a host of his/her event [EventName]."
If User C has blocked User A, the same request still succeeds. In that case User C cannot see the event (because User A is blocked), but User A still sees User C in the pending co-host list.
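The summary above and the reproduction steps both come down to one missing server-side check: the co_hosts value is taken from the request instead of being verified against the host's own friend graph. The following is an added illustration, not Facebook's code, of that vulnerable handler next to a hardened one. The only values taken from the writeup are the user IDs 1008 (User B, a friend of the host) and 31337 (User C, a stranger); the User/Event classes, the in-memory USERS table, the blocked-account 4242 and the function names are assumptions made for the example.

```python
"""Toy model of the authorisation check missing from the co-host endpoint.

Added example, not Facebook's code. UIDs 1008 (User B) and 31337 (User C)
come from the writeup; the data model, USERS table and function names are
assumed for illustration.
"""
from dataclasses import dataclass, field


class CoHostNotAllowed(PermissionError):
    """Raised when a client-supplied co_hosts UID fails authorisation."""


@dataclass
class User:
    uid: int
    friends: set = field(default_factory=set)
    blocked: set = field(default_factory=set)   # accounts this user has blocked


@dataclass
class Event:
    host: int
    pending_co_hosts: set = field(default_factory=set)


# Constructed sample data. 1 = User A (the event host). 4242 is a constructed
# account that has blocked User A and does not appear in the writeup.
USERS = {
    1: User(1, friends={1008}),
    1008: User(1008, friends={1}),
    31337: User(31337),
    4242: User(4242, blocked={1}),
}


def create_event_vulnerable(host_id, co_hosts):
    """Mirrors the reported behaviour: every UID in the co_hosts parameter is
    trusted because the UI only ever offers friends, so a tampered request can
    name anyone. The object reference is resolved but never authorised."""
    event = Event(host=host_id)
    for uid in co_hosts:
        if uid not in USERS:
            raise ValueError(f"unknown user {uid}")
        event.pending_co_hosts.add(uid)
    return event


def can_invite_as_co_host(host, candidate):
    """Relationship check done against the server's own friend graph, never
    against anything the client sent."""
    if candidate.uid == host.uid:
        return False
    if candidate.uid not in host.friends or host.uid not in candidate.friends:
        return False
    # Belt and braces: blocked accounts should never be friends, but the check
    # is cheap and covers a stale friend list. Blocks count in both directions.
    if candidate.uid in host.blocked or host.uid in candidate.blocked:
        return False
    return True


def create_event_fixed(host_id, co_hosts):
    """Same endpoint with the check applied per co-host. One disallowed UID
    rejects the whole request: the legitimate UI never produces one, so its
    presence means the request was tampered with."""
    host = USERS[host_id]
    event = Event(host=host_id)
    for uid in co_hosts:
        candidate = USERS.get(uid)
        if candidate is None or not can_invite_as_co_host(host, candidate):
            raise CoHostNotAllowed(f"user {host_id} may not add {uid} as co-host")
        event.pending_co_hosts.add(uid)
    return event


if __name__ == "__main__":
    # Legitimate request: User B is a friend, accepted by both versions.
    print("fixed, friend:", create_event_fixed(1, [1008]).pending_co_hosts)
    # Tampered request: User C is a stranger; the vulnerable handler accepts it.
    print("vulnerable, stranger:", create_event_vulnerable(1, [31337]).pending_co_hosts)
    for uid in (31337, 4242):
        try:
            create_event_fixed(1, [uid])
        except CoHostNotAllowed as exc:
            print("fixed, rejected:", exc)
```

The point of the fixed version is where the relationship is looked up: on the server, from the host's stored friend list, so that editing co_hosts in the proxy changes nothing but the error message. Failing the whole request rather than silently dropping the bad UID also gives the security team a clean signal in logs that a client sent something the UI could not have produced.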
Responsible Disclosure Timeline
- Vulnerability Reported: November 25, 2019
- Reproduced and Triaged: December 18, 2019
- Patch Confirmation: January 21, 2020
- Bounty Amount Rewarded: January 24, 2020
- November 25, 2019: Submitted the vulnerability report
- November 28, 2019: Someone requested a little more information, and I responded with the requested information and a Proof-of-Concept (PoC) video.
- December 4, 2019: Someone requested Whitehat test account credentials, and I responded with the required credentials.
- December 7, 2019: Someone requested more information, and I responded with the required information.
- December 10, 2019: Someone responded with the exact error in the response and asked me to send a new PoC video showing all the steps, starting from the creation of the Whitehat test account.
- December 11, 2019: I provided them the new PoC video as requested (drive.google.com/open?id=1ANHN1wXzj8U10H7GU..).
- December 14, 2019: Someone asked whether the victim was able to remove themselves as co-host from the event, and I responded that the victim was unable to reject the request to be added as co-host, and would automatically become visible to the public as a co-host of the event right after clicking "Interested" or "Going".
- December 18, 2019: Successful reproduction of the vulnerability (someone stated that the information I provided in my last response would help the team get a fuller picture when sending it to the product team).
- December 18, 2019: I responded back mentioning that I would be looking forward to answering further queries
- December 18, 2019: Triaged (the security team sent the report to the product team for further investigation)
- December 18, 2019: I responded back saying that I would be looking forward to seeing what the product team has to say regarding the vulnerability report.
- January 8, 2020: I requested the team to let me know if there is anything new regarding the vulnerability report.
- January 10, 2020: Someone responded back mentioning that they would notify me as soon as a change takes place regarding the vulnerability report, and I responded back mentioning that I would be looking forward to being notified about any changes that would take place regarding the vulnerability report.
- January 21, 2020: Someone requested vulnerability patch confirmation, but I wasn't aware of this response, so I couldn't respond.
- January 24, 2020: Bounty amount rewarded
- January 24, 2020: I thanked the security team, said I was sorry for not being able to respond on January 21 because I hadn't been active on Facebook for a few days, and asked about updating the name to be included in the 2019 Thanks page.
- January 28, 2020: Someone responded appreciating my response and kind words, and left a message regarding the name to be included in the Thanks page, to which I sent a couple of responses.
- February 6, 2020: Someone responded stating that they had updated their hall of fame page as per my request.
- February 6, 2020: I responded that I could see my name included in the 2019 Thanks page.
Check out the Facebook Whitehat Thanks page: facebook.com/whitehat/thanks!