HomeBug BountyBug Hunter Exposes Critical Facebook IDOR Vulnerability in Contact Removal Tool

Bug Hunter Exposes Critical Facebook IDOR Vulnerability in Contact Removal Tool

Bug Hunter Uncovers Critical IDOR Vulnerability in Facebook’s Contact Removal Tool

The Discovery of a Significant Security Flaw

Facebook IDOR vulnerability – Recently, a skilled bug hunter named Amine Aboud recently uncovered a significant security flaw in Facebook’s systems. This vulnerability, known as an Insecure Direct Object Reference (IDOR), affected the Facebook Contacts Removal Tool. If left unchecked, it could have allowed malicious actors to delete any user’s contact information from the address books of Facebook, Messenger, and Instagram without proper authorization.

Understanding the Vulnerability

Upon investigation, the bug hunter discovered that the Contacts Removal Tool, accessible at, had a critical weakness in its authorization checks. While the tool was designed to let users remove their own contact details after verifying ownership through a one-time password (OTP), Aboud nonetheless found a way to bypass this security measure.

By cleverly manipulating the contactpoint ID parameter in the GraphQL deletion request, he demonstrated that an attacker could potentially remove email addresses or phone numbers belonging to other users. Moreover, this action would add the removed contacts to a block list, thus preventing their re-importation into the system.

Reproducing the Facebook IDOR Vulnerability: Technical Details

Aboud meticulously documented the reproduction steps for this vulnerability. First, he began by visiting the tool’s URL and selecting the option to remove an email address or phone number. Next, after completing a CAPTCHA and receiving an OTP to confirm his own contact details, he used a tool called Blurp to intercept the deletion request. At this critical juncture, he altered the contactpoint parameter to target an email or phone number he did not own and sent the modified request.

Surprisingly, the system confirmed the deletion and blocking of the unauthorized contact from Facebook’s databases. Furthermore, Aboud discovered that he could trigger this issue through a direct GraphQL POST request, completely bypassing the OTP validation process.

Additional Findings and Potential Impact

In addition to the main vulnerability, the bug hunter provided specific examples of the GraphQL requests for both email and phone number removal, thus demonstrating the ease with which an attacker could exploit this vulnerability. Importantly, he noted that the Contacts Removal Tool did not require users to log in, and what’s more, the vulnerable GraphQL request lacked rate limiting protections. Consequently, these oversights could have allowed for mass deletion and blocking of random emails and phone numbers from the database.

Facebook’s Response to the IDOR Vulnerability Report

Acting responsibly, Aboud reported his findings to Facebook on March 1, 2024. Subsequently, the company acknowledged the issue on March 12 and swiftly implemented a fix by March 17. In recognition of the significance of this discovery, Facebook awarded Aboud a bounty on April 15, 2024.

Ethical Hacking and Bug Bounties: Safeguarding Against IDOR Vulnerabilities

Undoubtedly, this case highlights the crucial role that ethical hackers and bug bounty programs play in identifying and addressing potential security risks before they can be exploited by malicious actors. Additionally, it serves as a reminder of the ongoing challenges that major tech companies face in securing their complex systems and protecting user data.

Lessons from this Facebook IDOR Vulnerability: Future Implications

In conclusion, the discovery of this IDOR vulnerability underscores the importance of rigorous security testing and the need for companies to continuously evaluate and improve their authorization processes. As a result, maintaining robust security measures becomes increasingly critical to safeguard user information and maintain trust in online services, especially as digital platforms continue to evolve and interconnect.

–Meta bug bounty program


Link to read full write up:

Save the PDF here

A cybersecurity practitioner with more than 5 years of experience in the cybersecurity world. Has an interest in creating simple blog websites, learning about SEO and graphic design, writing, AI, and understanding the concepts of journalism. Intentionally created this website to make the world of cybersecurity more engaging by combining it with journalistic principles and presenting cybersecurity stories that are easy to understand, which can help anyone who wants to develop in the cybersecurity world.



Please enter your comment!
Please enter your name here

4 + 7 =

Most Popular


- Advertisement -