Bug Hunter Uncovers Critical IDOR Vulnerability in Facebook’s Contact Removal Tool
The Discovery of a Significant Security Flaw
Facebook IDOR vulnerability – A bug hunter named Amine Aboud recently uncovered a significant security flaw in Facebook’s systems. The vulnerability, an Insecure Direct Object Reference (IDOR), affected the Facebook Contacts Removal Tool. If left unchecked, it could have allowed malicious actors to delete any user’s contact information from the address books of Facebook, Messenger, and Instagram without proper authorization.
Understanding the Vulnerability
Upon investigation, the bug hunter discovered that the Contacts Removal Tool, accessible at facebook.com/contacts/removal, had a critical weakness in its authorization checks. While the tool was designed to let users remove their own contact details after verifying ownership through a one-time password (OTP), Aboud nonetheless found a way to bypass this security measure.
By cleverly manipulating the contactpoint ID parameter in the GraphQL deletion request, he demonstrated that an attacker could potentially remove email addresses or phone numbers belonging to other users. Moreover, this action would add the removed contacts to a block list, thus preventing their re-importation into the system.
Reproducing the Facebook IDOR Vulnerability: Technical Details
Aboud meticulously documented the reproduction steps for this vulnerability. First, he visited the tool’s URL and selected the option to remove an email address or phone number. Next, after completing a CAPTCHA and receiving an OTP to confirm his own contact details, he used Burp Suite to intercept the deletion request. At this critical juncture, he altered the contactpoint parameter to target an email or phone number he did not own and sent the modified request.
Surprisingly, the system confirmed the deletion and blocking of the unauthorized contact from Facebook’s databases. Furthermore, Aboud discovered that he could trigger this issue through a direct GraphQL POST request, completely bypassing the OTP validation process.
Additional Findings and Potential Impact
In addition to the main vulnerability, the bug hunter provided specific examples of the GraphQL requests for both email and phone number removal, thus demonstrating the ease with which an attacker could exploit this vulnerability. Importantly, he noted that the Contacts Removal Tool did not require users to log in, and what’s more, the vulnerable GraphQL request lacked rate limiting protections. Consequently, these oversights could have allowed for mass deletion and blocking of random emails and phone numbers from the database.
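The flaw described across the sections above comes down to one missing link: the OTP step proved control of one contact point, but the deletion mutation acted on whatever contactpoint id the client supplied, could be sent without the OTP step at all, and was not rate limited. The following mock is an added illustration, not Facebook's code or anything from Aboud's write-up; the store, session, contact points, request shape and rate limiter are all constructed. It shows the flawed handler beside a hardened one that throttles first, requires OTP proof held server-side in the session, and deletes only the contact point that proof was bound to.

```python
"""Mock of an OTP-gated contact removal endpoint, showing the IDOR pattern the
write-up describes and a hardened handler beside it. Illustrative code, not
Facebook's; all names, contact points and request shapes are constructed."""
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample data: contact points and the accounts that own them.
SAMPLE_CONTACTS = {"alice@example.com": "alice", "+15550001111": "bob"}


@dataclass
class Store:
    contacts: dict = field(default_factory=lambda: dict(SAMPLE_CONTACTS))
    blocklist: set = field(default_factory=set)


@dataclass
class Session:
    # Set server-side only after a successful OTP check; never taken from the client.
    verified_contactpoint: Optional[str] = None
    pending: Optional[tuple] = None  # (contactpoint, code) awaiting verification


def request_otp(session: Session, contactpoint: str) -> str:
    """Issue a six-digit OTP bound to one contact point (delivery is out of band)."""
    code = f"{secrets.randbelow(1_000_000):06d}"
    session.pending = (contactpoint, code)
    return code


def verify_otp(session: Session, code: str) -> bool:
    """On success, record which contact point this session has proven control of."""
    if session.pending is None:
        return False
    contactpoint, expected = session.pending
    session.pending = None  # one attempt per issued code
    if not secrets.compare_digest(code, expected):
        return False
    session.verified_contactpoint = contactpoint
    return True


def delete_contact_vulnerable(store: Store, request: dict) -> dict:
    """Flawed pattern: the OTP step is a separate gate the deletion never consults,
    so the handler acts on whatever contactpoint id the client sends (the write-up
    reports the mutation could also be sent directly, with no OTP at all)."""
    target = request["contactpoint"]
    store.contacts.pop(target, None)
    store.blocklist.add(target)  # removed contact is also blocked from re-import
    return {"ok": True, "deleted": target}


class SlidingWindowLimiter:
    """Per-client request budget over a sliding time window (constructed helper)."""

    def __init__(self, limit: int, window_s: float, clock=time.monotonic):
        self.limit, self.window_s, self.clock = limit, window_s, clock
        self.hits: dict = {}

    def allow(self, key: str) -> bool:
        now = self.clock()
        recent = [t for t in self.hits.get(key, []) if now - t < self.window_s]
        if len(recent) >= self.limit:
            self.hits[key] = recent
            return False
        recent.append(now)
        self.hits[key] = recent
        return True


def delete_contact_hardened(store: Store, session: Session, request: dict,
                            limiter: SlidingWindowLimiter, client_key: str) -> dict:
    """Hardened handler: throttle first, require OTP proof in this session, and
    act only on the contact point that proof was bound to."""
    if not limiter.allow(client_key):
        return {"ok": False, "error": "rate_limited"}
    verified = session.verified_contactpoint
    if verified is None:
        return {"ok": False, "error": "otp_required"}
    # The client-supplied id is compared against the server-side record, never trusted.
    if request.get("contactpoint") != verified:
        return {"ok": False, "error": "contactpoint_not_verified"}
    session.verified_contactpoint = None  # proof is single-use
    store.contacts.pop(verified, None)
    store.blocklist.add(verified)
    return {"ok": True, "deleted": verified}


if __name__ == "__main__":
    store, session, limiter = Store(), Session(), SlidingWindowLimiter(4, 60)
    print(delete_contact_hardened(store, session, {"contactpoint": "+15550001111"}, limiter, "demo"))
    code = request_otp(session, "alice@example.com")
    verify_otp(session, code)
    print(delete_contact_hardened(store, session, {"contactpoint": "+15550001111"}, limiter, "demo"))
    print(delete_contact_hardened(store, session, {"contactpoint": "alice@example.com"}, limiter, "demo"))
```

The design point is that the hardened handler never derives the object to act on from the request alone: the target must equal the value the server recorded when the OTP succeeded, the proof is consumed on use, and the throttle runs before any other work so a direct-mutation caller cannot cheaply enumerate values.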
Facebook’s Response to the IDOR Vulnerability Report
Acting responsibly, Aboud reported his findings to Facebook on March 1, 2024. Subsequently, the company acknowledged the issue on March 12 and swiftly implemented a fix by March 17. In recognition of the significance of this discovery, Facebook awarded Aboud a bounty on April 15, 2024.
Ethical Hacking and Bug Bounties: Safeguarding Against IDOR Vulnerabilities
Undoubtedly, this case highlights the crucial role that ethical hackers and bug bounty programs play in identifying and addressing potential security risks before they can be exploited by malicious actors. Additionally, it serves as a reminder of the ongoing challenges that major tech companies face in securing their complex systems and protecting user data.
Lessons from this Facebook IDOR Vulnerability: Future Implications
In conclusion, the discovery of this IDOR vulnerability underscores the importance of rigorous security testing and the need for companies to continuously evaluate and improve their authorization processes. As a result, maintaining robust security measures becomes increasingly critical to safeguard user information and maintain trust in online services, especially as digital platforms continue to evolve and interconnect.
Link to the full write-up: https://amineaboud.medium.com/idor-vulnerability-allowing-any-contact-point-to-be-removed-from-facebook-messenger-instagram-f878b0ab7e71