This Hacker Hacked Facebook Notes Feature; Won $2500 Bounty Prize

Hacker Anand Prakash found a vulnerability in the Facebook Notes feature, and Facebook awarded him a $2,500 bounty for it. He was able to delete notes from anybody's account. With Facebook Notes being an important direction for the company, this could have been a serious disaster had it become public before being fixed.

A quick timeline of how it all happened:


June 15, 2015: Report sent to Facebook Security team
June 16, 2015: Bug acknowledged by Facebook Security team
June 16, 2015: Vulnerability fixed
June 22, 2015: Bounty of $2,500 awarded by Facebook



Here is how Anand did it:

Vulnerability description

Insecure Direct Object References (IDOR) occur when an application exposes a reference to an internal object (a database record, a file, a note id) and uses a user-supplied value of that reference to fetch or act on the object without checking that the caller is authorized for that particular object. An attacker then bypasses authorization simply by changing the parameter value, for example to another user's record. Authentication and anti-CSRF checks may all pass; what is missing is the per-object ownership check.

Reference:  https://www.owasp.org/index.php/Top_10_2010-A4-Insecure_Direct_Object_References

Vulnerable request

POST /a/note.php?note_id=[victim’s note id]&publish&gfid=[attacker’s token]
Host: touch.facebook.com
fb_dtsg=[attacker’s token]&charset_test=&title=&body=&privacy=&=Publish&_dyn=&__user=[attacker’s userID]

Replacing note_id in the request above with the victim's note id removed the note from the victim's account. The note id can be obtained by viewing the victim's note and copying the id from the URL (source). Note that every other value in the request (fb_dtsg, gfid, __user) is the attacker's own, so the session and anti-CSRF token are perfectly valid; the only thing the server failed to verify was whether the note referenced by note_id belonged to the requesting user.
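To make the IDOR pattern concrete, here is an added example (not code from the article, from Anand's report, or from Facebook) of a toy note-deletion handler that reproduces the defect described above, beside the same handler with the server-side ownership check that closes it. Everything in it is hypothetical: the in-memory note store, the per-user anti-CSRF token standing in for fb_dtsg, the user and note ids, and the choice to answer "not yours" with the same status as "does not exist".

```python
"""Added example, not the article's or Facebook's code: a toy
note-deletion endpoint showing the IDOR described above and its fix.

Assumptions (hypothetical): notes live in an in-memory dict keyed by
note_id; a request carries the caller's session user id (the __user
field), an anti-CSRF token (the fb_dtsg field) and the target note_id.
"""
from dataclasses import dataclass
import hashlib
import hmac

SECRET = b"server-side-secret"  # constructed for the example


@dataclass
class Note:
    note_id: int
    owner_id: int
    title: str


@dataclass
class Request:
    user_id: int   # __user: the caller's own id, taken from the session
    fb_dtsg: str   # anti-CSRF token, also the caller's own
    note_id: int   # user-supplied object reference: the IDOR parameter


def issue_csrf_token(user_id: int) -> str:
    """Per-user anti-CSRF token. It proves the request came from user_id's
    own session; it says nothing about which notes user_id may touch."""
    return hmac.new(SECRET, str(user_id).encode(), hashlib.sha256).hexdigest()


def csrf_ok(req: Request) -> bool:
    return hmac.compare_digest(req.fb_dtsg, issue_csrf_token(req.user_id))


def make_store() -> dict:
    """Constructed sample data: the victim (user 1) owns note 1001,
    the attacker (user 2) owns note 2002."""
    return {
        1001: Note(1001, owner_id=1, title="victim's note"),
        2002: Note(2002, owner_id=2, title="attacker's note"),
    }


def delete_note_vulnerable(store: dict, req: Request) -> int:
    """IDOR: authenticates the caller (valid session + CSRF token) but
    never checks that the note referenced by note_id belongs to the caller."""
    if not csrf_ok(req):
        return 403
    if req.note_id not in store:
        return 404
    del store[req.note_id]
    return 200


def delete_note_fixed(store: dict, req: Request) -> int:
    """Same flow plus the ownership check: the user-supplied reference is
    honoured only if the object belongs to the authenticated user."""
    if not csrf_ok(req):
        return 403
    note = store.get(req.note_id)
    if note is None or note.owner_id != req.user_id:
        # Same status for "missing" and "not yours", so the endpoint does
        # not become an oracle for which note ids exist.
        return 404
    del store[req.note_id]
    return 200


def demo() -> dict:
    """Replay the attacker's request (their own session and token, the
    victim's note_id) against both handlers and report whether the
    victim's note survived."""
    attacker = Request(user_id=2, fb_dtsg=issue_csrf_token(2), note_id=1001)
    vuln = make_store()
    vuln_status = delete_note_vulnerable(vuln, attacker)
    fixed = make_store()
    fixed_status = delete_note_fixed(fixed, attacker)
    return {
        "vulnerable": (vuln_status, 1001 in vuln),  # (200, False): note gone
        "fixed": (fixed_status, 1001 in fixed),     # (404, True): note kept
    }


if __name__ == "__main__":
    print(demo())
```

The point of the two handlers side by side is that the CSRF token and session are checked identically in both; the vulnerable one is "authenticated but not authorized" for the specific object, which is exactly the state of the request shown above. A real fix goes in the data-access layer (query by note_id and owner_id together) so that no individual endpoint can forget the check.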