
Authentication Bypass Leads to Unauthorized Data Access for Linked Facebook, Instagram, and Meta Accounts ($5000 Bounty)

Vulnerability Report

Hello,

Today, I'm sharing a vulnerability I discovered in Meta's bug bounty program. This vulnerability allows attackers to gain unauthorized access to victims' account data, affecting Meta's primary technologies (Facebook, Instagram, and Meta accounts).

To understand this bug, it's essential to grasp what the Account Center is.

The Account Center, provided by Meta, offers users a unified interface to manage and integrate their experiences across Facebook, Instagram, and other Meta services. It centralizes settings, permissions, and account data management, streamlining the handling of multiple linked accounts under the Meta umbrella. For more information about the Account Center, you can visit here.

Sensitive Data Transfer Feature

One of the features of Account Center is the ability to download or transfer the data of your accounts, including those of other linked accounts. This data is extremely sensitive and can include:

  • Personal messages
  • Photos and videos
  • Friends and followers lists
  • Login and session data
  • Payment information

Given the sensitivity of this data, robust security measures are expected to be in place to protect it from unauthorized access.

Exploiting the Vulnerability: Unauthorized Data Transfer

I assumed the scenario in which an attacker has already gained access to a victim's Facebook account that is linked to Instagram and Meta accounts. I then attempted to access the data of these other linked accounts.

  1. I navigated to the Account Center data download page.
  2. Attempting to download the data of the linked Instagram and Meta accounts, I was prompted for the passwords of these accounts.
  3. Initially, I entered the correct password and captured the successful response.
  4. Subsequently, I tried again, entering incorrect passwords and replacing the server's response with the previously captured successful response. This method did not work for direct downloads.

However, there was an option to transfer the data to cloud services like Google Drive or Dropbox. I exploited this feature:

  1. I initiated the data transfer and was prompted for the passwords of the linked Instagram and Meta accounts.
  2. I entered incorrect passwords, intercepted the request, and replaced the server's response with the previously captured successful response.

And just like that, the transfer started, and I received all the victim's Instagram and Meta account data in my drive without knowing the passwords for those accounts.

This bug also works across other platforms. For instance, if an attacker gains access to a victim's Instagram account, they can transfer the data of linked Facebook and Meta accounts. Similarly, if an attacker gains access to a victim's Meta account, they can transfer the data of linked Facebook and Instagram accounts.

Steps to Reproduce

Victim's Side:

  1. The victim has connected Instagram, Facebook, and Meta accounts.

Attacker's Side:

  1. The attacker gains access to the victim's Facebook account.
  2. The attacker navigates to the Account Center data download page.
  3. The attacker initiates a transfer of all the victim's account information to their Google Drive.
  4. The system prompts for the Instagram and Meta passwords.
  5. The attacker enters any random password and intercepts the request.
  6. The attacker replaces the response body with:
    {"data":{"fxcal_reauth_v2":{"success":true,"error_data":null,"error_state":null}},"extensions":{"is_final":true}}
  7. The transfer starts, and the attacker waits for it to finish.
  8. The attacker opens their drive and finds they have received all the victim's account data.
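The steps above work because the only evidence that the linked account's password was re-entered lives in the response the client receives, so rewriting that response to report success is enough to make the transfer proceed. The following Python model, added here as an illustration and not taken from the post or from Meta's code, contrasts that flaw class with a fix in which the re-authentication endpoint mints a server-signed grant bound to the session, account and action, and the transfer endpoint accepts nothing else. The endpoint names, the grant format, the `instagram:alice` account and the passwords are assumptions for illustration.

```python
# Added example, not from the original post and not Meta's code: a model of the
# flaw class described above, in which the server's only evidence that a user
# re-entered a password is the client's own behaviour after reading the reauth
# response. Endpoint names, the grant format and the account identifiers are
# assumptions for illustration.
import hashlib
import hmac
import secrets
import time

SERVER_SECRET = secrets.token_bytes(32)   # constructed; a real key would be managed
CONSUMED_NONCES = set()                   # single-use tracking for issued grants

# Constructed credential store: linked account -> SHA-256 of its password.
# (Real systems use a slow, salted password hash; sha256 keeps the example short.)
ACCOUNTS = {"instagram:alice": hashlib.sha256(b"correct-horse").hexdigest()}


def check_password(account: str, password: str) -> bool:
    stored = ACCOUNTS.get(account)
    if stored is None:
        return False
    given = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, given)


# ---- Vulnerable flow: re-authentication is only a client-side gate ----------
def reauth_vulnerable(account: str, password: str) -> dict:
    """Tells the client whether the password matched, but records nothing."""
    return {"data": {"reauth": {"success": check_password(account, password)}}}


def start_transfer_vulnerable(account: str, client_reports_success: bool) -> str:
    # The transfer endpoint holds no server-side proof; it relies on the client
    # JS having seen success:true. A response edited to success:true in a
    # proxy therefore reaches "transfer started" without the password.
    if not client_reports_success:
        return "denied"
    return "transfer started"


# ---- Fixed flow: reauth mints a bound, short-lived, single-use grant --------
def issue_grant(session_id: str, account: str, action: str, ttl: int = 300) -> str:
    exp = int(time.time()) + ttl
    nonce = secrets.token_hex(8)
    payload = "|".join([session_id, account, action, str(exp), nonce])
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return payload + "|" + mac


def verify_grant(grant: str, session_id: str, account: str, action: str) -> bool:
    parts = grant.split("|")
    if len(parts) != 6:
        return False
    payload = "|".join(parts[:5])
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(parts[5], expected):
        return False                       # forged or tampered grant
    g_session, g_account, g_action, g_exp, nonce = parts[:5]
    if (g_session, g_account, g_action) != (session_id, account, action):
        return False                       # bound to another session, account or action
    if int(g_exp) < time.time():
        return False                       # expired
    if nonce in CONSUMED_NONCES:
        return False                       # replayed
    CONSUMED_NONCES.add(nonce)
    return True


def reauth_fixed(session_id: str, account: str, password: str):
    """Returns (response for the client, grant or None). Only the grant is
    accepted by the transfer endpoint; the JSON body is informational."""
    if not check_password(account, password):
        return {"data": {"reauth": {"success": False}}}, None
    grant = issue_grant(session_id, account, "data_transfer")
    return {"data": {"reauth": {"success": True}}}, grant


def start_transfer_fixed(session_id: str, account: str, grant) -> str:
    if grant is None or not verify_grant(grant, session_id, account, "data_transfer"):
        return "denied"
    return "transfer started"


def forged_attempt_fixed(session_id: str, account: str) -> str:
    """Repeats the post's technique against the fixed flow: wrong password,
    response edited to success:true, then the transfer request."""
    resp, grant = reauth_fixed(session_id, account, "wrong-password")
    resp["data"]["reauth"]["success"] = True     # edited on the client side
    # No server-issued grant exists, so the client can only present a made-up one.
    fake = "|".join([session_id, account, "data_transfer",
                     str(int(time.time()) + 300), "00000000", "0" * 64])
    return start_transfer_fixed(session_id, account, grant or fake)
```

In the fixed flow the edited JSON changes nothing, because the transfer endpoint verifies an HMAC the client cannot produce, checks that the grant is bound to the same session, account and action, rejects it after its TTL, and consumes its nonce so a captured grant cannot be replayed for a second transfer. From a monitoring standpoint the same model suggests a useful signal: a transfer that starts for an account whose last re-authentication attempt in that session failed should not be possible and is worth alerting on.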

Proof of Concept Video

For a detailed demonstration, refer to the POC video here.

Impact

This vulnerability allows an attacker to gain unauthorized access to sensitive user data from linked Facebook, Instagram, and Meta accounts. By exploiting this flaw, an attacker can bypass the security mechanisms meant to protect this data, leading to potential privacy breaches and misuse of personal information.

Timeline

  • May 6, 2024: Reported
  • May 22, 2024: Triaged
  • May 29, 2024: Bounty Rewarded ($5000)
