This is how I was able to see and delete your private Facebook Portal photos

About Facebook Portal

Description

Impact

Story

Repro Steps

UserA Steps

  • Clicked the upload button, selected an image and clicked “Add 1 Photo”.
  • Clicked “New Album” to upload the selected image into a newly created album.
  • Right after the image was uploaded, the request response contained the details of the uploaded media, such as the Media ID and the CDN URL.
  • Copied that Media ID from the response to test it further.

UserB Steps

  • Did everything the same way as UserA, but this time I noticed something new.
  • While checking all the requests in HttpCanary, I found the endpoint that creates the album. Most importantly, some of its parameters were empty; in particular, “album_media_ids” was an empty list.
  • I was curious what would happen if I appended UserA’s Media ID to this empty list.
  • I replaced [] with [“135XXXXXXXXXX39”], where 135XXXXXXXXXX39 was UserA’s Media ID, and sent the request.
  • It did not return any error such as “You are not allowed to perform this action” or “You are not allowed to access/upload this media”. Instead it returned a valid response containing the media CDN URL, because the backend was not verifying the Owner ID of that particular media. Because of this missing check, the endpoint was vulnerable to an IDOR attack.
  • When I opened UserB’s Facebook Portal app, I saw that UserA’s photo had been added to the newly created album.
  • I then decided to delete the photo from UserB’s newly created album to see what would happen in UserA’s account.
  • I deleted that photo from UserB’s album and checked UserA’s account.
  • Well! Well! Well, the photo was deleted from UserA’s album too.
  • I stopped testing and reported the vulnerability to the Facebook WhiteHat program.
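The two failures the steps above describe, an album endpoint that attaches any media ID it is handed and a delete that destroys the underlying photo rather than the album association, can be modelled in a few dozen lines. The following is an added example written for this page, not Facebook Portal’s code: an in-memory `AlbumStore` that can run either with the missing ownership check (reproducing the behaviour reported above) or with the check in place. Every name here (`AlbumStore`, `Media`, `Album`, `Forbidden`, the user IDs and CDN URL) is a constructed placeholder.

```python
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when a caller references an object it does not own."""


@dataclass
class Media:
    media_id: str
    owner_id: str
    cdn_url: str


@dataclass
class Album:
    album_id: str
    owner_id: str
    name: str
    media_ids: list = field(default_factory=list)


class AlbumStore:
    """Hypothetical backend for the album endpoint (constructed example).

    check_ownership=False mirrors the behaviour the write-up reports;
    check_ownership=True is the hardened form.
    """

    def __init__(self, check_ownership: bool):
        self.check_ownership = check_ownership
        self.media: dict = {}
        self.albums: dict = {}

    def upload(self, owner_id: str, cdn_url: str) -> str:
        # Constructed media IDs; real ones are only known from the response.
        mid = str(1350000000000 + len(self.media))
        self.media[mid] = Media(mid, owner_id, cdn_url)
        return mid

    def _assert_owns_media(self, caller_id: str, media_id: str) -> Media:
        m = self.media.get(media_id)
        # Same error for "missing" and "not yours": the check must not reveal
        # whether an ID exists in another account.
        if m is None or m.owner_id != caller_id:
            raise Forbidden("media not found or not owned by caller")
        return m

    def create_album(self, caller_id: str, name: str, album_media_ids: list) -> dict:
        if self.check_ownership:
            # Authorize every referenced object before any state is written.
            for mid in album_media_ids:
                self._assert_owns_media(caller_id, mid)
        album = Album(f"album-{len(self.albums) + 1}", caller_id, name)
        album.media_ids.extend(album_media_ids)
        self.albums[album.album_id] = album
        return {
            "album_id": album.album_id,
            "media": [self.media[mid].cdn_url for mid in album.media_ids],
        }

    def delete_from_album(self, caller_id: str, album_id: str, media_id: str) -> None:
        album = self.albums[album_id]
        if album.owner_id != caller_id:
            raise Forbidden("album not owned by caller")
        if media_id in album.media_ids:
            album.media_ids.remove(media_id)
        if not self.check_ownership:
            # Observed behaviour: removing the photo from any album destroys the
            # photo itself, so it vanishes from the real owner's album as well.
            self.media.pop(media_id, None)
            for other in self.albums.values():
                if media_id in other.media_ids:
                    other.media_ids.remove(media_id)
        # Hardened behaviour: only this album's association is dropped.

    def delete_media(self, caller_id: str, media_id: str) -> None:
        # Destroying the object is a separate action gated on media ownership.
        self._assert_owns_media(caller_id, media_id)
        del self.media[media_id]
        for album in self.albums.values():
            if media_id in album.media_ids:
                album.media_ids.remove(media_id)
```

The design point is that the ID in `album_media_ids` is client-supplied and therefore untrusted: authorization has to be evaluated per referenced object, against the caller’s identity, before the album is created, and “remove from album” must be a distinct operation from “delete the photo” so that a reference held in one account can never destroy data owned by another.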

Bonus

Timeline

Abhishek Pathak