We could have removed all Facebook notes!

This blog post is about an Insecure direct object reference vulnerability in Facebook Notes.

Written by Anand Prakash

January 30, 2018 | 2 min read

Note: This is being published with the permission of Facebook under the responsible disclosure policy. The vulnerability is now fixed.

This blog post is about an Insecure Direct Object Reference vulnerability in Facebook Notes, through which an attacker could have removed all of your notes simply by replacing his own note id with yours in the note-editing request.

About Facebook Notes

Facebook Notes let you write entries about your life, thoughts, or all-time favorite songs and share them with your Facebook friends. The beauty of Notes lies in the ability to blog without needing to distribute a web address to friends so they can go and check out your blog. Instead, your friends are already connected to your Profile, so when you publish a Note it appears in your News Feed.

About the Vulnerability

Insecure Direct Object References occur when an application provides direct access to objects based on user-supplied input. As a result of this vulnerability, attackers can bypass authorization and access resources in the system directly, for example, database records or files.

Insecure Direct Object References allow attackers to bypass authorization and access resources directly by modifying the value of a parameter used to directly point to an object. Such resources can be database entries belonging to other users, files in the system, and more. This is caused by the fact that the application takes user-supplied input and uses it to retrieve an object without performing sufficient authorization checks. For more information, refer here.

Vulnerable Request

POST /a/note.php?note_id=[victim’s note id]&publish&gfid=[attacker’s token]
Host: touch.facebook.com
fb_dtsg=[attacker’s token]&charset_test=&title=&body=&privacy=&=Publish&_dyn=&__user=[attacker’s userID]

Replacing note_id in the above request with the victim's note id led to the successful removal of that note from the victim's account, because the server never checked that the note belonged to the user making the request. The note id can be seen by visiting the victim's note and copying the id from the URL.
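To make the missing check concrete, here is an added illustration (not Facebook's code) of a note-removal handler in the vulnerable shape beside its hardened form. The note ids, user ids, session tokens and in-memory store are constructed for the example; the request mirrors the one shown above.

```python
# Added illustration (not Facebook's code): an IDOR-prone "publish/remove note"
# handler beside its hardened form. Ids, tokens and the store are constructed.
from urllib.parse import parse_qs, urlparse

# Constructed sample data: note id -> owner user id
NOTES = {"1001": "victim_uid", "2002": "attacker_uid"}
# Constructed session tokens (stand-in for gfid / fb_dtsg) -> authenticated user id
SESSIONS = {"tok_attacker": "attacker_uid", "tok_victim": "victim_uid"}

def parse_request(request_line, body):
    """Pull note_id, the session token and the client-claimed user out of the request."""
    qs = parse_qs(urlparse(request_line.split()[1]).query)
    form = parse_qs(body)
    return {
        "note_id": qs.get("note_id", [None])[0],
        "token": qs.get("gfid", [None])[0],
        "claimed_user": form.get("__user", [None])[0],  # never to be trusted
    }

def remove_note_vulnerable(req, notes):
    """Insecure: removes whatever note_id the client supplied, no ownership check."""
    notes = dict(notes)
    if req["token"] not in SESSIONS or req["note_id"] not in notes:
        return 400, notes
    del notes[req["note_id"]]
    return 200, notes

def remove_note_hardened(req, notes):
    """Fixed: resolve the acting user from the session token, ignore __user from
    the body, and refuse unless that user owns the referenced note."""
    notes = dict(notes)
    actor = SESSIONS.get(req["token"])
    if actor is None:
        return 401, notes
    owner = notes.get(req["note_id"])
    if owner is None or owner != actor:
        # Same response for "missing" and "not yours" so ids cannot be enumerated
        return 404, notes
    del notes[req["note_id"]]
    return 200, notes

# Constructed request in the shape shown above: attacker's token, victim's note id
REQUEST_LINE = "POST /a/note.php?note_id=1001&publish&gfid=tok_attacker HTTP/1.1"
BODY = "fb_dtsg=tok_attacker&charset_test=&title=&body=&privacy=&=Publish&_dyn=&__user=attacker_uid"

if __name__ == "__main__":
    req = parse_request(REQUEST_LINE, BODY)
    print(remove_note_vulnerable(req, NOTES))  # (200, ...): victim's note removed
    print(remove_note_hardened(req, NOTES))    # (404, ...): note untouched
```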

Video Proof Of Concept:

Disclosure Timeline

June 15, 2015: Report sent to Facebook Security team

June 16, 2015: Bug acknowledged by Facebook Security team

June 16, 2015: Vulnerability Fixed

June 22, 2015: Bounty of $2500 was awarded by Facebook