
facebook vulnerability 2013


Facebook Exploit [post to Facebook users even if they are not in the friend list] August 2013


Name : Khalil Shreateh  


Address : Yatta-Hebron/Palestine

Job : unemployed :/

Days ago I discovered a serious Facebook vulnerability that allows a Facebook user to post to any Facebook user's timeline, even if they are not in his friend list.
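The bug described above belongs to the broken-access-control class: the server authenticated the poster but never asked whether the target's privacy setting allowed the post. The following is an added, hypothetical model of that class written for this page (it is not Facebook's code, and the `User` model, the `timeline_posting` setting and the friend graph are constructed assumptions). It shows the vulnerable pattern beside the hardened one, which performs an object-level authorization check against the target's setting and records denials for detection.

```python
"""Hypothetical model of a timeline-posting authorization check.
Added example for this page; not Facebook's code. The data model,
the privacy setting names and the sample users are constructed."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


@dataclass
class User:
    name: str
    # Who may post to this user's timeline: "friends" or "everyone" (assumed setting names).
    timeline_posting: str = "friends"
    friends: Set[str] = field(default_factory=set)
    timeline: List[Tuple[str, str]] = field(default_factory=list)


class TimelineService:
    def __init__(self, users: List[User]) -> None:
        self.users = {u.name: u for u in users}
        self.audit_log: List[str] = []

    def _can_post(self, actor: str, target: str) -> bool:
        """Object-level authorization: the TARGET's setting decides,
        not the mere fact that the actor is logged in."""
        if actor == target:
            return True
        owner = self.users[target]
        if owner.timeline_posting == "everyone":
            return True
        if owner.timeline_posting == "friends":
            return actor in owner.friends
        return False  # fail closed on an unknown setting

    def post_unchecked(self, actor: str, target: str, text: str) -> bool:
        """Vulnerable pattern: authenticates the actor, never checks target privacy."""
        if actor not in self.users:
            raise PermissionError("not logged in")
        self.users[target].timeline.append((actor, text))
        return True

    def post(self, actor: str, target: str, text: str) -> bool:
        """Hardened pattern: same authentication, plus the authorization check,
        with denied attempts written to an audit log for monitoring."""
        if actor not in self.users:
            raise PermissionError("not logged in")
        if not self._can_post(actor, target):
            self.audit_log.append(f"DENY post {actor}->{target}")
            return False
        self.users[target].timeline.append((actor, text))
        return True


def make_users() -> List[User]:
    # Constructed sample graph: owner is friends with friend only; stranger is unrelated.
    return [
        User("owner", friends={"friend"}),
        User("friend", friends={"owner"}),
        User("stranger"),
    ]


def demo() -> Tuple[int, bool, bool, List[str]]:
    """Returns (posts landed via the unchecked path, stranger allowed via the
    checked path, friend allowed via the checked path, audit log)."""
    vulnerable = TimelineService(make_users())
    vulnerable.post_unchecked("stranger", "owner", "hello")  # lands despite "friends" setting
    landed = len(vulnerable.users["owner"].timeline)

    hardened = TimelineService(make_users())
    stranger_ok = hardened.post("stranger", "owner", "hello")  # denied and logged
    friend_ok = hardened.post("friend", "owner", "hi")  # allowed
    return landed, stranger_ok, friend_ok, list(hardened.audit_log)


def demo_public_timeline() -> bool:
    """An owner who opted in to "everyone" accepts posts from non-friends."""
    svc = TimelineService([User("owner", timeline_posting="everyone"), User("stranger")])
    return svc.post("stranger", "owner", "hello")


if __name__ == "__main__":
    print(demo())
    print(demo_public_timeline())
```

The point of the audit entry is that a missing-authorization bug of this kind is invisible in normal application logs (the request succeeds), whereas a denied attempt in the hardened path is exactly the signal a detection rule can alert on.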

 

I reported that exploit through Whitehat --> www.facebook.com/whitehat

This email shows my report, including Facebook Security's reply:



Hi Ḱhalil,
I don't see anything when I click the link except an error.
Thanks,

Emrakul
Security
Facebook

-----Original Message to Facebook-----
From: kha****@hotmail.com
To:
Subject: post to facebook users wall .

Name: Ḱhalil
E-Mail: khal****@hotmail.com
Type: privacy
Scope: www
Description: dear facebook team .

my name is khalil shreateh.
i finished school with a B.A degree in Information Systems .

i would like to report a bug in your main site (www.facebook.com) which i discovered .

repro:
the bug allows facebook users to share links to other facebook users , i tested it on sarah.goodin's wall and i got a successful post
link - > https://www.facebook.com/10151857333098885
-----End Original Message to Facebook-----

describing the exploit to them, with a link to the Facebook post that I made to Sarah Goodin's timeline.

Sarah Goodin is the girl who was in the same college as Mark Zuckerberg.

This picture shows the post:
Facebook Security's reply was that the link gives an error when opened. Of course they didn't use their authority to view Sarah's private posts, as Sarah shares her timeline posts with her friends only; I was able to view that post because I am the one who posted it, even though I am not in her friend list. That is what I told them in a reply, and I also told them that I may post to Mark Zuckerberg's timeline, as this picture shows:

As usual they ignored my reply, so I made another report. This email shows their reply to my second report, including the report:



Hi Ḱhalil,

I am sorry this is not a bug.
Thanks,

Emrakul
Security
Facebook

-----Original Message to Facebook-----
From: khali***@hotmail.com
To: 
Subject: urgent : post to non-friends facebook users wall . 
Name: Ḱhalil
E-Mail: kh***@hotmail.com
Type: privacy

Scope: www

Description: dear facebook team . 
my name is khalil shreateh. 
i finished school with a B.A degree in Information Systems . 
i would like to report a bug in your main site (www.facebook.com) which i discovered. 
i'm reporting this bug for the second time.
repro:
the vulnerability allows facebook users to share posts to non-friend facebook users , i made a post to sarah.goodin's timeline and i got a successful post 
link - > https://www.facebook.com/10151857333098885 
of course you may not be able to see the link because sarah's timeline posts are shared only with her friends , you need to be her friend to see that post or you can use your own authority . 
this is a picture that shows that post : 
https://fbcdn-sphotos-h-a.akamaihd.net/hphotos-ak-ash4/q71/s720x720/999429_10151857336258885_2061448780_n.jpg
-----End Original Message to Facebook-----

I told them that Sarah shares her timeline with her friends only, and I also sent them a picture showing the post I made to Sarah's timeline. Their reply was "sorry this is not a bug", so I replied back and said that I had no choice but to post to Mark Zuckerberg's timeline.

So I did post to Mark Zuckerberg's timeline, as these pictures show:
I told him about the exploit and all the reports I had sent, with a link to the last report including Facebook Security's reply. Minutes after, a Facebook security engineer, Ola Okelola, commented on my picture on Facebook asking me to send him all the details about the exploit:

You can see the conversation at this link: https://www.facebook.com/10151865722018885

A minute after that my account was disabled; as they said, Facebook has every right to disable any Facebook account without giving a reason. I made another report asking Facebook Security to reactivate my account. This is the email showing my report, including their reply:

Dear Khalil,

Facebook disabled your account as a precaution. When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions.

We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site.

We have now re-enabled your Facebook account.

Joshua
Security Engineer
Facebook
-----Original Message to Facebook-----
From: khalil1828@hotmail.com
To: 
Subject: bypass facebook posts to timeline privacy

Name: Khalil Khalil
E-Mail: khalil1828@hotmail.com
Type: privacy
Scope: www
Description: ok , this is the third time i report this bug , 

i know that you guys now know that it's a bug for sure after 
facebook.com/ola deactivated my account which is facebook.com/khalil.iz.sh

i want my account back as soon as possible , as i report the bugs for you and i didn't use other fake accounts or test accounts to break privacy .

also my account contains important messages that some of my friends need back .

https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-ash3/1174822_10200988067716575_1496625129_n.jpg

repro:

this is the last post i made before " www.facebook.com/ola " deactivated my account ,
i had no choice after you guys replied twice back to me that this is not a bug . 

https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-prn1/543398_10151865722018885_1202186069_n.jpg

-----End Original Message to Facebook-----

I replied back that the Facebook report page has a "proof of concept" field and I can't prove it without sending pictures or a video. That is bullshit.

After my second report I recorded this video, which shows the exploit. I was rushing to record it because they could have closed that exploit at any second:
