Saturday 7 September 2013

Hacking Facebook to delete any account; Facebook again refuses to pay Bounty

In the past few days, Facebook refused to pay bounty to Khalil Shreateh, the security researcher who used the bug he discovered to post directly on Facebook CEO Mark Zuckerberg’s Timeline after Facebook Security rejected his attempts to report it.


Ehraz Ahmed, an independent Security Researcher claimed that he reported a critical vulnerability to the Facebook Security team, which allows the attacker to delete any account from Facebook.
But Facebook refuses to Pay Bug Bounty, because he tested flaw once on his friend's account, "I reported this bug to Facebook, I'm really not happy with them. After waiting for such a long time for their reply, they denied it saying that you used this bug only works for test accounts, where as I used it for removing real accounts and now the vulnerability is also fixed after their email." he said on his blog.

Video Demonstration of Exploit:


Vulnerable URL:
https://www.facebook.com/ajax/whitehat/delete_test_users.php? fb_dtsg=AQA1E-WE&selected_users[0]=[Victems Profile ID]&__user=[Attackers Profile ID]&__a=1
Where selected_users[0] and __user parameters are vulnerable to run exploit.

The hacker also claimed that using the flaw hacker was also able to delete Facebook CEO Mark Zuckerberg’s profile. For now the vulnerability is fixed by the Facebook team. Just four days before Facebook fixed another flaw that allowed hackers to delete photos of any user.

But Should these Bug Hunters now stop reporting to vendors and start selling exploits again in underground hacking forums ? 

Note: We are trying to contact the Facebook Security team to get more information about this, Stay tuned for further updates on this.

Update : According to an official statement, provided to Computerworld blog by Michael Kirkland, communications manager at Facebook, they are calling Ahmed's claim a hoax.

This is not a real bug. We've audited our code to verify that there's no variant of the proposed exploit that works against this endpoint or any other that we've found. Furthermore, we've verified in our logs that the 'test account' being used in the demonstration video was manually deactivated by visiting https://www.facebook.com/deactivate.php.

This is simply a hoax. The html source shown in the video clearly says "No test user was deleted". We've verified in our logs that the victim account was manually deactivated by visiting https://www.facebook.com/deactivate.php.

Anyone can visit https://www.facebook.com/whitehat/accounts/ and verify that the query parameter used by this endpoint is selected_test_users not selected_users. We've also audited our code to verify that there's no variant of this exploit that works against that endpoint or any other that we've found. In fact, the most recent code change to this endpoint was in April and was routine maintenance that had no security implications.

No comments:

Post a Comment