The vulnerable system is bound to the network stack and the set of possible attackers extends beyond the other options listed below, up to and including the entire Internet. Such a vulnerability is often termed “remotely exploitable” and can be thought of as an attack being exploitable at the protocol level one or more network hops away (e.g., across one or more routers). An example of a network attack is an attacker causing a denial of service by sending a specially crafted TCP packet across a wide area network (e.g., CVE-2004-0230).
Attack Complexity
Low
AC
The attacker must take no measurable action to exploit the vulnerability. The attack requires no target-specific circumvention to exploit the vulnerability. An attacker can expect repeatable success against the vulnerable system.
Privileges Required
Low
PR
The attacker requires privileges that provide basic capabilities that are typically limited to settings and resources owned by a single low-privileged user. Alternatively, an attacker with Low privileges has the ability to access only non-sensitive resources.
User Interaction
None
UI
The vulnerable system can be exploited without interaction from any human user, other than the attacker. Examples include: a remote attacker is able to send packets to a target system a locally authenticated attacker executes code to elevate privileges
Scope
Unchanged
S
An exploited vulnerability can only affect resources managed by the same security authority. In the case of a vulnerability in a virtualized environment, an exploited vulnerability in one guest instance would not affect neighboring guest instances.
Confidentiality
Low
C
There is some impact on confidentiality, but the attacker either does not gain control of any data, or the information obtained does not have a significant impact on the system or its operations.
Integrity
Low
I
Modification of data is possible, but the attacker does not have control over what can be modified, or the extent of what the attacker can affect is limited. The data modified does not have a direct, serious impact on the system.
Availability
None
A
There is no impact on the availability of the system; the attacker does not have the ability to disrupt access to or use of the system.
Facebook User ID Bypass IssueDocument Title:
===============
Facebook Bug Bounty #33 - Bypass ID user to linked Phone Number Vulnerability
References (Source):
====================
http://www.vulnerability-lab.com/get_content.php?id=1896
Release Date:
=============
2016-08-08
Vulnerability Laboratory ID (VL-ID):
====================================
1896
Common Vulnerability Scoring System:
====================================
3.5
Product & Service Introduction:
===============================
Facebook is a for-profit corporation and online social networking service based in Menlo Park, California, United States. The Facebook website was
launched on February 4, 2004 by Mark Zuckerberg, along with fellow Harvard College students and roommates, Eduardo Saverin, Andrew McCollum, Dustin
Moskovitz, and Chris Hughes. The founders had initially limited the website's membership to Harvard students; however, later they expanded it to
higher education institutions in the Boston area, the Ivy League schools, and Stanford University. Facebook gradually added support for students
at various other universities, and eventually to high school students as well. Since 2006, anyone age 13 and older has been allowed to become a
registered user of Facebook, though variations exist in the minimum age requirement, depending on applicable local laws. The Facebook name comes
from the face book directories often given to United States university students. After registering to use the site, users can create a user profile,
add other users as `friends`, exchange messages, post status updates and photos, share videos, use various applications (apps), and receive
notifications when others update their profiles. Additionally, users may join common-interest user groups organized by workplace, school, or other
topics, and categorize their friends into lists such as `People From Work` or `Close Friends`. In groups, editors can pin posts to top. Additionally,
users can complain about or block unpleasant people. Because of the large volume of data that users submit to the service, Facebook has come under
scrutiny for their privacy policies. Facebook, Inc. held its initial public offering (IPO) in February 2012, and began selling stock to the public
three months later, reaching an original peak market capitalization of $104 billion. On July 13, 2015, Facebook became the fastest company in the
Standard & Poor's 500 Index to reach a market cap of $250 billion. Facebook has more than 1.65 billion monthly active users as of March 31, 2016.
(Copy of the Homepage: https://en.wikipedia.org/wiki/Facebook )
Abstract Advisory Information:
==============================
Two independent vulnerability laboratory researchers discovered a bypass and validation vulnerability in the Facebook online service web-application & mobile api.
Vulnerability Disclosure Timeline:
==================================
2016-04-02: Researcher Notification & Coordination (SaifAllah benMassaoud & Zahid Mehmood)
2016-04-03: Vendor Notification (Facebook Whitehat Security Team)
2016-04-09: Vendor Response/Feedback (Facebook Whitehat Security Team)
2016-05-20: Vendor Fix/Patch (Facebook Developer Team)
2016-05-21: Security Acknowledgements (Facebook Whitehat Security Team - Bounty: 1500$)
2016-08-08: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Affected Product(s):
====================
Facebook
Product: Mobile Web Application (API) 2016 Q2
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Technical Details & Description:
================================
The bypass user id web vulnerability has been discovered in the official Facebook online service web-application & mobile api.
The vulnerability allows remote attackers to determine which specific Facebook user ID is linked with a mobile phone number
without secure approval. The vulnerability is located in the `ctx" and `recover` `lwv` parameters and `/login/identify` modules.
Attackers can setup the privacy settings, who can look me up using a phone number? Set it to Friends Only, the attacker is able
to bypass that security approval to preview.
The security risk of the bypass user id vulnerability is estimated as medium with a cvss (common vulnerability scoring system) count of 3.5.
Exploitation of the vulnerability allows an attacker to determine which specific facebook user ID is linked with the mobile phone number.
Vulnerable Module(s):
[+] /login/identify
Vulnerable Parameter(s):
[+] ctx
[+] recover
[+] lwv
Proof of Concept (PoC):
=======================
The bypass user id issue can be exploited by remote attackers to determine which specific Facebook user ID is linked to a mobile phone number.
For security demonstration or to reproduce the security vulnerability follow the provided information and steps below to continue.
Manual steps to reproduce the vulnerability ...
1. Open the following url with ssl
Note: https://www.facebook.com/login/identify?ctx=recover&lwv=111
2. Type phone number in the box (Email, Phone, Username or Full Name)
Note: For example, i am attacking one of my test facebook IDs, where i turn on my privacy settings to `Who can look you up using the phone number you provided?`(Friends Only).
No one can see my profile name etc ... Type a number in the box (The facebook account you're attacking only has a mobile phone number added). In my case i used my test id and click on `Serach`
3. Now the attacker clicks to `No Longer have access to these?`
4. Type "New Email" Confirm "New Email"
5. Now `Fill in the form` with fake information and process to `Submit`
Note: You will receive a response from facebook to your email ibox that confirms the issue.
Solution - Fix & Patch:
=======================
The vulnerability was addressed by the facebook developer team during the updates 2016-05-20.
Security Risk:
==============
The security risk of the `./login/identify` bypass user id vulnerability is estimated as medium. (CVSS 3.5)
Credits & Authors:
==================
SaifAllah benMassaoud & Zahid Mehmood - ( http://www.vulnerability-lab.com/show.php?user=SaifAllahbenMassaoud )
Disclaimer & Information:
=========================
The information provided in this advisory is provided as it is without any warranty. Vulnerability Lab disclaims all warranties, either expressed or implied,
including the warranties of merchantability and capability for a particular purpose. Vulnerability-Lab or its suppliers are not liable in any case of damage,
including direct, indirect, incidental, consequential loss of business profits or special damages, even if Vulnerability-Lab or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing
limitation may not apply. We do not approve or encourage anybody to break any licenses, policies, deface websites, hack into databases or trade with stolen data.
Domains: www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
Contact: [email protected] - [email protected] - [email protected]
Section: magazine.vulnerability-lab.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
Social: twitter.com/vuln_lab- facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
Feeds: vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
Programs: vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register.php
Any modified copy or reproduction, including partially usages, of this file requires authorization from Vulnerability Laboratory. Permission to electronically
redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Vulnerability-Lab Research Team or
its suppliers. All pictures, texts, advisories, source code, videos and other information on this website is trademark of vulnerability-lab team & the specific
authors or managers. To record, list, modify, use or edit our material contact (admin@ or [email protected]) to get a ask permission.
Copyright A(c) 2016 | Vulnerability Laboratory - [Evolution Security GmbH]aC/
--
VULNERABILITY LABORATORY - RESEARCH TEAM
SERVICE: www.vulnerability-lab.com
This information is provided for TESTING and LEGAL RESEARCH purposes only. All trademarks used are properties of their respective owners. By visiting this website you agree to Terms of Use and Privacy Policy and Impressum