Date: Wed, 11 Feb 2015 10:10:31 -0500
From: Scott Arciszewski <scott@...iszewski.me>
To: Vulnerability Lab <research@...nerability-lab.com>
Cc: fulldisclosure@...lists.org
Subject: Re: [FD] Facebook Bug Bounty #23 - Session ID & CSRF Vulnerability

>
> Security Risk:
> ==============
> The security risk of the security vulnerability in the facebook framework
> is estimated as critical. (CVSS 9.1)
>

Care to run that calculation by us?

On Wed, Feb 11, 2015 at 9:53 AM, Vulnerability Lab <research@...nerability-lab.com> wrote:

> Document Title:
> ===============
> Facebook Bug Bounty #23 - Session ID & CSRF Vulnerability
>
>
> References (Source):
> ====================
> http://www.vulnerability-lab.com/get_content.php?id=1432
>
> Facebook Security ID: 10202805822321483
>
> Video: https://www.youtube.com/watch?v=SAr2AGLrBkQ
>
> Vulnerability Magazine:
> http://magazine.vulnerability-db.com/?q=articles/2015/02/03/facebook-security-12500-bug-bounty-reward-security-researcher
>
>
> Release Date:
> =============
> 2015-02-03
>
>
> Vulnerability Laboratory ID (VL-ID):
> ====================================
> 1432
>
>
> Common Vulnerability Scoring System:
> ====================================
> 9.1
>
>
> Product & Service Introduction:
> ===============================
> Facebook is an online social networking service, whose name stems from the
> colloquial name for the book given to students
> at the start of the academic year by some university administrations in
> the United States to help students get to know
> each other. It was founded in February 2004 by Mark Zuckerberg with his
> college roommates and fellow Harvard University
> students Eduardo Saverin, Andrew McCollum, Dustin Moskovitz and Chris
> Hughes. The website's membership was initially limited
> by the founders to Harvard students, but was expanded to other colleges in
> the Boston area, the Ivy League, and Stanford University.
> It gradually added support for students at various other universities
> before opening to high school students, and eventually to anyone
> aged 13 and over. Facebook now allows any users who declare themselves to
> be at least 13 years old to become registered users of the site.
>
> Users must register before using the site, after which they may create a
> personal profile, add other users as friends, and exchange messages,
> including automatic notifications when they update their profile.
> Additionally, users may join common-interest user groups, organized by
> workplace,
> school or college, or other characteristics, and categorize their friends
> into lists such as 'People From Work' or 'Close Friends'. As of
> September 2012, Facebook has over one billion active users, of which 8.7%
> are fake. According to a May 2011 Consumer Reports survey, there are
> 7.5 million children under 13 with accounts and 5 million under 10,
> violating the site's terms of service.
>
> In May 2005, Accel partners invested $12.7 million in Facebook, and Jim
> Breyer added $1 million of his own money to the pot. A January 2009
> Compete.com study ranked Facebook as the most used social networking
> service by worldwide monthly active users. Entertainment Weekly included the
> site on its end-of-the-decade 'best-of' list, saying, 'How on earth did we
> stalk our exes, remember our co-workers' birthdays, bug our friends,
> and play a rousing game of Scrabulous before Facebook?' Facebook
> eventually filed for an initial public offering on February 1, 2012, and was
> headquartered in Menlo Park, California. Facebook Inc. began selling stock
> to the public and trading on the NASDAQ on May 18, 2012. Based on its
> 2012 income of USD 5.1 Billion, Facebook joined the Fortune 500 list for
> the first time, being placed at position of 462 on the list published in
> 2013.
>
> (Copy of the Homepage: http://en.wikipedia.org/wiki/Facebook )
>
>
> Abstract Advisory Information:
> ==============================
> An independent Vulnerability Laboratory researcher discovered a session
> manipulation vulnerability and CSRF bug in the official Facebook online
> service web-application.
>
>
> Vulnerability Disclosure Timeline:
> ==================================
> 2015-02-03:     Public Disclosure (Vulnerability Laboratory)
>
>
> Discovery Status:
> =================
> Published
>
>
> Affected Product(s):
> ====================
> Facebook
> Product: Framework - Content Management System 2015 Q1
>
>
> Exploitation Technique:
> =======================
> Remote
>
>
> Severity Level:
> ===============
> Critical
>
>
> Technical Details & Description:
> ================================
> A remote session validation vulnerability and cross site request forgery
> bug have been discovered in the official Facebook online service
> web-application.
> The vulnerability allows executing functions without secure validation to
> compromise user content in the online service web-application of Facebook.
>
> The vulnerability is located in the comment id and legacy id of the
> comments function. Remote attackers with low-privileged user accounts are
> able to delete postings of other users without auth. The attacker can
> intercept the session and exchange the comment and legacy id to delete or
> add comments, for example.
> The issue is known as critical and imposes a high risk on other user
> accounts. To manipulate, the attacker needs to intercept the session and
> manipulate the legacy and comment ids.
>
> The security risk of the session validation vulnerability and CSRF issue
> is estimated as critical with a CVSS (Common Vulnerability Scoring System)
> count of 9.1.
> Exploitation of the vulnerability requires a low-privileged application
> user account and no user interaction. Successful exploitation of the
> vulnerability results in unauthorized deletion or addition of user content
> in the comments function of Facebook.
>
> Vulnerable Module(s):
>                                 [+] Comments
>
> Vulnerable Parameter(s):
>                                 [+] comment_id
>                                 [+] legacy id
>
>
> Proof of Concept (PoC):
> =======================
> The session manipulation vulnerability can be exploited by remote
> attackers with a low-privileged application user account and without user
> interaction.
> For security demonstration or to reproduce the security vulnerability,
> follow the provided information and steps below to continue.
>
> Manual steps to reproduce the vulnerability ...
>
> 01. Log in to your Facebook account
> 02. Put a comment anywhere on a random post
> 03. Remove your comment by using the standard function in Facebook
> 04. Capture the header information of the delete request
> 05. Go to the victim account (any account, not a friend or their friends,
> because the issue works for both)
> 06. Like his comment and capture the request by intercepting the values
> 07. Change your comment id to the victim's comment id and change the
> legacy id
> 08. Replay the tampered request with the manipulated values
> 09. Now the comment will be removed without authorization
> 10. Successful reproduction of the security vulnerability that allows
> deleting any comment of other users. Thanks!
>
>
> Solution - Fix & Patch:
> =======================
> The vulnerability was patched during 2014 by the Facebook developer
> team. The issue was allowed to be released in 2015 Q1.
> The researcher received a reward amount of $12,500 from the bug bounty
> program of the Facebook whitehat team.
>
>
> Security Risk:
> ==============
> The security risk of the security vulnerability in the facebook framework
> is estimated as critical. (CVSS 9.1)
>
>
> Credits & Authors:
> ==================
> Joe Balhis (https://www.facebook.com/joe.balhis)
>
>
> Disclaimer & Information:
> =========================
> The information provided in this advisory is provided as it is without any
> warranty. Vulnerability Lab disclaims all warranties, either expressed
> or implied, including the warranties of merchantability and capability for
> a particular purpose. Vulnerability-Lab or its suppliers are not liable
> in any case of damage, including direct, indirect, incidental,
> consequential loss of business profits or special damages, even if
> Vulnerability-Lab
> or its suppliers have been advised of the possibility of such damages.
> Some states do not allow the exclusion or limitation of liability for
> consequential or incidental damages so the foregoing limitation may not
> apply. We do not approve or encourage anybody to break any vendor licenses,
> policies, deface websites, hack into databases or trade with fraud/stolen
> material.
>
> Domains:    www.vulnerability-lab.com - www.vuln-lab.com - www.evolution-sec.com
> Contact:    admin@...nerability-lab.com - research@...nerability-lab.com - admin@...lution-sec.com
> Section:    magazine.vulnerability-db.com - vulnerability-lab.com/contact.php - evolution-sec.com/contact
> Social:     twitter.com/#!/vuln_lab - facebook.com/VulnerabilityLab - youtube.com/user/vulnerability0lab
> Feeds:      vulnerability-lab.com/rss/rss.php - vulnerability-lab.com/rss/rss_upcoming.php - vulnerability-lab.com/rss/rss_news.php
> Programs:   vulnerability-lab.com/submit.php - vulnerability-lab.com/list-of-bug-bounty-programs.php - vulnerability-lab.com/register/
>
> Any modified copy or reproduction, including partial usage, of this
> file requires authorization from Vulnerability Laboratory. Permission to
> electronically redistribute this alert in its unmodified form is granted.
> All other rights, including the use of other media, are reserved by
> Vulnerability-Lab Research Team or its suppliers. All pictures, texts,
> advisories, source code, videos and other information on this website
> are trademarks of the vulnerability-lab team & the specific authors or managers.
> To record, list (feed), modify, use or edit our material, contact
> (admin@...nerability-lab.com or research@...nerability-lab.com) to get
> permission.
>
> Copyright © 2015 | Vulnerability Laboratory - [Evolution Security GmbH]™
>
>
>
> --
> VULNERABILITY LABORATORY - RESEARCH TEAM
> SERVICE: www.vulnerability-lab.com
> CONTACT: research@...nerability-lab.com
> PGP KEY:
> http://www.vulnerability-lab.com/keys/admin@vulnerability-lab.com%280x198E9928%29.txt
>
>
>
> _______________________________________________
> Sent through the Full Disclosure mailing list
> https://nmap.org/mailman/listinfo/fulldisclosure
> Web Archives & RSS: http://seclists.org/fulldisclosure/

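The PoC steps above amount to: capture the request that deletes your own comment, swap in the victim's comment id and legacy id, and replay it from your own logged-in session. The toy model below is an added example written for this archive page, not Facebook's code and not anything from the advisory; the users, ids and the `csrf_token` form field are constructed for illustration. It contrasts a handler that trusts the client-supplied id pair with one that checks a per-session anti-CSRF token and then checks that the session user is allowed to delete that particular comment.

```python
"""Toy model of the comment-deletion flaw described in the advisory's PoC steps.

Added example, not Facebook's code. Users, ids and the 'csrf_token' form
field are all constructed for illustration. delete_vulnerable() trusts the
client-supplied comment_id/legacy_id pair; delete_hardened() checks a
per-session CSRF token and that the caller may delete that comment.
"""
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Comment:
    comment_id: str   # the id the client sends ("comment id" in the advisory)
    legacy_id: str    # second identifier sent alongside it ("legacy id")
    author: str       # user who wrote the comment
    post_owner: str   # owner of the post the comment sits under


@dataclass
class Session:
    user: str
    # constructed: one random anti-CSRF token per session
    csrf_token: str = field(default_factory=lambda: secrets.token_hex(16))


class CommentStore:
    def __init__(self):
        self.comments = {}

    def add(self, c):
        self.comments[c.comment_id] = c

    def lookup(self, comment_id, legacy_id):
        """Both ids must resolve to the same comment; the tampered request supplies both."""
        c = self.comments.get(comment_id)
        return c if c is not None and c.legacy_id == legacy_id else None


def delete_vulnerable(store, session, form):
    """Only asks 'is the caller logged in and do the ids exist?'.
    Any authenticated user can delete any comment whose ids they can read."""
    c = store.lookup(form.get("comment_id"), form.get("legacy_id"))
    if c is None:
        return "not_found"
    del store.comments[c.comment_id]
    return "deleted"


def delete_hardened(store, session, form):
    # 1. anti-CSRF: the token in the form must match the one bound to this session
    #    (constant-time compare so the check does not leak the token byte by byte)
    if not hmac.compare_digest(form.get("csrf_token", ""), session.csrf_token):
        return "csrf_failed"
    c = store.lookup(form.get("comment_id"), form.get("legacy_id"))
    if c is None:
        return "not_found"
    # 2. authorization: the ids prove nothing; the session user must own the
    #    comment or the post it was made on
    if session.user not in (c.author, c.post_owner):
        return "forbidden"
    del store.comments[c.comment_id]
    return "deleted"


def replay_from_own_session(handler):
    """Steps 01-09 of the advisory: capture your own delete request, swap in the
    victim's ids, replay it from your own session. Returns (result, victim comment survived)."""
    store = CommentStore()
    attacker = Session(user="attacker")
    store.add(Comment("c_victim", "legacy_victim", "victim", "victim"))        # step 05/06 target
    store.add(Comment("c_attacker", "legacy_attacker", "attacker", "someone"))  # step 02
    captured = {"comment_id": "c_attacker", "legacy_id": "legacy_attacker",
                "csrf_token": attacker.csrf_token}                              # step 03/04
    if handler(store, attacker, dict(captured)) != "deleted":
        raise RuntimeError("deleting your own comment should work in both handlers")
    tampered = dict(captured, comment_id="c_victim", legacy_id="legacy_victim")  # step 07
    result = handler(store, attacker, tampered)                                  # step 08
    return result, "c_victim" in store.comments


def forged_cross_site_request(handler):
    """A genuine CSRF: the victim's own session submits ids chosen by a third party,
    whose page could not read the victim's token. Returns (result, victim comment survived)."""
    store = CommentStore()
    victim = Session(user="victim")
    store.add(Comment("c_victim", "legacy_victim", "victim", "victim"))
    forged = {"comment_id": "c_victim", "legacy_id": "legacy_victim", "csrf_token": "guess"}
    return handler(store, victim, forged), "c_victim" in store.comments
```

Note that the replay in the advisory's steps is sent from the attacker's own authenticated session, so it carries the attacker's own valid token and passes the anti-CSRF check; it is the ownership check in `delete_hardened` that refuses it. The token only matters for the second scenario, where a third-party page makes the victim's browser submit the request. A server that fixes only one of the two checks leaves the other path open.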
