So you want to bash stuff together to snag that bounty on Facebook? You wonder
Why am I so stuck? Where is the bug? What’s wrong with the access token? What are my permissions? Why am I slamming my head on this computer? Where is the Secret Sauce? You got the books, you got the tools, you got the gin, now where to flex your powers yo?
Dropping some knowledge from resources already out there, hopefully over time this gets more detailed.
THE UNOFFICIAL FACEBOOK TREASURE MAP
(Last Updated: Thursday June 2nd 2016)
What it does: The Graph API is an interface utilising various calls through http://graph.facebook.com/. The calls that we will use are either publicly accessible or need some form of authorisation via an access token. The access token is your key to the city, but each city has different keys. So get it right and be sure you know where you at. Start by using a user access token. This can be used to make requests to the Facebook API on behalf of the user. Most of the time, this is all you need.
What to look for: See if API calls are missing authorisation checks. The current version of the API is 2.6, with the change log listed at https://developers.facebook.com/doc… . Also look for leaks in data: is the call really supposed to be showing that specific resource? Can you delete all of Justin’s photos?
Sample Bounty: $10,000 USD http://www.7xter.com/2015/03/how-i-exposed-your-private-photos.html
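The "missing authorisation check" and "can you delete all of Justin's photos?" questions above boil down to one thing: does the endpoint check the token, the scope, and who owns the object, or only the first of those? The following is an added example, not code from the original post or from Facebook: a small model of a Graph-style photo delete endpoint, with the broken version beside the hardened one. The token store, scope names and photo records are constructed for illustration.

```python
# Added example (not code from the original post or from Facebook): a minimal model of a
# Graph-style photo endpoint, showing the authorisation checks a delete handler needs and
# the bug that appears when one of them is missing. Token store, scope names and photo
# records are constructed for illustration.
from dataclasses import dataclass, field


class AuthError(Exception):
    """Raised when a request fails validation or authorisation."""


@dataclass
class Photo:
    photo_id: str
    owner: str


@dataclass
class PhotoStore:
    photos: dict = field(default_factory=dict)


# Constructed sample tokens: each maps to the user it acts for and the scopes that user
# granted. The scope names are assumptions made for this example.
TOKENS = {
    "tok_justin": {"user": "justin", "scopes": {"user_photos", "publish_actions"}},
    "tok_alice": {"user": "alice", "scopes": {"user_photos", "publish_actions"}},
    "tok_alice_readonly": {"user": "alice", "scopes": {"user_photos"}},
}


def sample_store():
    """Constructed data: one photo owned by justin, one owned by alice."""
    store = PhotoStore()
    store.photos["p1"] = Photo("p1", "justin")
    store.photos["p2"] = Photo("p2", "alice")
    return store


def delete_photo_unchecked(store, token, photo_id):
    """'Before' version: authenticates the caller but never checks who owns the photo,
    so any valid token can delete anyone's photo. This is the missing-authorisation class
    of bug the post tells you to look for."""
    if token not in TOKENS:
        raise AuthError("invalid token")
    if photo_id not in store.photos:
        raise AuthError("photo not found")
    del store.photos[photo_id]
    return True


def delete_photo(store, token, photo_id):
    """Hardened version: valid token, required scope, and object-level ownership check."""
    principal = TOKENS.get(token)
    if principal is None:
        raise AuthError("invalid token")
    if "publish_actions" not in principal["scopes"]:
        raise AuthError("token lacks the scope needed to delete")
    photo = store.photos.get(photo_id)
    # Same error for "does not exist" and "not yours", so the response does not confirm
    # that someone else's photo id is valid.
    if photo is None or photo.owner != principal["user"]:
        raise AuthError("photo not found")
    del store.photos[photo_id]
    return True


def attempt(handler, store, token, photo_id):
    """Run a handler and report the outcome as a string, handy for comparing both versions."""
    try:
        handler(store, token, photo_id)
        return "deleted"
    except AuthError as err:
        return f"denied: {err}"


if __name__ == "__main__":
    for handler in (delete_photo_unchecked, delete_photo):
        print(handler.__name__, "alice deleting justin's photo ->",
              attempt(handler, sample_store(), "tok_alice", "p1"))
```

Run it and the unchecked handler reports "deleted" for Alice acting on Justin's photo, while the hardened one reports "denied: photo not found". Note that the hardened version returns the same error for a missing photo and for someone else's photo, so the endpoint cannot be used to confirm which ids exist.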
What it does: It’s Graph API over level 9000, basically. Any request you can do via facebook.com you can probably do here. Watch this video for more information: https://www.youtube.com/watch?v=9sc… . Most of the calls are done via Facebook’s native mobile applications, and it’s becoming more visible at messenger.com and facebook.com.
What to look for: Mainly leaks of data you shouldn’t be seeing. You wouldn’t be able to get away with the low-hanging fruit of missing authorisation checks like on graph.facebook.com. Getting these calls to work for you will probably be a task on its own (cert pinning in the Facebook mobile applications), so patience and a lot of testing is needed here. There is no documentation since this is Facebook’s internal API. The rest is up to you.
Sample Bounty: $5,500 USD https://medium.com/@rajsek/my-3rd-f…
What it does: There are various uses for lookaside.*.com, as can be seen at lookaside.fbsbx.com for file attachments.
What to look for: You’re really just going to have to dig in and see here. Proxies are one possible avenue.
Sample Bounty: http://arunsureshkumar.me/index.php…
What it does: This is where you can bulk edit ad data as well as manage business entities. There are various calls and data moving around here, with some dipping into http://graph.facebook.com/ for Ad Object API calls. Instagram advertising can be done from here as well.
What to look for: Facebook is in the business of Ads. So see what’s up with the Ads. Look for payment information being disclosed. Ad accounts should be scoped only to the roles assigned to users. Here is the permission table: https://www.facebook.com/business/h…
Sample Bounty: $8000 USD https://pouyadarabi.blogspot.com/20…
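"Scoped only to the roles assigned to users" is worth seeing as code, especially for a bulk-edit surface where one request touches several accounts. The block below is an added example, not the original post's or Facebook's own code: a role matrix for an ad account, a payment-details endpoint that is admin-only, and a bulk edit that authorises each account separately. The role names, action names and account data are assumed for illustration; the real permission table is the one linked above.

```python
# Added example (not from the original post or Facebook's own code): a role matrix for an
# ad account and the checks that keep each action scoped to the caller's role on *that*
# account. Role names, action names and the accounts below are assumed for illustration.

# Constructed: which actions each role may perform. Payment details are admin-only.
ROLE_ACTIONS = {
    "admin": {"view_ads", "edit_ads", "view_reports", "view_payment", "manage_users"},
    "advertiser": {"view_ads", "edit_ads", "view_reports"},
    "analyst": {"view_ads", "view_reports"},
}

# Constructed: per-account role assignments, account id -> {user: role}.
ACCOUNT_ROLES = {
    "act_1": {"bob": "admin", "carol": "analyst"},
    "act_2": {"carol": "advertiser"},
}


def authorize(user, account_id, action):
    """True only if the user holds a role on this specific account and that role allows the action."""
    role = ACCOUNT_ROLES.get(account_id, {}).get(user)
    if role is None:
        return False
    return action in ROLE_ACTIONS.get(role, set())


def payment_info(user, account_id):
    """Return billing details only to admins of the account; otherwise return nothing at all
    rather than a partially redacted record that still leaks something."""
    if not authorize(user, account_id, "view_payment"):
        return None
    # Constructed placeholder data standing in for a real billing record.
    return {"account_id": account_id, "card_last4": "4242"}


def bulk_edit(user, account_ids, edit):
    """Bulk operations are authorised per account. Holding a role on one account in the batch
    must not carry over to the others."""
    applied, denied = [], []
    for account_id in account_ids:
        if authorize(user, account_id, "edit_ads"):
            applied.append(account_id)  # the edit would be applied to this account here
        else:
            denied.append(account_id)
    return {"applied": applied, "denied": denied}


if __name__ == "__main__":
    print(bulk_edit("carol", ["act_1", "act_2"], {"status": "PAUSED"}))
    print(payment_info("carol", "act_1"), payment_info("bob", "act_1"))
```

Carol is an advertiser on act_2 but only an analyst on act_1, so the bulk edit applies to act_2 and is refused for act_1 rather than silently succeeding on both; the same per-account lookup is what keeps payment details away from anyone who is not an admin on that account.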
What it does: The hub for Facebook third-party developers to read documentation (but they never do!). If you hate reading, this probably isn’t for you; however, there is nowhere else you will get the depth of information listed about API calls and other features in Facebook.
What to look for: With each version bump of the API there is a change to the documentation, and sometimes there are mistakes. You can also look at the bottom of the page to see the last updated time. Keep an eye on closed bugs at developers.facebook.com/bugs; you never know which one is actually a latent security bug. There are also a few tools included that you can play around with: https://developers.facebook.com/too…
Sample Bounty: $4500 USD http://roy-castillo.blogspot.com/20…
What it does: A mini site for developers working with the Marketing API. There are code samples as well as a sample reference application here.
What to look for: See if there is any leakage of data here, as mostly businesses will be passing through this site.
Sample Bounty: $3500 USD http://philippeharewood.com/facebookmarketingdevelopers-com-proxies-csrf-quandry-and-api-fun/
What it does: A site that showcases creative agencies’ work using Facebook as a marketing platform.
What to look for: CSRF and authorisation to use the site. This site has changed a bit over the years, so there may be some old pages lying around.
Sample Bounty: https://whitton.io/articles/content…
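Since CSRF is the first thing listed for this site, here is what the fix looks like on the server side. This is an added example, not code from the original post or from the site itself: a CSRF token bound to the session with an HMAC, and a handler for state-changing requests that rejects GET, checks the Origin header when the browser sends one, and verifies the token in constant time. The site origin, the request shape and the session ids are constructed for illustration.

```python
# Added example (not from the original post or the site's own code): a session-bound CSRF
# token and a request handler that refuses cross-site state changes. The site origin, the
# request shape and the session ids are constructed for illustration.
import hashlib
import hmac
import secrets

SITE_ORIGIN = "https://example.test"  # assumed origin of the site being protected
SERVER_SECRET = secrets.token_bytes(32)  # constructed here; a real server loads it from config


def issue_csrf_token(session_id):
    """Token = nonce.HMAC(secret, session_id:nonce). Binding the MAC to the session means a
    token minted in an attacker's own session is useless against a victim's session."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id, token):
    """Recompute the MAC for this session and compare in constant time."""
    if not token or "." not in token:
        return False
    nonce, mac = token.split(".", 1)
    expected = hmac.new(SERVER_SECRET, f"{session_id}:{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def handle_state_change(request):
    """request is a constructed dict: {"method", "cookies", "headers", "form"}.
    Returns (status, message) the way a web framework view would."""
    if request.get("method") not in ("POST", "PUT", "DELETE"):
        return 405, "state changes must not be reachable via GET"
    session_id = request.get("cookies", {}).get("session")
    if not session_id:
        return 401, "not logged in"
    # Defence in depth: if the browser sent an Origin header, it must be our own site.
    origin = request.get("headers", {}).get("Origin")
    if origin is not None and origin != SITE_ORIGIN:
        return 403, "cross-origin request rejected"
    if not verify_csrf_token(session_id, request.get("form", {}).get("csrf_token")):
        return 403, "missing or invalid CSRF token"
    return 200, "ok"


def make_request(session_id, csrf_token=None, origin=SITE_ORIGIN, method="POST"):
    """Build a constructed request dict for the handler above."""
    form = {"action": "update_profile"}
    if csrf_token is not None:
        form["csrf_token"] = csrf_token
    return {"method": method, "cookies": {"session": session_id},
            "headers": {"Origin": origin}, "form": form}


if __name__ == "__main__":
    token = issue_csrf_token("sess-victim")
    print(handle_state_change(make_request("sess-victim", token)))
    print(handle_state_change(make_request("sess-victim")))
    print(handle_state_change(make_request("sess-victim", issue_csrf_token("sess-attacker"))))
```

The interesting case is the third one: a token that is perfectly valid, just issued to a different session, is refused because the MAC covers the session id. A token that is only checked for "looks well-formed" or "exists in the database" would not catch that.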
What it does: Serves content via Akamai, which can be accessed via various domains but usually fbcdn.net.
What to look for: This is an area where you will first have to understand where your photo of a baby or kitten on your news feed goes after you upload it. Did you really upload a photo? Are photos the only content allowed on this domain? Is this the only domain serving the kitten content?
Sample Bounty: https://whitton.io/articles/xss-on-…
What it does: Facebook’s internal network where employees turn those gears so you can scroll past that “10 Things You Love About Potatoes” BuzzFeed article one more time.
What to look for: If you can get in, look for tools that disclose employee or user data, just be aware of your ethical boundaries.
Vulnerabilities you shouldn’t write about
The friend list issue seems to always be a "won’t fix". I’m pretty sure that every so often security researchers and testers reach this "vulnerability" in one method or another. I’ve gotten a similar response from the Security Team for trying to dig up friend lists. Maybe it helps, maybe it doesn’t.
I’ve learned to accept the stance and move on with other security holes.
"A friend connection is two-way – you friend someone, then they approve the friend request. In essence, a friend connection means both "Kanye considers Kim a friend" and "Kim considers Kanye a friend". In other words, both people involved have some ownership over this claim – which means the privacy isn’t always as simple as with other content."
"Let me use the third example in your screenshots to illustrate. Mark Zuckerberg’s friend list is not public. But Peter Thiel’s friend list is public – meaning if you pull up Peter’s friends, you can see Mark in the list. You can also see Kevin Scott is in the list. Kevin’s friend list isn’t public… but Stuart Gillette’s is, so you can see Kevin show up there. Consequently, using fb:degrees hasn’t shown you any information you couldn’t theoretically figure out by looking at public friend lists – it’s just made it easier to find that info."
"Now I that at first glance this might appear to be inconsistent or a privacy violation. But remember what I said earlier about the two parties involved in a friendship connection. Essentially, you’re free to hide the fact that you consider Kim a friend, but it’s also Kim’s choice to publicise that he counts you as a friend – and hiding connections he’s publicised would essentially override his privacy wishes. In some cases, such as with fb:degrees, we show connections if they’re visible to you on at least one side of the friendship."
"Now, if Mark’s list is private and all of his friends set their lists to private too, you should never get a result. In that case, any final link in the chain connecting you to Mark would involve a friendship that was hidden to you from both sides of the connection, so we wouldn’t display it to you."
"A common case where we get similar reports is the "friendship page" between two people – we show mutual friends of the two people if each of the two friend connections is visible to you on at least one side, but we hide any mutual friends where one of the connections is hidden on both sides. To help clarify some of these situations, we added this description to the friend list privacy setting: "Remember: Your friends control who can see their friendships on their own timelines. If people can see your friendship on another timeline, they’ll be able to see it in news feed, search and other places on Facebook. They’ll also be able to see mutual friends on your timeline."
"This is a case where privacy can get complicated, but we think the way we’ve chosen to operate is a good balance of the competing priorities involved. We’ve also chosen to focus more on privacy controls around your content and personal information, since trying to maintain privacy by limiting discoverability is often an illusion. Since Facebook is a network designed for social participation, it’s nearly impossible for it to work properly and let people stay completely hidden – there are many ways to discover a profile or friendship beyond friend lists or searches. But even if someone discovers your profile, you have a great degree of control about what they can then access. I hope that helps clarify what you were observing here."