Detailed Technical Analysis of "IDOR Facebook | Malicious Person Add People To The Top Fans"

Overview:
This bug bounty write-up by UpdateLap outlines a critical Insecure Direct Object Reference (IDOR) vulnerability in Facebook that allowed an attacker to manipulate a user's Top Fans list. The attack demonstrates how improper authorization checks can lead to significant security breaches, particularly in prominent social networks like Facebook.

Key Technical Details:

  1. Understanding IDOR:
    IDOR vulnerabilities occur when user inputs can directly reference database objects without proper authorization checks. This results in unauthorized access or modification of data.

  2. Vulnerability Discovery:
    The researcher discovered that the following Facebook Graph API endpoint could be used to modify the Top Fans list:

      POST https://graph.facebook.com/<page_id>/top_fans

    By manipulating the page_id and user_id parameters in the request, the researcher was able to add arbitrary users to the Top Fans list of any Facebook page.

  3. Manipulating the Graph API Request:
    Required parameters:
    • page_id: The ID of the Facebook page.
    • user_id: The ID of the user to be added.
    The endpoint did not check whether the person making the request had the right to modify the specified page's Top Fans list.

    Example cURL request:

      curl -X POST \
        -F "page_id=<target_page_id>" \
        -F "user_id=<target_user_id>" \
        -F "access_token=<your_access_token>" \
        "https://graph.facebook.com/<page_id>/top_fans"

    Despite needing an access token, the vulnerability stems from the inadequate checking of whether the access token holder has the right to add users to the specified page's Top Fans list.

  4. Exploitation of the Vulnerability:
    • Token Acquisition: The attacker needs only their own access token, which does not need high privileges.
    • Parameter Tampering: By changing the page_id to a page managed by someone else and user_id to the target user ID, the unauthorized addition to the Top Fans list is executed.

  5. Impact Assessment:
    • Privacy & Trust Violations: Users could be falsely represented as fans of pages they have no association with, leading to privacy concerns.
    • Reputation Damage: Pages might unwillingly bear the appearance of false popularity or association with certain individuals.
    • Potential for Abuse: Malicious actors could misuse this for social engineering attacks, spam, or misinformation.

  6. Fix Implementation:
    • Authorization Checks: Facebook promptly fixed the issue by making the API endpoint perform proper authorization checks, so that only legitimate page admins can modify the Top Fans list of their pages.
    • Token Scope Enforcement: Strengthening the scope and permissions associated with access tokens might help mitigate such vulnerabilities.
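To make the missing check concrete, here is an added example (not Facebook's code or the write-up's) that models the endpoint as two handlers: one that only validates the token, which reproduces the authorization gap, and one that resolves the caller from the token and enforces page-level admin rights before touching the Top Fans list. The token table, admin table and handler names are hypothetical; the body/path page_id consistency check is a general defensive measure and is not something the write-up states.

```python
# Added example: the IDOR described above versus an object-level authorization
# check. All data below is constructed; names are hypothetical.
from dataclasses import dataclass

# Constructed sample data: access_token -> user id of the token holder
TOKENS = {"tok-alice": "alice", "tok-mallory": "mallory"}
# Constructed sample data: page_id -> set of user ids allowed to administer it
PAGE_ADMINS = {"page-100": {"alice"}}
# Server-side state the endpoint mutates: page_id -> set of Top Fans
TOP_FANS = {"page-100": set()}


@dataclass
class Response:
    status: int
    body: str


def add_top_fan_vulnerable(path_page_id, form):
    """Checks only that the token exists, never who owns the page (the IDOR)."""
    if form.get("access_token") not in TOKENS:
        return Response(401, "invalid token")
    # Authenticated but never authorized against the page being modified.
    TOP_FANS.setdefault(path_page_id, set()).add(form["user_id"])
    return Response(200, "added")


def add_top_fan_fixed(path_page_id, form):
    """Resolves the caller from the token and requires admin rights on the page."""
    caller = TOKENS.get(form.get("access_token"))
    if caller is None:
        return Response(401, "invalid token")
    # Defensive: the object named in the path is the one we authorize against;
    # refuse a form page_id that disagrees so there is a single source of truth.
    if "page_id" in form and form["page_id"] != path_page_id:
        return Response(400, "page_id mismatch")
    # Object-level authorization: the caller must administer *this* page.
    if caller not in PAGE_ADMINS.get(path_page_id, set()):
        return Response(403, "not an admin of this page")
    TOP_FANS.setdefault(path_page_id, set()).add(form["user_id"])
    return Response(200, "added")
```

The key difference is that the fixed handler ties the decision to the specific page being modified, not just to whether a valid token was presented.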

Key Takeaways:

Conclusion:

The write-up highlights the susceptibility of even well-established platforms like Facebook to common vulnerabilities such as IDOR. It underscores the need for meticulous security practices in API design and the importance of collaborative security efforts through bounty programs. This case adds to the larger narrative of maintaining security hygiene in user-centric applications, especially social networks.

For detailed steps and insights, refer to the original Medium post here.