Intro To facebook Bug Bounty
fb.com/rajsek
Web developer from BNYMellonTech
/**
* @author Raja Sekar Durairaj
* @company BNY Mellon Technology Pvt Ltd
* @socialMedia fb.me/rajsek
* @topic-title Intro to FB Bug Bounty
*/
const meetup = new NullChennai();
const speaker = meetup.getSpeaker('Rajsek');
speaker.aboutSpeaker();
Hi... I am "Raja Sekar Durairaj"
Full stack developer "@BNY Mellon Tech Pvt Ltd".
Makes Facebook a safer place
Read a lot of things & write a few things on Medium
blog "https://medium.com/@rajsek"
speaker.getTitle();
"Intro to FB Bug Bounty 💰 💸"
Index
- Facebook WhiteHat Program
- Things I have reported
- Facebook Graph API
- Some Common Reports
- New Whitehat Settings (Solves Certificate Pinning for testing)
Facebook WhiteHat Program
- Bug bounties are programs that let security researchers submit potential flaws and vulnerabilities in a company's software.
- Facebook's program launched in 2011 and is one of the oldest and most mature in the industry.
Place To Report: https://www.facebook.com/whitehat
Products In-Scope: Facebook - Web, Facebook - iOS, Facebook - Android, Messenger, Instagram, WhatsApp, Oculus, Open Source (e.g. HHVM), Third Party Apps
Vulnerability Type: Access Token Disclosure, Account Takeover, Clickjacking, Code Execution, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), Database Injection, Denial-of-Service (DoS), Memory Corruption, Open Redirect, Privacy / Authorization, Rate Limiting, Server-Side Request Forgery (SSRF), Other
Things I reported
"Thanks to the Community Groups(Null Chennai) and Info security blogs."
Birth Year Disclosed
Full DoB
And a few more...
You can read them at http://medium.com/@rajsek
Facebook Graph API
- The Graph API is an interface utilising various calls through http://graph.facebook.com.
- The calls that we will use are either publicly accessible or need some form of authorisation via an access token.
- The access token is your key to the city, but each city has different keys.
- So get it right and be sure you know where you're at.
- Start by using a user access token. This can be used to make requests to the Facebook API on behalf of the user. Most of the time, this is all you need.
Text is extracted from this link
What it does:
Look for other domains
(m.facebook.com, free.facebook.com, beta.facebook.com, mbasic.facebook.com, intern.facebook.com, etc.)
Rate Limit Reports
Rate Limit
- Some time ago Anand Prakash found that rate limiting was missing on the forgot-password endpoints on beta.facebook.com and mbasic.beta.facebook.com (link)
- Arun Suresh Kumar, 21, of Kollam found a similar bug on another domain. (link)
IP Rotation
A similar Instagram account takeover used an IP-rotation attack on the password reset endpoint, so a limit keyed only on the source IP was not enough. (link)
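The two reports above share one root cause: the reset endpoint counted nothing, or counted only per source IP. The added example below (my own illustration, not Facebook's code or the researchers') is a fixed-window limiter that counts per IP and per target account, so rotating IPs does not reset the per-account budget; the limits, names and IPs are assumed.

```javascript
// Added example: fixed-window rate limiter for a password-reset endpoint.
// Counts both per source IP and per target account; the assumed limits
// below are illustrative, not Facebook's real values.
const LIMITS = {
  ip:      { max: 20, windowMs: 60 * 60 * 1000 }, // 20 attempts per IP per hour
  account: { max: 5,  windowMs: 60 * 60 * 1000 }, // 5 attempts per account per hour
};

// In-memory store: Map<"ip:..." | "account:...", { count, windowStart }>.
function createLimiter() {
  return { counters: new Map() };
}

// Increment one counter; returns true while the window budget is not exceeded.
function bump(limiter, key, limit, now) {
  let entry = limiter.counters.get(key);
  if (!entry || now - entry.windowStart >= limit.windowMs) {
    entry = { count: 0, windowStart: now }; // start a fresh window
    limiter.counters.set(key, entry);
  }
  entry.count += 1;
  return entry.count <= limit.max;
}

// Both dimensions are always bumped, so an attacker who rotates IPs still
// burns the per-account budget. `reason` is for server-side logging only;
// the HTTP response should look identical to the client either way.
function checkResetAttempt(limiter, { ip, account, now = Date.now() }) {
  const ipOk = bump(limiter, `ip:${ip}`, LIMITS.ip, now);
  const accountOk = bump(limiter, `account:${account.toLowerCase()}`, LIMITS.account, now);
  if (ipOk && accountOk) return { allowed: true, reason: null };
  return { allowed: false, reason: accountOk ? 'ip' : 'account' };
}

// Constructed scenario: `count` reset requests for one account, each from a
// different IP in the documentation range 203.0.113.0/24, one second apart.
function simulateRotatingIps(count = 6) {
  const limiter = createLimiter();
  const t0 = 1700000000000;
  const results = [];
  for (let i = 0; i < count; i++) {
    results.push(checkResetAttempt(limiter, {
      ip: `203.0.113.${i}`, account: 'victim', now: t0 + i * 1000,
    }));
  }
  return results;
}
```

Detection follows from the same counters: a spike in the `account` reason across many distinct IPs for one account is the signature of the rotation attack, and is worth alerting on even when every request is individually blocked.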
What it does:
FB Business Manager Portal
FB Developer Portal
Internal API(mobile,Web)
graph.facebook.com/graphql
Internal API(mobile API's)
- Certificate pinning normally protects traffic that originates from Facebook mobile apps against sniffing.
- But according to Facebook, when security researchers turn on the "Whitehat Settings" option, Facebook will intentionally break its certificate pinning mechanism for that account,
- so the researcher can intercept, sniff, and analyze the traffic that originates from within the app. (link)
- https://www.facebook.com/whitehat/researcher-settings
New Whitehat Settings