Intro To facebook Bug Bounty

fb.com/rajsek

Web developer from BNYMellonTech

Title Text

/**
 * @author Raja Sekar Durairaj
 * @company BNY Mellon Technology Pvt Ltd 
 * @socialMedia fb.me/rajsek
 * @topic-title Intro to FB Bug Bounty
 */
const meetup = new NullChennai();

const speaker = meetup.getSpeaker('Rajsek');

speaker.aboutSpeaker();

    Hi... i am "Raja Sekar Durairaj"
    Full stack developer "@BNY Mellon Tech Pvt Ltd".
    Makes Facebook a safer place
    Read lot of things & write few thigns in medium 
    blog "https://medium.com/@rajsek"

speaker.getTitle();
    "Intro to FB Bug Bounty 💰 💸"

    

Index

  • Facebook WhiteHat Program
  • Things i have reproted
  • Facebook Graph API
  • Some Common Reports
  • New Whitehat Settings (Solves Certificate Pinning for testing)

Facebook WhiteHat Program

- Bug bounties are programs that let security researchers submit potential flaws and vulnerabilities in a company's software.
- ​It launched in 2011, is one of the oldest and most mature in the industry.

 

Place To Report : https://www.facebook.com/whitehat

Products In-Scope : Facebook - Web, Facebook - iOS, Facebook - Android, Messenger,  Instagram, WhatsApp, Oculus ,Open Source (e.g. HHVM)Third Party Apps

Valnerability Type  : Access Token Disclosure, Account Takeover, Clickjacking, Code Execution, Cross-Site Request Forgery (CSRF), Cross-Site Scripting (XSS), Database Injection, Denial-of-Service (DoS), Memory Corruption, Open Redirect, Privacy / Authorization, Rate Limiting, Server-Side Request Forgery (SSRF), Other

Things I reported

"Thanks to the Community Groups(Null Chennai) and Info security blogs."

Birth Year Disclosed

Birth Year Disclosed

Full DoB

 

Full DoB

 

And Few more...

you can read it at http://medium.com/@rajsek

Facebook Graph API

Facebook Graph API

 

  • The Graph API is an interface utilising various calls through http://graph.facebook.com.
  • The calls that we will use are either publicly accessible or need some form of authorisation via an access token.
  • The access token is your key to city, but each city has different keys.
  • So get it right and be sure you know where you at.
  • Start by using a user access token . This can be used to make requests to the - Facebook API on behalf of the user. Most of the time, this is all you need

 

 

 

Text are extracted from this link

What it does:

Look for other Domains

(m.facebook.com, free.facebook.com, bete.faceook.com, mbasic.com, intern.facebook.com and etc)

Rate Limit Reports

Rate Limit

  • Some Time before Anand Prakesh looked out for the rate limiting was missing on forgot password endpoints on beta.facebook.com and mbasic.beta.facebook.com (link)

  • Arun Suresh Kumar, 21, of Kollam Found similar bug in other domain. (link)

IP Rotation

 

Similar instgram account take over using IP rotate attak on password rest (link)

 

 

 

What it does:

FB Business Manager Portal

business.facebook.com

FB Developer Portal

business.facebook.com

Internal API(mobile,Web)

graph.facebook.com/graphql

Internal API(mobile API's)

  • Certificate Pinning normally protects traffic that originates from Facebook mobile apps against sniffing operations.
  • But according to Facebook, when security researchers turn on the "Whitehat Settings" option, Facebook will intentionally break its Certificate Pinning mechanism for that account,
  • so the researcher can intercept, sniff, and analyze the traffic that originates from within.The calls that we will use are either publicly accessible or need some form of authorisation via an access token. (link)
  • https://www.facebook.com/whitehat/researcher-settings

 

 

Internal API(mobile API's)

New Whitehat Settings
Made with Slides.com