I tried to report two issues to Facebook over the years. Neither was major, but they were both issues in my opinion. That said, they didn’t really hurt anyone that I could tell, so when they denied that they were issues I just let it sit. But now I want to document them so that others can learn from their mistakes if they so choose.

The first issue was found back in 2013ish. It was a simple captcha bypass that I discovered by accident. I was spamming my fraternity's internal Facebook page because I was bored one night, and someone asked how I got past the spam prevention. It turns out that I had inadvertently bypassed the spam prevention: the way it worked was that once you hit a limit, it asked you to fill out a captcha when you submitted a post. Since I was sending a POST request without the captcha field, the request was being processed by the non-captcha-protected endpoint.

So as you can see, the server would say, “show a captcha” and the client would comply, but the server would not enforce it.
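The pattern above, as an added example that is neither Facebook's code nor from the original post: a handler that picks its code path from whether the client sent a captcha field, beside a hardened one that decides from server-side state. The post limit, field names and captcha check are constructed stand-ins.

```python
from dataclasses import dataclass, field

POST_LIMIT = 3              # posts allowed before a captcha is demanded (assumed value)
VALID_CAPTCHA = "correct"   # stand-in for real captcha verification (assumed)

@dataclass
class Session:
    """Server-side per-user state; the rate limit must be judged from here."""
    posts: int = 0
    accepted: list = field(default_factory=list)

def verify_captcha(answer):
    return answer == VALID_CAPTCHA

def handle_post_vulnerable(session, form):
    """Picks the code path from which fields the client sent: a request
    that omits the captcha field lands on the unprotected path, which
    stores the post and merely *asks* the client to show a captcha."""
    if "captcha" in form:                       # captcha-protected path
        if not verify_captcha(form["captcha"]):
            return {"status": 400, "error": "bad captcha"}
        session.posts = 0
    session.posts += 1                          # unprotected path: always stores
    session.accepted.append(form["body"])
    return {"status": 200, "show_captcha": session.posts > POST_LIMIT}

def handle_post_hardened(session, form):
    """Decides from server-side state, not from the shape of the request:
    past the limit, no post is stored without a verified captcha."""
    if session.posts >= POST_LIMIT:
        if "captcha" not in form:
            return {"status": 403, "error": "captcha required"}
        if not verify_captcha(form["captcha"]):
            return {"status": 400, "error": "bad captcha"}
        session.posts = 0                       # solved captcha reopens the window
    session.posts += 1
    session.accepted.append(form["body"])
    return {"status": 200}

def spam_without_captcha(handler, n):
    """Submit n posts that omit the captcha field; return how many were stored."""
    session = Session()
    for i in range(n):
        handler(session, {"body": f"spam {i}"})
    return len(session.accepted)
```

With the vulnerable handler every one of the posts is stored; with the hardened one only POST_LIMIT go through until a captcha is actually solved.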

The second issue was a bit more complex. It was reported some time in 2015, I would guess. It was a client-side search request that used a flaw in Chrome to measure the size of HTTP GET responses and used that to determine whether the search had any results. By narrowing the search down with specific queries, you can determine a user's friends as a drive-by attack.

Imagine a CSRF, except that instead of coercing the user's browser to perform an action on a target website, the attacker coerces the user's browser to disclose information from the target website.

There are a few ways to determine the length of a response; my favorite is a bug/feature in Chrome that lets you determine the size of a cached response. By abusing this you can tell whether a search returned more or fewer results. As such you can go through the alphabet and determine the names in someone's friend list on Facebook, even if they keep their friends list completely private, because you are having them do the search. See below for an example:

  • https://m.facebook.com/search/people/?q=a&filters_friends=%7B"name"%3A"users_friends"%2C"args"%3A""%7D&em=1&source=did_you_mean&original_query=testyaa (small response)
  • https://m.facebook.com/search/people/?q=b&filters_friends=%7B"name"%3A"users_friends"%2C"args"%3A""%7D&em=1&source=did_you_mean&original_query=testyaa (small response)
  • https://m.facebook.com/search/people/?q=c&filters_friends=%7B"name"%3A"users_friends"%2C"args"%3A""%7D&em=1&source=did_you_mean&original_query=testyaa (larger response)
  • https://m.facebook.com/search/people/?q=ca&filters_friends=%7B"name"%3A"users_friends"%2C"args"%3A""%7D&em=1&source=did_you_mean&original_query=testyaa (small response)
  • https://m.facebook.com/search/people/?q=cb&filters_friends=%7B"name"%3A"users_friends"%2C"args"%3A""%7D&em=1&source=did_you_mean&original_query=testyaa (small response)
  • https://m.facebook.com/search/people/?q=co&filters_friends=%7B"name"%3A"users_friends"%2C"args"%3A""%7D&em=1&source=did_you_mean&original_query=testyaa (larger response)

Keep repeating that until you find that they have a friend with the first name coldwater, then add a %20 and start again, and you will find they have a friend with the name coldwater q.

I use the mobile site because it has fewer sidebars and other things. That way the content sizes are more static, and less sampling is required.

I never got the POC working perfectly, and so I don't think the Facebook rep ever understood this issue, but since it is probably easier to social engineer your way onto someone's friends list and view it that way, I wasn't too concerned with trying to get it resolved.