Wednesday, 2 March 2016

Hacking Facebook Polls: Access Control Vulnerability

Hacking Facebook Polls - Poll Access Control Vulnerability: Dead Pool Version




Hello All,

Its been very long time that i am not in bug bounty things due to some reasons.Today we will see how i was able to do Hacking Facebook Polls.While surfing facebook groups, There is an module called "Polls" who got my attention. Using this module "Polls" admin/group members can create polls to get group members re-actions.

Basically the vulnerability is about "Access Control"  in facebook polls, There are two controls which facebook offers and one of them is "Allow anyone to add options". If poll creator has disabled this option then users cant add more options to the poll, Even admin cant & if it is not disabled then any group member can add more options to the poll.





Analysis Part



I created two polls......
First polls have  enabled the "Allow anyone to add options",As you can see below there is an another blank text box with value of "Add an option" . In this blank text box user can enter another options value.




Second poll have disabled the "Allow anyone to add options". As you can see that there is no  extra blank text box, which mean user cant add another options to this poll.




Now group members can add more  options to first poll & they cant add more options to second poll. :), But user can submit their votes.

Now the voting request and adding new poll request both are the access control for the poll logic.Here is the chance that user who can perform vote request can also able to perform adding new poll request even if "Allow anyone to add options" is disabled.

Now as every ones know, When we talk about the escalation/access-control/authorization then we always look for differences in request for different roles,authorization & controls.


Here is the request comparison of poll voting and adding new poll optoion request

Left- Voting Request, Right - Adding New Option Request

(Click To Enlarge Image)






By looking at both request we can say that there is only 2 main difference, First  is the URI Location.

Voting URI - /ajax/questions/eigenpolls/vote.php

Add New Option URI - /ajax/questions/add_option.php





Second difference, there are some additional parameters in add new option request like
"option_id=&option_text=New%20Option%20Value"



Hacking Facebook Polls[/caption]
********************

Application failed to check the access-control/authorization for Add new option URI request, Which allow an attacker to add more options to any poll which have disabled the "Allow anyone to add options"

After this observation, It took 5 minutes for me to replaced the value accordingly to the add new poll request.

I replaced the voting poll request with adding new poll request, and added some additional parameters as per the add new poll request required and BOOM ! New Option Added To Poll...

POC Video


Timeline:

Reported to facebook - 12 Feb 2016

Facebook confirm the issue : 17 Feb 2016

Facebook intimate the fix : 27 Feb 2016

Issue found open : 27 Feb 2016

Facebook confirm the fix : March 4 2016

Issue closed confirmation : March 5 2016

Bounty rewarded $500 : March 12 2016 (Not happy with the assigned amount,lower then expected :-( )



No comments:

Post a Comment