Facebook Bug Bounty: Hijacking Facebook users due to a broken link in the Facebook Shop feature of the iOS Facebook app

Hello Readers,

I am Sndp Giri, a Cyber Security student at the University of Tasmania. I am excited to share my first valid bug finding on Facebook. In this short write-up, I will share how I approached this bug, the mistakes I made, and what I learned overall.

The first question that came to my mind was about the Facebook username endpoint, www.facebook.com/username. I started thinking: what if I could change my username to something that is the actual URL path of an existing Facebook service or feature, for example www.business.facebook.com/overview, so that my profile would live at www.facebook.com/overview? I manually tried a few URL pathnames that I came across while browsing Facebook features. When I tried the username ‘overview’, Facebook accepted it, and my profile address became www.facebook.com/overview. Now the idea was to find any service that mistakenly pointed to facebook.com/overview instead of the correct path, www.business.facebook.com/overview. I blindly created a Facebook post with the URL www.business.facebook.com/overview, and then something weird happened: when I hovered over the link, Facebook displayed my profile. I realized that Facebook, for some reason, trims the subdomain part and treats the URL www.business.facebook.com/overview as www.facebook.com/overview. See the image below.

Fig1: Hovering over the URL business.facebook.com/overview displays the profile.

I started thinking: could this be a bug? I hopped into some marketing groups and searched for posts containing the URL business.facebook.com/overview. I could see that all their posts had changed and now showed my profile on hover. When I used the URL business.facebook.com/overview in chat, people were redirected to my profile instead of the correct path. OK, I thought, let's report it. Unfortunately, Facebook replied:

Facebook Reply to my first report

OK! I wasn’t done yet. I started thinking: could there be some feature in Facebook whose pathname I could take over as my Facebook username? Instead of me posting the URL on Facebook, which would be considered a social engineering attack, Facebook itself would be using that link, so people would land on my profile when clicking a Facebook feature such as a button or hyperlink.

I found that Facebook allowed me to register the username ‘graphql’, so I changed my username to graphql.

I didn’t do anything that day. The next day I got a message request from a Facebook user. She was angry and asked me not to hack her Facebook page. I was like, what?! I didn’t understand what she was saying, so I asked for an explanation. She told me that when she clicked the Shop button on her Facebook page, she was redirected to my profile. At that moment, I was full of joy!

I was 90% sure that the request was made to www.facebook.com/graphql, which was my Facebook profile, instead of some API endpoint like graph.facebook.com/graphql/…, but since I didn’t know how to intercept a request from the iPhone Facebook app, I wasn’t 100% sure. Doing some research, I found that it only worked for Facebook pages with an unverified shop, and only in the mobile Facebook app. All the verified shops pointed to the correct shop endpoints for the respective shop owners, whereas the non-verified shops pointed to http://facebook.com/graphql, which was my profile.

Fig3: All users who click the Shop button on a non-verified Facebook page are redirected to my profile.

I quickly reported the issue to Facebook, explaining that I could hijack every user who clicked the Shop button on a Facebook page, as they were redirected to my profile.

Sadly, Facebook replied:

The reason was that I wasn’t specific enough about the reproduction steps, even though I had demonstrated the issue in a video. What I missed was mentioning the device used: I had selected Facebook Web from the category they prompt you for at the beginning when submitting the report. (Mistakes happen when your heart is racing and all you can think about is reporting as soon as possible.)

This conversation went on for a week. I replied to them with a video again, still not realizing that I hadn’t been specific about which device I used. One day the bug wasn’t reproducible and I lost hope, thinking some Facebook page owner had reported the issue and it had been fixed. The next day, I could reproduce it again. Later, I realized I needed to mention the device used. I sent an apology message and asked them to reproduce it again, this time using an iPhone. The next day the bug was triaged.

Thanks to Bishal Shrestha for helping me with reproducing the bug on his side and motivating me through the process.

After the issue was triaged, I started investigating what was actually happening. I tried to set up Burp Suite, watching a few tutorials on intercepting the Facebook app's traffic, but still failed. So I wasn’t 100% sure which request the app was making when a user clicked the Shop hyperlink in the page post that landed them on my profile. Given what I explained above, Facebook must have been treating some API endpoint URL with the pathname …/graphql as facebook.com/graphql.

One day I tried reproducing it from Facebook Lite. Making the same request, the Lite version of Facebook redirected me to the browser, and I copied the URL.

The URL was: https://www.graph.facebook.com/graphql.

So my theory turned out to be 100% true: Facebook was treating this link as facebook.com/graphql, just as in my first demonstration.
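Both collisions in this write-up (business.facebook.com/overview and graph.facebook.com/graphql resolving to a profile) come down to a link resolver that drops the subdomain before matching the first path segment against usernames. The following is an added model of that behaviour next to a hardened version, written for this post and not Facebook's code; the host list, the reserved-name list and the sample URLs are assumptions.

```python
"""Model of the subdomain-trimming link resolver described in the post.

Added illustration, not Facebook's code. PROFILE_HOSTS, RESERVED_USERNAMES
and the constructed URLs are assumptions chosen to mirror the write-up.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Constructed: the only hosts that may ever resolve to a user profile.
PROFILE_HOSTS = {"facebook.com", "www.facebook.com"}

# Constructed: path segments that are routes on some *.facebook.com host
# and therefore must never be registrable as usernames.
RESERVED_USERNAMES = {"overview", "graphql"}


def first_segment(url: str) -> tuple[str, str]:
    """Return (lower-cased hostname, first path segment) of a URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    return host, parts.path.strip("/").split("/", 1)[0]


def resolve_naive(url: str, usernames: set[str]) -> str | None:
    """The behaviour the post observed: anything ending in facebook.com is
    treated as www.facebook.com, so /overview on business.facebook.com
    becomes whoever registered the username 'overview'."""
    host, segment = first_segment(url)
    if not host.endswith("facebook.com"):
        return None
    return f"profile:{segment}" if segment in usernames else None


def resolve_hardened(url: str, usernames: set[str]) -> str | None:
    """Only exact profile hosts resolve to profiles; every other subdomain
    keeps its own routing (represented here by the untouched host + path)."""
    host, segment = first_segment(url)
    if host in PROFILE_HOSTS:
        return f"profile:{segment}" if segment in usernames else None
    if host.endswith(".facebook.com"):
        return f"route:{host}{urlsplit(url).path}"
    return None


def can_register(username: str) -> bool:
    """Registration-time check: refuse names that collide with known routes."""
    return username.lower() not in RESERVED_USERNAMES


if __name__ == "__main__":
    taken = {"overview", "graphql"}  # constructed: the usernames from the post
    for u in ("https://www.business.facebook.com/overview",
              "https://www.graph.facebook.com/graphql"):
        print(u, "->", resolve_naive(u, taken), "|", resolve_hardened(u, taken))
```

The second fix matters on its own: even with host-aware routing, a username that equals a reserved route name should be refused at registration time, so the two checks are meant to be deployed together.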

A few days later, Facebook thanked me with a $500 bounty.

Thanks for reading!

Happy Learning :)