This post is about an bug that i found on Facebook which could have been used to confirm any new Email/Mobile Number. The Source idea for this bug i got from josipfranjkovic race condition blog post.
When i was testing in account registration and confirmation flow. i tried to brute force the 5digit OTP code. but after several attempts server blocked me.so i tried to test with different scenario like in the above blog.
i started to change randomly my email and the testing email address. and also tried with different browser when i checked my email noticed that Getting back to Facebook mail but the 5digit code is same as in my testing email address. but i don’t know how it happened.
so once again i tried all the steps i done and finally found the reproduction method. then tested the bug with both of the Email and Mobile Number it worked perfect.
- Create a new account with “attacker email” that you can access (ex:email@example.com)
2. Go to setting and change the email to “victim email” that you can not access (ex: firstname.lastname@example.org)
3. Open another browser and try to login as “attacker email” with incorrect password.
4. Now check the attacker email “Getting back to Facebook” email will be received.
5. The 5 digit code in the link was “victim’s email” confirmation code
6. Just enter the code and the “victims email” was confirmed.
3-August-2016 : Report Sent
10-August-2016 : Facebook response that not able to reproduce the issue
10-August-2016 : Additional details provided by me
10-August-2016 : Further investigation & Fixed by Facebook
18-August-2016 : $5000 bounty awarded by Facebook