Confirming any new Email/Mobile Number bug in Facebook (Part-1)

This post is about a bug I found on Facebook that could have been used to confirm any new email address or mobile number. The idea for this bug came from josipfranjkovic's race condition blog post.

While testing the account registration and confirmation flow, I tried to brute-force the 5-digit OTP code, but after several attempts the server blocked me, so I tried different scenarios like the ones in the blog post above.

I started randomly changing my email and the testing email address, and also tried with a different browser. When I checked my email I noticed a "Getting back to Facebook" mail, but the 5-digit code in it was the same as the one sent to my testing email address. At that point I didn't know how that had happened.

So I repeated all the steps I had done and finally found the reproduction method. I then tested the bug with both an email address and a mobile number, and it worked perfectly.

Steps:

1. Create a new account with an "attacker email" that you can access (ex: alpha@gmail.com).

2. Go to settings and change the email to a "victim email" that you cannot access (ex: beta@gmail.com).

3. Open another browser and try to log in as the "attacker email" with an incorrect password.

4. Now check the attacker email: a "Getting back to Facebook" email will have been received.

5. The 5-digit code in the link was the "victim email" confirmation code.

6. Just enter the code and the "victim email" was confirmed.
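To make the root cause concrete, here is an added example (my own constructed model, not Facebook's code) of a verification-code store that hands out one per-account code to every flow, beside a hardened version that binds each code to its purpose and to the identifier it confirms. Account names, the `gen` hook and the flow names are assumptions for illustration.

```python
"""Constructed model of the flaw described above: the login-recovery mail
sent to the old address carries the same code that confirms the pending
new address. The hardened variant keys codes by (purpose, identifier)."""
import secrets
from dataclasses import dataclass, field
from typing import Optional

def new_code() -> str:
    """Random 5-digit code, like the ones in the post."""
    return f"{secrets.randbelow(100_000):05d}"

@dataclass
class Account:
    email: str                                  # confirmed contact address
    pending_email: Optional[str] = None         # new address awaiting confirmation
    account_code: Optional[str] = None          # vulnerable: one code per account
    codes: dict = field(default_factory=dict)   # hardened: (purpose, target) -> code

# --- vulnerable model: a single per-account code shared by every flow ---
def vuln_request_email_change(acct, new_email, gen=new_code):
    acct.pending_email = new_email
    acct.account_code = acct.account_code or gen()
    return new_email, acct.account_code         # confirmation mail to the new address

def vuln_failed_login_recovery(acct, gen=new_code):
    # "Getting back to Facebook" mail goes to the old, confirmed address ...
    acct.account_code = acct.account_code or gen()
    return acct.email, acct.account_code        # ... but carries the very same code

def vuln_confirm_email(acct, code):
    if acct.pending_email and code == acct.account_code:
        acct.email, acct.pending_email = acct.pending_email, None
        return True
    return False

# --- hardened model: code bound to (purpose, identifier), delivered only there ---
def safe_request_email_change(acct, new_email, gen=new_code):
    acct.pending_email = new_email
    acct.codes[("confirm_email", new_email)] = gen()
    return new_email, acct.codes[("confirm_email", new_email)]

def safe_failed_login_recovery(acct, gen=new_code):
    acct.codes[("recovery", acct.email)] = gen()    # separate code, separate purpose
    return acct.email, acct.codes[("recovery", acct.email)]

def safe_confirm_email(acct, code):
    key = ("confirm_email", acct.pending_email)     # only this purpose/target counts
    if acct.pending_email and secrets.compare_digest(acct.codes.get(key, ""), code):
        acct.codes.pop(key)                         # single use
        acct.email, acct.pending_email = acct.pending_email, None
        return True
    return False
```

The hardened store also illustrates the detection angle: a confirmation attempt whose code matches a code issued for a different purpose or target is something a server can log and alert on.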

Video POC:

Timeline:

3-August-2016 : Report Sent

10-August-2016 : Facebook response that not able to reproduce the issue

10-August-2016 : Additional details provided by me

10-August-2016 : Further investigation & Fixed by Facebook

18-August-2016 : $5000 bounty awarded by Facebook
