Contact Point Deanonymization Vulnerability in Meta
This post is about a bug that I found in Meta (aka Facebook) which could be used to find the primary email address linked to an account using only its mobile number.
When Meta announced the Contact Point Deanonymization payout guidelines, I started searching for bugs in that area. While testing the password reset flow I passed the victim's mobile number as input, and the response contained the plain mobile number together with the masked email address of that account.
So I started digging deeper to see whether there was any way to unmask the victim's email address. During recon I found a Workplace page on work.facebook.com; Meta had migrated all work accounts to www.workplace.com, so I looked more closely at that subdomain.
On www.facebook.com a password can be reset using an email address or a mobile number, but work.facebook.com only accepts an email address or username, so no mobile number password reset option is supported for work accounts.
So I tried passing a valid Meta account's mobile number on the work domain, but it was not accepted. In the request headers, however, I noticed that it used the same Meta (Facebook) account cookies. So I simply passed the mobile number in the main domain's password reset flow and then came back to the work domain's OTP entry endpoint to check whether it supported mobile number password reset. Unexpectedly, it showed only the email address to reset the account, and that email address was unmasked.
Reproduction Steps:
1. Go to https://www.facebook.com/login/identify/ and search for any valid mobile number that has an email address linked to its account.
2. Open a new tab and go to https://work.facebook.com/recover/code . The linked email address of the account is disclosed.
Impact:
- An attacker can easily OSINT the victim's email address, i.e. go from a mobile number to an email address
- The password reset endpoint does not require any active session, so an attacker can easily automate this workflow and scrape the data in bulk by rotating random mobile numbers with IP rotation
Fix:
- Only a masked email address is returned on the password reset page on all Facebook and Workplace domains
- Only work account OTPs are validated on work.facebook.com
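The two fixes above describe a general pattern for any multi-property password reset flow: contact points are only ever rendered masked, and recovery state started on one property is not honoured by another. The following is an added example that models that pattern; it is not Meta's code, and the account data, the `consumer`/`work` origin names and the masking format are assumptions constructed for the illustration.

```python
"""Added example (not Meta's code): a minimal password-reset identify/code flow
that (1) only ever returns masked contact points and (2) scopes each recovery
session to the property that created it, so a session started on the consumer
site cannot be replayed against the work property's code page."""
from __future__ import annotations

import secrets
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    # "consumer" for the main site, "work" for the work property (assumed names)
    account_type: str
    email: str
    phone: str | None = None


# Constructed sample accounts, not real data.
ACCOUNTS = [
    Account("consumer", "alice@example.com", "+1 415 555 0199"),
    Account("work", "bob@example.org"),
]


def mask_email(addr: str) -> str:
    """Keep one leading character of the local part and of the domain.
    The star run has a fixed length so the mask does not leak real lengths."""
    local, sep, domain = addr.rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError("not an email address")
    domain_name, _, tld = domain.rpartition(".")
    return f"{local[0]}****@{domain_name[0]}****.{tld}"


def mask_phone(number: str) -> str:
    """Expose only the last two digits, again behind a fixed-length star run."""
    digits = _digits(number)
    if len(digits) < 4:
        raise ValueError("not a phone number")
    return "*" * 8 + digits[-2:]


def _digits(s: str) -> str:
    return "".join(ch for ch in s if ch.isdigit())


def _find_account(contact_point: str) -> Account | None:
    norm = contact_point.strip().lower()
    wanted = _digits(norm)
    for acct in ACCOUNTS:
        if acct.email.lower() == norm:
            return acct
        if acct.phone and wanted and _digits(acct.phone) == wanted:
            return acct
    return None


class RecoveryFlow:
    """Server-side state shared by the identify page and the code page."""

    def __init__(self) -> None:
        # token -> (origin property, account)
        self._sessions: dict[str, tuple[str, Account]] = {}

    def identify(self, origin: str, contact_point: str):
        """Start a recovery session. Phone lookup is offered only on the consumer
        property; a work origin answers phone input exactly like an unknown
        contact point, so it cannot be used as an oracle."""
        if origin == "work" and "@" not in contact_point:
            return None
        acct = _find_account(contact_point)
        if acct is None or acct.account_type != origin:
            return None
        token = secrets.token_urlsafe(16)
        self._sessions[token] = (origin, acct)
        return token, self._contact_points(acct)

    def code_page(self, origin: str, token: str):
        """Render the OTP entry page. A session created on another property is
        refused outright; when it is honoured, contact points are still masked."""
        entry = self._sessions.get(token)
        if entry is None or entry[0] != origin:
            return None
        return self._contact_points(entry[1])

    @staticmethod
    def _contact_points(acct: Account) -> dict[str, str]:
        points = {"email": mask_email(acct.email)}
        if acct.phone:
            points["phone"] = mask_phone(acct.phone)
        return points


if __name__ == "__main__":
    flow = RecoveryFlow()
    token, shown = flow.identify("consumer", "+1 (415) 555-0199")
    print("consumer identify:", shown)
    print("work code page with consumer session:", flow.code_page("work", token))
```

The cross-property check lives in `code_page`, not only in `identify`: the original bug was precisely that the second page trusted state the first page of a different property had created, so the page that renders the contact point must re-check the session's origin itself.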
Timeline:
03-Jan-2022: Bug found and reported
04-Jan-2022: Further investigation by Meta
25-Jan-2022: Fix confirmed by Meta and me
21-Feb-2022: $12,000 bounty awarded by Facebook (with bonus)