Disable Any Unconfirmed Account in Facebook

This post is about an bug that i found on Facebook which used to Disable any new unconfirmed account in Facebook by using IP Rotation brute force attack. this post is bypass of this write-up → pagefault.me

Image for post
Image for post

In Facebook if a user Sign-up a new account. 5 digit Verification code will be send to that corresponding email. but for security reasons victim has a option to disable that Verification code.because attacker can also try to create a new account on behalf victims email.

Vulnerable Endpoint:

https://m.facebook.com/confirmemail.php?e=victim@mail.com@&c=15579&report=1&message=1

But the Rate limit was implemented in this Endpoint. after some certain attempts of brute forcing the 5 digit verification code i got Temporary blocked

In previous write-up pagefault.me the fix was made in 2014. so i guessed the fix would be in IP Based Blocking. so i change my IP address and made the request again . as expected no blocking occurred in new IP address.

But to make the attack easier i need to rotate my IP address for each request in brute force attack. so i search in google for a solution and came to know about IP Rotation Services to bypass IP Blocking. I have made separate write-up on How to Rotate IP ADDRESS in Brute Force Attack

After configuring IP rotation Services. i can able to brute force the 5 digit Verification code without getting blocked.

Image for post
Image for post

Video POC:

Impacts:

  1. If the victims email got disabled he cannot create new Facebook account in future. because the email will get blacklisted on Facebook account creation.
  2. If attacker know the unconfirmed email. he can brute force the code and disable that account without owners interaction.

Timeline:

30-June-2019 : Report Sent

03-July-2019 : Further investigation by Facebook

23-Aug-2019: Fixed confirmed by Facebook and me

23-Aug-2019 : $1000 bounty awarded by Facebook

Image for post
Image for post

Web Security Researcher

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store