Disable Any Unconfirmed Account in Facebook
This post is about a bug I found on Facebook that could be used to disable any new, unconfirmed Facebook account by brute-forcing the confirmation code behind an IP-rotation service. It is a bypass of the fix described in this earlier write-up → pagefault.me
When a user signs up for a new Facebook account, a 5-digit verification code is sent to the email address they entered. For security reasons, the owner of that email address also has the option to reject the verification, because an attacker could try to create an account using the victim's email address.
Vulnerable Endpoint:
https://m.facebook.com/confirmemail.php?e=victim@mail.com@&c=15579&report=1&message=1
A rate limit was implemented on this endpoint: after a certain number of attempts at brute-forcing the 5-digit verification code, I got temporarily blocked.
In the previous write-up (pagefault.me) the fix was made in 2014, so I guessed the fix was IP-based blocking. I changed my IP address and made the request again, and, as expected, no blocking occurred from the new IP address.
To make the attack practical I needed to rotate my IP address for every request of the brute-force attack, so I searched Google for a solution and came across IP rotation services for bypassing IP blocking. I have written a separate write-up on How to Rotate IP ADDRESS in Brute Force Attack.
After configuring the IP rotation service, I was able to brute-force the 5-digit verification code without getting blocked.
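As an added illustration of the defensive point behind this finding (my own simplified model of a confirmation endpoint, not Facebook's code; the class, function and address values are assumed), the block below compares a limiter keyed on the source IP with one keyed on the pending confirmation itself. With the per-IP limiter, a fresh address for every request means no request is ever blocked; with the per-target limiter, the code is invalidated after a handful of failures no matter how many addresses the guesses come from.

```python
import hmac
import secrets
from collections import defaultdict

CODE_DIGITS = 5
MAX_FAILED_ATTEMPTS = 5  # small, because a 5-digit code has only 100,000 values


class ConfirmationService:
    """Assumed, simplified model of an email-confirmation endpoint.

    limit_by="ip"     -> counts failures per source address (defeated by rotating IPs)
    limit_by="target" -> counts failures per pending confirmation (the email address)
                         and invalidates the code once the limit is reached
    """

    def __init__(self, limit_by="target"):
        self.limit_by = limit_by
        self.pending = {}                 # email -> outstanding code
        self.failures = defaultdict(int)  # counter key -> failed attempts

    def issue_code(self, email):
        """Generate and store a fresh zero-padded 5-digit code for this email."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self.pending[email] = code
        self.failures.pop(email, None)
        return code

    def confirm(self, email, code, source_ip):
        """Return 'ok', 'invalid', 'blocked' or 'expired'."""
        if email not in self.pending:
            return "expired"
        key = source_ip if self.limit_by == "ip" else email
        if self.failures[key] >= MAX_FAILED_ATTEMPTS:
            return "blocked"
        if hmac.compare_digest(self.pending[email], code):
            del self.pending[email]
            return "ok"
        self.failures[key] += 1
        if self.limit_by == "target" and self.failures[key] >= MAX_FAILED_ATTEMPTS:
            # Burn the code: further guesses, from any IP, can no longer succeed.
            del self.pending[email]
        return "invalid"


def guesses_evaluated(service, email, n_attempts):
    """Constructed regression test for the limiter: send n_attempts wrong guesses,
    each from a different source address (constructed TEST-NET-3 values, which is
    what an IP-rotation service would produce), and return how many guesses the
    service actually compared against the stored code."""
    evaluated = 0
    for i in range(n_attempts):
        ip = f"203.0.113.{i % 254 + 1}"
        # Letters can never equal a numeric code, so this guess is always wrong.
        if service.confirm(email, "xxxxx", ip) in ("ok", "invalid"):
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    email = "victim@example.com"  # constructed
    for mode in ("ip", "target"):
        svc = ConfirmationService(limit_by=mode)
        svc.issue_code(email)
        print(f"limit_by={mode}: {guesses_evaluated(svc, email, 100)} of 100 guesses evaluated")
```

Keying the counter on the confirmation being attacked, rather than on the client, is the property that matters here: the attacker controls the source address, but not which pending confirmation the guesses are aimed at. A production version would add expiry and a time window to the counter, but those do not change the comparison above.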
Video POC:
Impacts:
- If the victim's email address gets disabled, they cannot create a new Facebook account with it in the future, because the address is blacklisted at account creation.
- If the attacker knows the unconfirmed email address, he can brute-force the code and disable that account without any interaction from the owner.
Timeline:
30-June-2019 : Report sent
03-July-2019 : Further investigation by Facebook
23-Aug-2019 : Fix confirmed by Facebook and me
23-Aug-2019 : $1000 bounty awarded by Facebook