Recently, Facebook issued a bounty of $5000 lastweek to bug hunter Tommy DeVass, a software developer from Virginia, for discovering a vulnerability which allowed an attacker to view the registered email address of any user.
DeVoss said that he was able to harvest the email addresses of the user accounts without letting the victim know about it, irrespective of the victim keeping their email addresses private. Post multiple communication mails, Facebook confirmed the discovery to be a vulnerability and claimed to award $5000.
The bug was discovered in the user-generated Facebook Groups module which allows a user to create an affinity group on Facebook. DeVoss discovered that an administrator of a Facebook Group could invite any Facebook member via Facebook’s system to have Admin Roles to perform functions such as edit post, add new members, etc.
The invitations created by the admin were sent to the invited recipient's Facebook Inbox messages and their email address associated with their account. Even if the Facebook user is his friend or not, DeVoss was able to get his registered email address.
When admin cancels the pending invitations to those recipients invited to be Facebook Group Administrators, the user is forwarded to a Page Roles tab that includes a Cancel Invitation button. Then, on switching to Facebook’s mobile view of the Page Roles tab, the admin was able to view the full email addresses (in plaintext in the URL) of anyone he wanted to cancel from becoming a Facebook Group Administrator.
This contradicts the Facebook’s privacy policy and Harvesting email addresses like this could lead to targeted phishing attempts or other malicious purposes.Facebook has paid more than $5 million to 900 researchers in the 5 years and $611,741 to 149 researchers in the first half of 2016 itself.
No comments:
Post a Comment