Story of a weird vulnerability I found on Facebook

Hello world!

I have always been interested in the challenge of testing the security of a company like Facebook. With over 2.7 billion monthly active users, it is the biggest social network in the world.

That being said, here’s a quick write-up of a distinct vulnerability I found and recently reported to Facebook.

The Story

The reason being that servers used for “legal needs” usually contain important data.

I started googling afterwards and found the following endpoint indexed in the search results: https://legal.tapprd.thefacebook.com/tapprd/auth/identity/logout

And so the hunt began. 👨‍💻

While doing some directory enumeration, a strange server behaviour caught my attention. I noticed that when I requested some specific directories, the server’s response was delayed by a few seconds before it returned the error: “403 Forbidden: Access is Denied”.

The « think outside the box » move

Without much expectation, I sent requests with Burp Intruder using the following options:

Number of threads: 6

Number of retries on network failure: 4

Pause before retry (milliseconds): 3000

and… I left my computer for a cold beer. 🍺

Little did I know that 30 minutes later I’d be impressed by the results!

By sending multiple simultaneous HTTP requests to /tapprd/, some requests managed to bypass the 403 Forbidden error and received a full directory listing. 🤩

After digging further and doing some additional tests, I came to the following conclusion: sending simultaneous HTTP requests to a specific directory can lead to the server leaking its contents.
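From the defender’s side, the pattern described above leaves a recognisable trace in the web server access log: a burst of 403 responses for one path from one client, followed shortly by a 200 for the same path. The script below is an added example written for this write-up, not code from the original post or from Facebook; it parses constructed access-log lines in the common Apache/nginx format (the client addresses, timestamps and sizes are invented) and flags every 200 that follows at least `min_denied` 403s to the same path from the same client inside a sliding time window. The window and threshold are assumptions to be tuned per site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample access-log lines (common log format). The /tapprd/ path
# comes from the write-up; addresses, timestamps and byte counts are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /tapprd/ HTTP/1.1" 403 215
10.0.0.5 - - [10/Oct/2020:13:55:36 +0000] "GET /tapprd/ HTTP/1.1" 403 215
10.0.0.5 - - [10/Oct/2020:13:55:37 +0000] "GET /tapprd/ HTTP/1.1" 403 215
10.0.0.5 - - [10/Oct/2020:13:55:37 +0000] "GET /tapprd/ HTTP/1.1" 403 215
10.0.0.5 - - [10/Oct/2020:13:55:38 +0000] "GET /tapprd/ HTTP/1.1" 403 215
10.0.0.5 - - [10/Oct/2020:13:55:38 +0000] "GET /tapprd/ HTTP/1.1" 403 215
10.0.0.5 - - [10/Oct/2020:13:55:39 +0000] "GET /tapprd/ HTTP/1.1" 200 4821
10.0.0.9 - - [10/Oct/2020:14:02:11 +0000] "GET /tapprd/ HTTP/1.1" 403 215
10.0.0.9 - - [10/Oct/2020:14:02:40 +0000] "GET /tapprd/auth/identity/logout HTTP/1.1" 200 312
"""

# Matches the leading fields of the common/combined log format; trailing
# referer and user-agent fields (if present) are simply ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "path": m.group("path"),
        "status": int(m.group("status")),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
    }


def find_burst_bypasses(lines, window_seconds=10, min_denied=5):
    """Flag 200 responses that follow a burst of 403s for the same (client, path).

    Returns a list of dicts with the client, path, number of 403s seen inside
    the window, and the timestamp of the 200 that broke the pattern.
    """
    per_key = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_key[(rec["ip"], rec["path"])].append(rec)

    window = timedelta(seconds=window_seconds)
    findings = []
    for (ip, path), recs in per_key.items():
        recs.sort(key=lambda r: r["ts"])
        denied = deque()  # timestamps of recent 403s for this client+path
        for rec in recs:
            # Drop 403s that fell out of the sliding window.
            while denied and rec["ts"] - denied[0] > window:
                denied.popleft()
            if rec["status"] == 403:
                denied.append(rec["ts"])
            elif rec["status"] == 200 and len(denied) >= min_denied:
                findings.append({"ip": ip, "path": path,
                                 "denied": len(denied), "at": rec["ts"]})
                denied.clear()  # one alert per burst
    return findings


if __name__ == "__main__":
    for f in find_burst_bypasses(SAMPLE_LOG.splitlines()):
        print(f"{f['ip']} got 200 for {f['path']} at {f['at']} "
              f"after {f['denied']} denials")
```

Run against the sample, only the burst from 10.0.0.5 against /tapprd/ is reported; the single 403 from 10.0.0.9 and the unrelated 200 on the logout endpoint are not. Detection is a backstop only: the fix on the server is to disable directory listing for the web root and to make sure the access-control decision does not depend on how busy the server is.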

I sent HTTP requests via Burp (again) and at the same time I opened http://legal.tapprd.thefacebook.com/tapprd/ with Firefox. The 403 error disappeared and I got a beautiful open directory listing:

I started navigating through the folders with Firefox and I found an upload directory with some strange XLSX files:

I clicked to check a few samples and… BOOM!💥 These documents had been uploaded by the Facebook legal team and contained a lot of confidential internal business and personal information. I decided to stop my research, prepared a PoC video and sent a detailed vulnerability report to Facebook.

Timeline:

5 pieces of advice to remember:

  1. Think outside the box
  2. A beer is always a great idea 🍺
  3. Once you discover a vulnerability, control your emotions and your next steps. Make sure to always carefully respect the disclosure policy of the bug bounty program you are participating in.
  4. Even if it’s hard and frustrating, be patient… This report took 2 months before getting completely resolved.

Cheers!
Amine Aboud

Twitter: https://twitter.com/amineaboud

Entrepreneur & cyber security enthusiast doing bug bounty for fun.