Story of a weird vulnerability I found on Facebook

I have always been interested in the challenge of testing the security of a company like Facebook. With over 2.7 billion monthly active users, it is the biggest social network in the world.

That being said, here’s a quick write up on a distinct vulnerability I found and reported recently to Facebook.

The Discovery Process

While doing some subdomains enumeration, I found an intriguing subdomain which instantly raised my interest : https://legal.tapprd.thefacebook.com/

The reason being that servers used for “legal needs” usually contain critical data.

Further exploration led me to a Google indexed endpoint: https://legal.tapprd.thefacebook.com/tapprd/auth/identity/logout, which marked the beginning of an in-depth investigation.

While doing some directories enumeration, a strange server behavior caught my attention. I noticed that when I tried to request some specific directories, the server’s response was delayed by a few seconds before returning the error : “403 Forbidden : Access is Denied.”

The « think outside the box » move

I decided to send 200 http requests (without any payload) targeting http:// legal.tapprd.thefacebook.com/tapprd/ to stress the server up a little and watch its reaction.

Without expectation, I sent requests with Blurp Intruder using the following options :

Number of threats: 6

Numbers of retries on network failure: 4

Pause before retry (milliseconds): 3000

and… i left my computer for a cold beer. 🍺

Little did I know that 30 minutes later i’d be impressed by the results!

By sending multiple simultaneous HTTP requests to /tapprd/, some requests managed to bypass the 403 permission denied error and revealed a complete directory listing.

After digging further and doing some additional tests, I came with the following conclusion: sending simultaneous HTTP requests to a specific directory could lead the server to inadvertently disclose its contents.

I sent HTTP requests using Blurp and simultaneously opened http://legal.tapprd.thefacebook.com/tapprd/ through Firefox. The 403 error disappeared and I got the following open directory listing:

I started navigating through the folders and I found an upload directory with some unusual XLSX files:

A closer examination of few samples revealed that they contained sensitive business and personal information uploaded by Facebook’s legal team. I halted my investigation, created a proof-of-concept video, and submitted a detailed vulnerability report to Facebook.

Timeline:

July 27, 2020 at 3:43 PM : Reported the vulnerability, which was triaged by the Facebook Security Team within an hour.
July 31, 2020: The vulnerability was fixed by the Facebook’s product team and I confirmed the patch.
August 12, 2020: Facebook raised a conflict with the Responsible Disclosure Policy — I sent more clarifications and details.
August 27, 2020: Got a reply « We have received your comments and will get back to you on this matter once we have finished discussing the case. »
September 21, 2020: Facebook finalized its review: « Upon further review of your report, we’ve decided to issue you a bounty award. We appreciate your patience as we worked through the triage process. »
September 28, 2020: Bounty awarded 💰

Amine Aboud

Twitter: https://twitter.com/amineaboud