Business Logic Flaw in Facebook – Bug Bounty POC
Hello Bug Bounty POC viewers this is Behroz and Today, I am discussing about a security bug report I reported to Facebook few months ago. The bug report refers to a business logic flaw in Facebook,found in the verification process of a Facebook page. Normally a Facebook page requires huge amount of likes first in order to request for verification of Facebook page(s), however, by exploiting following business logic flaw in Facebook can result a successful verified page despite having low number of likes or even zero likes on that Page.
I created a demo Facebook page using facebook.com/pages/create/. I Clicked on ‘Local Business or Place’ and Choose ‘Pet Services’ as Page category (the bug was only valid for Pet Services category). After choosing this category I entered remaining page details such as ‘Pets’ as page name, ‘USA based Address’ in Street address field and my actual number in Phone field. At this moment I had a Facebook page under the ‘Pet Services’ category having 0 likes.
Checking Page settings option was no use as ‘Page Verification’ option is generally not displayed until a page has 100,000 or more likes. The alternate way was using vulnerable domain; for this bug it was mobile.facebook.com which gave me a way to bypass Facebook page verification requirements like having huge number of likes before verifying a page.
Following link: https://mobile.facebook.com/pages/page_verification/entry/?page_id=[Your Page id]
was used for that purpose . I entered my Facebook page ID in the value of “page_id “parameter (just replace [Your Page id] with Facebook page’s id) later Facebook asked me to verify my mobile phone number. After completion of that step I successfully verified my Facebook page which had 0 likes on it. I got a silver tick besides my Page name which was the indication that this page is verified by Facebook. A silver tick is generally used by Facebook to ensure that a page in the Category of ‘Local Business’ or related is verified by Facebook.
As the page was verified now the ranking for Facebook search was automatically higher and my page was given higher priority as compared to other pages without silver tick hence there were more chances of people visiting my page.
It’s was a critical issue as a page without any likes was verified without any confirmation or checks on it. This bug could have been a fatal as in general people would never doubt page’s authenticity if verified by Facebook, They would 100% trust that the page is legitimate. If anyone with malicious intent had exploited this bug they could have used it for fraud or other unacceptable activities which might have result in financial or other loss of people/customer who fall in trap of that silver tick.
I reported the bug to Facebook and they took my bug seriously. They appreciated my bug and rewarded me for my findings. Thanks to Facebook for appreciating me for my work, Remember Security is a critical part and should never be ignored at any cost, Thanks.
Business Logic Flaw in Facebook – Reply of Facebook :
Business Logic Flaw in Facebook Video POC :