Spoof as another Facebook user to report an impostor account

While I was helping someone take down a poser/impostor account, I checked the request body to see what was going on behind the scenes. The endpoint required the user to enter a contact email address and the link of the profile they wanted to report.

This is where I noticed something strange. When I supplied a contact email address owned by another Facebook user, that user got notified that he/she had reported someone, without their knowledge.

[Image: an FB auto-response received by the unaware victim]

The “your_email” param does not check whether the user issuing the request has an active session, or whether the email used is already owned by another Facebook user. Ideally the response should be something like “Please login to continue” or “The email address provided is already in use”, since the FB auto-response is sent directly to the support inbox of the user who owns that email. This can be abused at large scale: an attacker can simply create a wordlist of email addresses and start the attack.
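To make the missing checks concrete, here is an added example (my own code, not Facebook's and not from the original post) of a report handler written two ways: a weak version that trusts the submitted contact email as-is, and a hardened version that requires an active session and only accepts an address already verified on the requester's own account. The `Request`, `Outbox` and `VERIFIED_EMAILS` objects are constructed stand-ins for the framework's request object, the mail service and the account database; the "Please verify this email address" response for an unknown address is my assumption about a sensible third outcome, not something the post describes.

```python
"""Contact-email handling on a 'report impostor' endpoint: weak vs hardened."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Request:
    """Constructed stand-in for a web request: session user (None if anonymous) and form fields."""
    session_user: Optional[str]
    form: Dict[str, str]


@dataclass
class Outbox:
    """Constructed stand-in for the mail service; records what would have been sent."""
    sent: List[Tuple[str, str]] = field(default_factory=list)

    def send(self, to: str, subject: str) -> None:
        self.sent.append((to, subject))


# Constructed fixture: which verified addresses belong to which account.
VERIFIED_EMAILS: Dict[str, set] = {
    "alice": {"alice@example.com"},
    "bob": {"bob@example.com"},
}
# Reverse index so a submitted address can be mapped back to its owner.
EMAIL_OWNER: Dict[str, str] = {e: u for u, es in VERIFIED_EMAILS.items() for e in es}

CONFIRMATION_SUBJECT = "We received your report"


def handle_report_weak(req: Request, outbox: Outbox) -> Tuple[int, str]:
    """Behaviour described in the post: no session check, 'your_email' used verbatim.

    Anyone can make the confirmation land in any inbox they name.
    """
    outbox.send(req.form["your_email"], CONFIRMATION_SUBJECT)
    return 200, "Thanks for your report"


def handle_report_hardened(req: Request, outbox: Outbox) -> Tuple[int, str]:
    """Only mail an address that the logged-in requester has already verified."""
    if req.session_user is None:
        return 401, "Please login to continue"

    profile_url = req.form.get("profile_url", "").strip()
    email = req.form.get("your_email", "").strip().lower()
    if not profile_url or not email:
        return 400, "Missing required fields"

    owner = EMAIL_OWNER.get(email)
    if owner is not None and owner != req.session_user:
        # The address is verified on someone else's account: never mail them.
        return 400, "The email address provided is already in use"
    if owner is None:
        # Assumption: unknown addresses must go through verification first
        # rather than being mailed on the strength of a form field.
        return 400, "Please verify this email address before using it"

    outbox.send(email, CONFIRMATION_SUBJECT)
    return 200, "Thanks for your report"


if __name__ == "__main__":
    spoofed = Request(None, {"your_email": "bob@example.com",
                             "profile_url": "https://example.com/impostor"})
    weak_out, hard_out = Outbox(), Outbox()
    print("weak:", handle_report_weak(spoofed, weak_out), weak_out.sent)
    print("hardened:", handle_report_hardened(spoofed, hard_out), hard_out.sent)
```

The hardened handler's two rejections correspond to the two responses the post says should have appeared. Rate limiting the endpoint per account is a separate, complementary control against the wordlist scenario described above; it is not shown here.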

Follow me on Twitter: https://twitter.com/devsyd11


/* Security Researcher && Programmer */

Syd Ricafort
