Spoof as another Facebook user to report an impostor account

Syd Ricafort (0cod3)
Apr 5, 2022

When I was helping someone take down a poser/impostor account, I tried to check the request body to see what was going on behind the scenes. The endpoint required the user to enter a contact email address and the link to the profile the user wanted to report.

This is where I noticed something strange. When I tried to supply a contact email address owned by another Facebook user, that user got notified that he/she had reported someone, without his/her knowledge.

An FB Auto Response received by Unaware Victim

The “your_email” param is not checked against the requester: the endpoint verifies neither that the user issuing the request has an active session nor that the email is not already owned by another Facebook user. Ideally, the response should be something like “Please login to continue” or “The email address provided is already in use”, since the FB auto response is sent directly to the support inbox of the user who owns the email. This can be abused at large scale: an attacker can simply create a wordlist of email addresses and start the attack.
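The server-side check described above can be sketched as follows. This is an added example, not Facebook's code or the author's; `check_report_contact`, `Decision` and `ACCOUNT_EMAILS` are hypothetical names and the account data is constructed.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data: contact email -> owning account id (not real accounts).
ACCOUNT_EMAILS = {
    "alice@example.com": "acct-1001",
    "bob@example.com": "acct-1002",
}


@dataclass
class Decision:
    accepted: bool
    message: str
    notify: Optional[str] = None  # only address an auto response may go to


def normalize_email(raw: str) -> str:
    """Trim and lowercase so ' Bob@Example.com' matches the stored address."""
    return raw.strip().lower()


def check_report_contact(your_email: str, session_account: Optional[str]) -> Decision:
    """Decide whether a report may use your_email as its contact address.

    session_account is the authenticated requester's account id, or None
    when the request carries no active session.
    """
    email = normalize_email(your_email)
    if "@" not in email:
        return Decision(False, "Invalid email address")
    owner = ACCOUNT_EMAILS.get(email)
    if owner is None:
        # Unregistered address: no existing user's support inbox is involved.
        return Decision(True, "Report received", notify=email)
    if session_account is None:
        # Address belongs to an account, but the requester is anonymous.
        return Decision(False, "Please login to continue")
    if owner != session_account:
        # Logged in, but not as the owner of this address.
        return Decision(False, "The email address provided is already in use")
    return Decision(True, "Report received", notify=email)
```

Distinct rejection messages let a caller learn which addresses are registered, so a deployment may prefer one uniform response while still suppressing the auto response.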

Follow me on Twitter: https://twitter.com/devsyd11
