Facebook Exploit [post to Facebook users even if they are not in the friend list] August-2013
Name : Khalil Shreateh
Job : unemployed :/
Facebook Page: https://www.facebook.com/khalil.shr
Days ago I discovered a serious Facebook vulnerability that allows a Facebook user to post to all Facebook users' timelines even if they are not in his friend list.
I reported that exploit through Whitehat --> www.facebook.com/whitehat
This email shows my report, including the Facebook security reply:
I don't see anything when I click link except an error.
-----Original Message to Facebook-----
Subject: post to facebook users wall.
Description: Dear Facebook team,
My name is Khalil Shreateh.
I finished school with a B.A. degree in Information Systems.
I would like to report a bug in your main site (www.facebook.com) which I discovered.
The bug allows Facebook users to share links to other Facebook users. I tested it on sarah.goodin's wall and I got a successful post.
link -> https://www.facebook.com/10151857333098885
-----End Original Message to Facebook-----
I described the exploit to them, with a link to the Facebook post that I made to Sarah Goodin's timeline.
Sarah Goodin is the girl who was in the same college as Mark Zuckerberg.
This picture shows the post:
The Facebook security reply was that the link gives an error on opening. Of course they didn't use their authority to view Sarah's private posts, as Sarah shares her timeline posts with her friends only. I was able to view that post because I'm the one who posted it, even though I'm not in her friend list. That is what I told them in a reply, and I also told them I may post to Mark Zuckerberg's timeline, as this picture shows:
As usual they ignored my reply, so I reported another. This email shows their reply to my second report, including the report:
Hi Ḱhalil,
I am sorry this is not a bug.
Thanks,
Emrakul
Security
Facebook
-----Original Message to Facebook-----
From: firstname.lastname@example.org
To:
Subject: urgent : post to non friends facebook users wall .
Name: Ḱhalil
E-Mail: email@example.com
Type: privacy
Scope: www
Description: Dear Facebook team,
My name is Khalil Shreateh.
I finished school with a B.A. degree in Information Systems.
I would like to report a bug in your main site (www.facebook.com) which I discovered. I'm reporting this bug for the second time.
repro: The vulnerability allows Facebook users to share posts to non-friend Facebook users. I made a post to sarah.goodin's timeline and I got a successful post.
link -> https://www.facebook.com/10151857333098885
Of course you may not be able to see the link, because Sarah's timeline friends' posts are shared only with her friends; you need to be a friend of hers to see that post, or you can use your own authority. This is a picture that shows that post: https://fbcdn-sphotos-h-a.akamaihd.net/hphotos-ak-ash4/q71/s720x720/999429_10151857336258885_2061448780_n.jpg
-----End Original Message to Facebook-----
I told them that Sarah shares her timeline with her friends only, and I also sent them a picture that shows the post I made to Sarah's timeline. Their reply was "sorry this is not a bug", so I replied back and said that I had no choice but to post to Mark Zuckerberg's timeline.
I told him about the
exploit and all the reports I sent, with a link to the last report including
the Facebook security reply. Minutes after, a Facebook security engineer
on my picture on Facebook asking me to send him all the details about the
You can see the conversation at this link: https://www.facebook.com/10151865722018885
A minute after that, I got my account disabled. As they said, Facebook has all the right to disable any Facebook account without any reason given. I made another report asking Facebook security to reactivate my account. This is the email that shows my report, including their reply:
Dear Khalil,
Facebook disabled your account as a precaution. When we discovered your activity we did not fully know what was happening. Unfortunately your report to our Whitehat system did not have enough technical information for us to take action on it. We cannot respond to reports which do not contain enough detail to allow us to reproduce an issue. When you submit reports in the future, we ask you to please include enough detail to repeat your actions. We are unfortunately not able to pay you for this vulnerability because your actions violated our Terms of Service. We do hope, however, that you continue to work with us to find vulnerabilities in the site. We have now re-enabled your Facebook account.
Joshua
Security Engineer
Facebook
-----Original Message to Facebook-----
From: firstname.lastname@example.org
To:
Subject: bypass facebook posts to timeline privacy
Name: Khalil Khalil
E-Mail: email@example.com
Type: privacy
Scope: www
Description: OK, this is the third time I report this bug. I know that you guys now know that it's a bug for sure, after facebook.com/ola deactivated my account, which is facebook.com/khalil.iz.sh. I want my account back as soon as possible, as I report the bugs for you and I didn't use other fake accounts or test accounts to break privacy. Although my account contains important messages that some of my friends need back.
https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-ash3/1174822_10200988067716575_1496625129_n.jpg
repro: This is the last post I made before "www.facebook.com/ola" deactivated my account. I had no choice after you guys replied twice to me that this is not a bug.
https://fbcdn-sphotos-d-a.akamaihd.net/hphotos-ak-prn1/543398_10151865722018885_1202186069_n.jpg
-----End Original Message to Facebook-----
I replied back that the Facebook report page has a "prove concept" and I can't prove it without sending pictures or video. That is bullshit.
After my second report I recorded this video, which shows the exploit. I was rushed recording it because they were able to close that exploit in any