Session Expiration Bypass in Facebook Creator App
Hello everybody,
Welcome back to my medium after many days. Sorry for not publishing anything for a long time, these days I was busy with some personal work. Today am going to share one cool bug that I found in the facebook creator app which I had already shown in the Pentester Nepal Monthly meetup program.
So, first of all, let me elaborate some more about the facebook creator app.
“Facebook Creator Studio lets creators and publishers manage posts, insights and messages from all of your Facebook Pages in one place.”
So, talking more about the security issue that I found in the facebook creator app, I was able to publish a post or delete a post or do all the malicious activities that we can do from creator app even after the session has expired.
How I was able to bypass the session expiration?
When we log out all the logged-in devices from Security and Login then it shows session expired on facebook creator app but the session was not actually expired in the app. This is how the session expired message was shown.
but how I was able to post, delete or send a message after this too.
For exploiting this vulnerability, I used two devices i.e my phone and my laptop.
- I logged into both the devices
- I logged out all the active sessions of the Facebook creator app from my laptop.
- Session Expired message was shown on my phone.
- I then turned my phone mobile data or wifi off.
- I closed all the running app and reopened the Facebook Creator app.
- I tried to create a post without turning on wifi or mobile data.
- While clicking Publish post I turned on my wifi and Post was successfully created.
- After Post was successfully created, Session Expired Message was Shown :)
For deleting posts and for other malicious activities same procedure could have helped me. I was awarded 1500$ for this vulnerability.
Impact
Once I logged into someone's Facebook account then I could have used that account for a lifetime even after the victim log outs all the devices or change his password.
Now App has been removed from Facebook.
Timeline
Reported: Aug 1, 2018
Triaged: Aug 30, 2018
Patched: Feb 28, 2019
Bounty Awarded: Apr 10, 2019
Video POC:
