Disclosing the Primary Email address for each Facebook user

Introduction

This post is going to be discussing how I was able to get the primary/hidden email address for any Facebook user. This also happens to be my first accepted bug to the Facebook Bug Bounty Program.

Background

Back in September I got an email notification from Facebook stating I had been added as an Admin of a Facebook Page. I hadn't tested this functionality for bugs before and so, decided to mess around with it. I was able to quickly find an endpoint that disclosed the Admin's email addresses, and reported it to Facebook, only to be told that it was desired action due to the type of page it was.

Details

Then on November 25th, a video was shared in a Slack group I'm a member of, describing a vulnerability which disclosed the email addresses of Facebook users (it can be found here). After watching the video and recognizing part of the HTTP request shown in it, I decided to go back and see if I could disclose user emails in a similar fashion.

I created a new test group and went to the settings -> Page Roles which can be found at https://www.facebook.com/Fsdghfgdfdsfsg-1788709781369023/settings/?tab=admin_roles. This presented me with the following screen:

I then entered the name of my test account and added it as an Editor:

Now as a note, when you add someone to a role on your group, if they are on your Friends list, then they will be automatically added to the role you assign and Facebook will send them a notification. This is important because when you attempt to assign a role to a person you are not friends with, a request is sent to that person for them to accept or decline the invitation. While Facebook waits for the confirmation, the user is shown under the Page Roles tab, with a button to cancel the request.

After poking around for a bit on the www.facebook.com domain with no success, I decided to switch to the mobile view and see if anything changed. So I navigated to the page: https://m.facebook.com/pages/edit/admins/1788709781369023 and instantly noticed something different.

This mobile page looks much more interesting! I quickly noticed that when you clicked the remove link on the mobile page, you were redirected to a page with the following URL:
https://m.facebook.com/password/reauth/?next=https%3A%2F%2Fm.facebook.com%2Fpages%2Fremove_admins%2Fconfirm%2F%3Fid%3D1788709781369023%26remove_admin_role%3D1%26remove_pending_invite_email%3Dtommy%2540goglobalworx.com&_rdr

Notice the parameter remove_pending_invite_email. When attempting to cancel the request from the mobile page, it would disclose the email address of the person I invited but was not friends with.
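As an added illustration (not part of the original post and not Facebook's code), the following Python script parses the redirect URL quoted above, follows the nested next= parameter, and flags any query parameter whose value is an email address, which is the kind of check a defender can run over access logs or redirect targets. It then shows a hardened way to build the same reauth-to-confirm link that identifies the pending invite by an opaque server-side token rather than the invitee's address; the parameter name remove_pending_invite and the token value are assumptions, not anything Facebook uses.

```python
import re
from urllib.parse import parse_qs, urlencode, urlsplit, urlunsplit

# The redirect URL quoted in the post: the reauth page's `next=` parameter
# carries a second URL whose query string contains the invitee's address.
LEAKY_URL = (
    "https://m.facebook.com/password/reauth/?next="
    "https%3A%2F%2Fm.facebook.com%2Fpages%2Fremove_admins%2Fconfirm%2F"
    "%3Fid%3D1788709781369023%26remove_admin_role%3D1"
    "%26remove_pending_invite_email%3Dtommy%2540goglobalworx.com&_rdr"
)

# Deliberately simple: one '@' with non-blank text on both sides and a dot in the domain.
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def flatten_params(url, depth=0, max_depth=3):
    """Return (depth, key, value) for every query parameter in `url`.

    Values that are themselves URLs (such as `next=`) are parsed recursively,
    because that is where a nested leak hides. parse_qs percent-decodes each
    value once per level, so `%2540` becomes `%40` and then `@`.
    """
    found = []
    parts = urlsplit(url)
    for key, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            found.append((depth, key, value))
            if depth < max_depth and value.startswith(("http://", "https://")):
                found.extend(flatten_params(value, depth + 1, max_depth))
    return found


def find_email_params(url):
    """Return (key, value) pairs whose value is an email address, at any nesting depth."""
    return [(k, v) for _, k, v in flatten_params(url) if EMAIL_RE.match(v)]


def hardened_reauth_url(page_id, invite_token):
    """Build the same reauth -> confirm redirect, but reference the pending
    invite by an opaque token the server maps back to the invitee.
    The parameter name `remove_pending_invite` and the token are assumptions."""
    confirm_query = urlencode(
        {"id": page_id, "remove_admin_role": "1", "remove_pending_invite": invite_token}
    )
    confirm_url = urlunsplit(
        ("https", "m.facebook.com", "/pages/remove_admins/confirm/", confirm_query, "")
    )
    reauth_query = urlencode({"next": confirm_url})
    return urlunsplit(("https", "m.facebook.com", "/password/reauth/", reauth_query, ""))


if __name__ == "__main__":
    print("leaky URL exposes:", find_email_params(LEAKY_URL))
    safe = hardened_reauth_url("1788709781369023", "inv_9c1f2b7e")  # constructed token
    print("hardened URL exposes:", find_email_params(safe))
    print(safe)
```

The recursion matters because a scanner that only looks at top-level parameters sees next= as an opaque string and misses the address one decode deeper; the hardened builder removes the address from the URL entirely, so the confirm page has to resolve the token server-side against the page's own pending invites.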

Impact

The impact of this vulnerability could be diverse. Harvesting email addresses this way contradicts Facebook's privacy policy and could lead to targeted phishing attempts or other malicious purposes. Also, as a note, this could only target users who were not already friends on Facebook, and after adding the person and then removing the request, the notification will disappear. This means an attacker could exploit this without the knowledge of the victim, unless they happened to get the notification and see it before the request was canceled.

Report Timeline:
  • 11/25/2016 - Vulnerability Found and Reported via Facebook's Submission Page.
  • 11/25/2016 - Initial response from Facebook. Unable to reproduce.
  • 11/25/2016 - Provided more information to Facebook Security.
  • 11/27/2016 - Provided shell script capable of reproducing issue.
  • 11/30/2016 - Facebook confirms ability to reproduce, escalates issue.
  • 12/02/2016 - Facebook implements hotfix to prevent issue from being exploited.
  • 12/14/2016 - Facebook pushes permanent fix.
  • 12/20/2016 - Facebook awards $5,000 bounty.

Twitter: http://twitter.com/thedawgyg
Thanks to @yaworsk for help with editing of this post.