Facebook User Enumeration
Hello all readers, today I am going to show you how I found a user enumeration vulnerability in Facebook: the "Facebook User Enumeration" vulnerability.
Bug Status - Reported On 3-5-2013
They said that the rate limit is working according to their settings, but they rewarded me for coordinating with them about this report.
Reward - $1000
Before going further, if you don't know about user enumeration vulnerabilities, see below.
User enumeration is a technique or vulnerability that allows an attacker to enumerate all emails, user names or other sensitive information about any user that already exists in the target web application.
So let's move on to the testing part.
As for me, I didn't try for XSS, CSRF or any other common bug; I always try to find some logical or unique bug.
So I was searching for this type of bug on iphone.facebook.com, a special version for iPhone users where they can browse Facebook on their iPhone.
Now here is where the interesting part came.
You all know that every web application has its forgot-your-password and registration forms,
where a user can reset their password or create a new account.
Let's think about what an attacker can do with these two forms... hmmmmm :-)
Yes, he can check which email addresses already exist in that web application by performing a mass brute force attack.
So I tried to perform this attack on the iphone.facebook.com and m.facebook.com forgot-your-password pages, but as everyone knows, Facebook has its internal brute force detection mechanism, so no one can easily perform this type of attack.
As a result of this attack I found that after 10 attempts Facebook was blocking my requests, so I was unable to perform this attack there. I tried to bypass it but didn't get anything.
Then finally I found a flaw: improper request handling on the iphone.facebook.com login panel.
In a normal web application, if you enter only the email without giving a password, the application gives you an error like "Please Enter Email & Password Or You Entered An Invalid Email Or Password".
But on iphone.facebook.com, if I enter only the email in the login panel without giving a password, I get the error "We didn't recognize your email address".
This behavior is intentional: it improves the usability of the site by allowing users to more easily distinguish when they've typed their email address incorrectly
But with this we can enumerate all existing email addresses:
200 for a non-existing email and 302 for an existing email
(5000 attempts)
Here I performed 5000 attempts.
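To make the oracle concrete from the defender's side, here is an added example (not code from the post or from Facebook) contrasting a login handler that behaves as described above with a hardened one that returns a single generic response and enforces a per-client attempt limit before any account lookup. The credential store, email addresses and the attempt threshold are constructed assumptions.

```python
import hashlib
import hmac
from collections import defaultdict

# Constructed credential store standing in for the application's account
# database (assumption; none of these addresses are real accounts).
_CREDS = {
    "alice@example.com": hashlib.sha256(b"correct horse").hexdigest(),
    "bob@example.com": hashlib.sha256(b"hunter2").hexdigest(),
}
# Per-client attempt budget (assumption; the post only says "after 10 attempts").
MAX_ATTEMPTS = 10
_attempts = defaultdict(int)


def check_password(email, password):
    digest = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(_CREDS[email], digest)


def leaky_login(email, password):
    """Behaviour the post describes: the response itself tells the caller
    whether the address exists (302 for a known email, 200 plus a specific
    message for an unknown one), even when no password is supplied."""
    if email not in _CREDS:
        return 200, "We didn't recognize your email address"
    if password and check_password(email, password):
        return 302, "/home"
    return 302, "/login?error=bad_password"


def hardened_login(email, password, client_ip):
    """Same flow with two fixes: one generic response whether or not the
    email exists, and a per-client attempt limit checked before any
    account lookup (response timing is not equalised here)."""
    _attempts[client_ip] += 1
    if _attempts[client_ip] > MAX_ATTEMPTS:
        return 429, "Too many attempts; try again later"
    if email in _CREDS and password and check_password(email, password):
        return 302, "/home"
    # Unknown email, missing password and wrong password all produce this
    # exact status and message, so the response carries no enumeration oracle.
    return 200, "The email address or password you entered is incorrect"


def simulate_burst(client_ip, emails):
    """Return the status codes one client gets for a run of password-less
    attempts; the limiter must cut in after MAX_ATTEMPTS."""
    return [hardened_login(e, "", client_ip)[0] for e in emails]
```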
You can see the POC video.
After communicating with the Facebook team, they said that they already have an attempt limit on their web application, but they still considered my report valid for coordinating with them in a proper manner about this report.
Comments are always welcome.