Wednesday 2 March 2016

Hacking Facebook Polls: Access Control Vulnerability

Hacking Facebook Polls - Poll Access Control Vulnerability: Dead Pool Version

Hello All,

It's been a very long time since I was last involved in bug bounty work, for various reasons. Today we will see how I was able to hack Facebook Polls. While browsing Facebook groups, a module called "Polls" caught my attention. Using this module, admins and group members can create polls to get group members' reactions.

Basically, the vulnerability is about access control in Facebook polls. Facebook offers two controls, and one of them is "Allow anyone to add options". If the poll creator has disabled this option, users can't add more options to the poll, not even an admin; if it is not disabled, any group member can add more options to the poll.

Analysis Part