Posts

Session Misconfiguration in Messenger Lite Android App

NOTE : THIS IS BEING PUBLISHED WITH THE PERMISSION OF FACEBOOK UNDER THE RESPONSIBLE DISCLOSURE POLICY. THE BUG IS FIXED NOW.

SESSIONS WERE NOT PROPERLY TERMINATED UNDER SECURITY AND LOGIN :

ABOUT THE FEATURE : You can manage where you're logged into Facebook in Security and Login Settings. The Where You're Logged In section lists where you're currently logged in. Each entry includes a date, time, location and device type. To log out of Facebook on another computer, phone or tablet:

1. Go to your Security and Login Settings.
2. Click Where You're Logged In.
3. Find the session you want to end and click End Activity.

Clicking End Activity will immediately log you out of Facebook on that device.
ABOUT THE BUG : If the Messenger Lite Android application was already running when its session was ended via Security and Login Settings, the session only expired once the application was restarted. Until then, messages could still be sent and received from the device that the user believed had been logged out.

PROOF OF CONCEPT : TIMELINE : 12…
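The behaviour above is the classic failure mode of checking a session once at start-up and then trusting the cached answer for the life of the connection. The following is an added example, not Facebook's or Messenger Lite's code: a toy server-side session store with two client connection patterns, the flawed one that caches the authentication result when the app starts and the corrected one that re-validates the session on every message, so that "End Activity" takes effect immediately. All class names, the device label and the message flow are hypothetical.

```python
"""Added example (not Facebook's code): why a session revoked in
'Where You're Logged In' must be re-checked on every message, not only
when the client connects.  Names and structure are hypothetical."""
import secrets
from dataclasses import dataclass, field


@dataclass
class SessionStore:
    """Authoritative server-side record of live sessions, keyed by an
    opaque session id.  This is what Security and Login Settings edits."""
    sessions: dict = field(default_factory=dict)  # sid -> device label

    def login(self, device: str) -> str:
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = device
        return sid

    def end_activity(self, sid: str) -> None:
        """Equivalent of clicking 'End Activity' on one listed session."""
        self.sessions.pop(sid, None)

    def is_valid(self, sid: str) -> bool:
        return sid in self.sessions


class CachedAuthConnection:
    """Flawed pattern: validates the session once when the app starts and
    then trusts that cached result until the app is restarted."""

    def __init__(self, store: SessionStore, sid: str):
        self.store, self.sid = store, sid
        self.authenticated = store.is_valid(sid)  # checked only here

    def send_message(self, text: str) -> str:
        if not self.authenticated:
            raise PermissionError("session ended")
        return f"delivered: {text}"


class PerRequestAuthConnection:
    """Fixed pattern: every message re-validates the session against the
    authoritative store, so a remote 'End Activity' is enforced at once."""

    def __init__(self, store: SessionStore, sid: str):
        self.store, self.sid = store, sid

    def send_message(self, text: str) -> str:
        if not self.store.is_valid(self.sid):
            raise PermissionError("session ended")
        return f"delivered: {text}"


def demo(conn_cls) -> tuple:
    """Log in, open a long-lived connection, end the session from another
    device, then try to send.  Returns (sent_before, sent_after_revocation)."""
    store = SessionStore()
    sid = store.login("Messenger Lite on Android")  # constructed label
    conn = conn_cls(store, sid)
    before = conn.send_message("hi") is not None
    store.end_activity(sid)  # user clicks End Activity elsewhere
    try:
        conn.send_message("still here?")
        after = True
    except PermissionError:
        after = False
    return before, after


if __name__ == "__main__":
    print("cached auth   :", demo(CachedAuthConnection))      # (True, True)
    print("per-request   :", demo(PerRequestAuthConnection))  # (True, False)
```

The second tuple element is the security-relevant one: with the cached pattern the revoked device keeps sending, which is exactly the symptom reported above; with per-request validation the first message after revocation is refused without any app restart.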

Facebook Checkpoint Flaw

NOTE : THIS IS BEING PUBLISHED WITH THE PERMISSION OF FACEBOOK UNDER THE RESPONSIBLE DISCLOSURE POLICY. THE BUG IS FIXED NOW.

USER DATA WAS NOT DELETED AS EXPECTED :

ABOUT THE FEATURE : Let's say a malicious actor somehow got access to your account using phishing or social engineering and posted, reacted, commented and performed other activities on your behalf.
Facebook provides the checkpoint feature "Let's Secure Your Account", in which the user is asked to go through a few checkpoints in order to secure his/her account. The user can access this feature at www.facebook.com/hacked (if already logged in).


ABOUT THE BUG : While going through the checkpoints, one checkpoint asks the user to review recent activity and delete anything they don't want on Facebook. Even after the user confirmed that particular activities should be deleted, they were still present on Facebook (and the user was, of course, unaware that the activity had not been deleted).

PROOF OF CONCEPT :

TIMELINE : 10 June 2017 : Ini…

INTRODUCTION THREAD !

ABOUT ARYAN :



Aryan is currently a 20-year-old undergraduate student pursuing his Bachelor of Technology (B.Tech) in Computer Science and Engineering at Dr. A.P.J. Abdul Kalam Technical University, Lucknow, Uttar Pradesh, India. He is a passionate learner and a Web Application Penetration Testing enthusiast. Besides this, he is a foodie, fond of singing, and always picking up new interests. He believes in building his own dreams rather than being hired by someone else to build theirs.

CONTACT :

Gmail

Facebook

Twitter

LinkedIn


HALL OF FAMES :


Aryan has been acknowledged by these major tech giants and companies for finding and helping them fix important security loopholes in their web applications :


Facebook, Inc. | Thanks page

Facebook, Inc. is an American online social media and social networking service company based in Menlo Park, California.


Apple, Inc. | Hall of Fame Page

Apple Inc. is an American multinational technology company headquartered in Cupertino, California, that designs, develops…