Wednesday, June 24, 2015

Facebook Bug Bounty - From Scrapbooks With Love

Facebook is known to test new features in limited areas before rolling them out to production worldwide. Usually the newest things appear first in the US. I was browsing through the latest features, and “Scrapbook” caught my eye.

Scrapbook is a collection of photos of your child. You can tag your child in photos and the photos will be added to your child’s scrapbook album. You can also give your partner access to the album to edit the scrapbook and tag photos.


Picture 1. Adding scrapbook.
To make sure the partner function isn’t misused, you need to be in a relationship with the person you would like to add as your partner. This is stated in the instructions.

After adding your partner to your scrapbook, the family member information of the scrapbook is forwarded to the partner’s profile. Interestingly, it is you who decides the audience of the family member entry on the partner’s profile, because the audience is inherited from the scrapbook owner’s settings. So if the audience is set to public, it is shown as public everywhere. The audience of the photos is a separate setting.

You can of course edit your scrapbooks later, for example to give your partner access if you didn’t do so when creating it. The POST request of the save function looks like this:


Picture 2. Adding a partner to scrapbook.
Parameter “id” is the child’s user id and parameter “contributors[0]” is your partner’s user id. The CSRF token etc. are of course included in the request, but I stripped them out.

I realized that the relationship status between you and your partner isn’t checked, so you could add anyone as your partner: the parameter “contributors[0]” isn’t verified to actually be your partner. This is quite a bad situation, as it gives an attacker the possibility to push false data to a target’s profile – add any family member and, by tagging, photos to the scrapbook album. A notification of the addition is sent to the partner, so it isn’t very stealthy, but still a bad one.

I didn’t like that the target (partner) received a notification of the addition. I went through all the functions again, but I couldn’t create a situation where the notification isn’t sent.

A little later I got an idea – the country restriction. What if I add as a partner a person who is browsing Facebook from outside the US, i.e. using a non-US IP address?

After adding a non-US person as a partner, the target didn’t receive any notification. At first I thought the addition hadn’t gone through at all, because there was no sign of it. No scrapbooks, nothing! I switched to a US IP address and the notifications and the scrapbook appeared. Back to a non-US IP address and nothing. So the country restriction seems to be very strict.

Therefore everyone using a US IP address was able to see the family member addition, the scrapbook album and the tagged photos in it, but the non-US target saw none of these. Someone said blackmailing?
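To make the two defects concrete, here is an added toy model of the scrapbook save handler (constructed for this post, not Facebook’s code) next to a hardened version. The relationship table, the user-to-country map and the set of rollout countries are assumed sample data standing in for whatever Facebook actually uses. The hardened handler checks the id sent in “contributors[0]” against a confirmed relationship on the server side, and lets the country gate refuse the write instead of merely skipping the notification, so nothing can be attached to a profile its owner cannot see.

```python
from dataclasses import dataclass, field

# Constructed sample data (assumptions, not Facebook's data): which user pairs are in a
# confirmed relationship, where each user browses from, and where the feature is rolled out.
CONFIRMED_RELATIONSHIPS = {
    ("alice", "bob"), ("bob", "alice"),    # alice and bob are partners, both in the US
    ("alice", "erin"), ("erin", "alice"),  # alice and erin are partners, erin is outside the US
}
USER_COUNTRY = {"alice": "US", "bob": "US", "carol": "FI", "dave": "US", "erin": "FI"}
FEATURE_COUNTRIES = {"US"}


@dataclass
class Scrapbook:
    owner: str
    child_id: str
    contributors: list = field(default_factory=list)
    notified: list = field(default_factory=list)  # users who were told about the addition


class Forbidden(Exception):
    """Raised by the hardened handler when the write is refused."""


def save_scrapbook_vulnerable(requester: str, params: dict) -> Scrapbook:
    """Toy model of the flaw: contributors[0] is stored straight from the request,
    and for a partner outside the rollout countries the notification is simply
    skipped, which hides the addition from that person."""
    book = Scrapbook(owner=requester, child_id=params["id"])
    partner = params.get("contributors[0]")
    if partner:
        book.contributors.append(partner)  # no relationship check at all
        if USER_COUNTRY.get(partner) in FEATURE_COUNTRIES:
            book.notified.append(partner)  # silently absent for a non-US partner
    return book


def save_scrapbook_hardened(requester: str, params: dict) -> Scrapbook:
    """Same handler with both server-side checks in place."""
    partner = params.get("contributors[0]")
    if partner:
        # 1. Authorize the submitted value, not just the session: the contributor
        #    must be the requester's confirmed partner, whatever the client sent.
        if (requester, partner) not in CONFIRMED_RELATIONSHIPS:
            raise Forbidden("contributors[0] is not the requester's confirmed partner")
        # 2. A feature gate must refuse the write, not just drop the notification;
        #    otherwise data lands on a profile that its owner cannot see.
        if USER_COUNTRY.get(partner) not in FEATURE_COUNTRIES:
            raise Forbidden("partner is outside the feature rollout; nothing written")
    book = Scrapbook(owner=requester, child_id=params["id"])
    if partner:
        book.contributors.append(partner)
        book.notified.append(partner)  # every accepted addition is visible to the partner
    return book


if __name__ == "__main__":
    req = {"id": "child-1", "contributors[0]": "carol"}  # carol is not alice's partner
    v = save_scrapbook_vulnerable("alice", req)
    print("vulnerable:", v.contributors, "notified:", v.notified)
    try:
        save_scrapbook_hardened("alice", req)
    except Forbidden as err:
        print("hardened refused:", err)
```

Running it shows the vulnerable handler accepting a stranger as contributor with an empty notification list, while the hardened handler rejects the request before anything is stored. The point of the second check is that rollout restrictions and notification logic are separate concerns: gating only the notification is what turned a consistency bug into a silent profile change.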

A quick graphical presentation:

Picture 3. An example scenario.
Timeline:

13.5.2015, 4:46 pm - Reported to FB
14.5.2015, 3:29 am - Triaged by FB
14.5.2015, 5:46 am - Added more information to the case
19.5.2015, 7:57 am - Patched by FB