I Hacked into Facebook’s Legal Department Admin Panel

We’ve been in this pandemic since  March and once the pandemic started I used to be having hundreds of free time, And I need to exhaust that point wisely, So I’ve made up our minds to purchase the OSWE certification and I accomplished the examination on 8 of August, after that, I took a pair of weeks to recuperate from the OSWE examination, then in the med of September, I stated you understand what? I did no longer register my title in the Fb hall of reputation for 2020 as I enact once a year. okay, let’s enact it.

I below no conditions chanced on a vulnerability on one of Fb subdomains, and I took a eye at some writeups and I saw one writeup in a single of Fb subdomains which It got all my consideration It used to be a marvelous write up you might maybe maybe presumably presumably presumably test it out [HTML to PDF converter bug leads to RCE in Facebook server.]

So after reading this writeup now I took an correct belief about how many vulnerabilities I’d receive in this kind of immense web app.

So my main target used to be https://ethical.tapprd.thefacebook.com and my unbiased used to be RCE or something the same.

I ran some fuzzing tools honest correct to rating the elephantine endpoints of this web app and I took a 2 hours nap and watched a movie, Then I got abet to scrutinize the outcomes okay I got some correct results.

Dirs chanced on with a 403 response:

Dirs chanced on with a 403 response:

/tapprd/products and services/
/tapprd/Companies and products/

Ok, I deem this outcome is highly ample to boost my old theory about how immense this utility, Then I started to be taught the javascript files to scrutinize how the site works and what methods it uses ..etc

I spotted a fashion to avoid the redirection into the Login SSO, https://ethical.tapprd.thefacebook.com/tapprd/portal/authentication/login and after examining the login page, I spotted this endpoint


and after doing some fuzzing on the individual endpoint I’ve observed one more endpoint which its /savepassword  and it used to be making an try ahead to a POST seek data from, Then after reading the javascript files I knew how the page work, there ought to unexcited be a generated token and xsrf token.. etc The postulate that first got here to me okay, Lets test it and gaze whether it is going to work I tried to commerce manually the usage of burp suite however I got an error, the error used to be execution this operation failed.

I stated okay, this might maybe maybe presumably presumably very neatly be since the electronic mail is inferior or something? let’s rating an admin electronic mail, Then I started to set apart random emails in a checklist to rating a wordlist and after that, I used the intruder and I stated let’s gaze what is going to occur.

I got abet after a pair of hours I chanced on the same error results plus one other outcome, This one used to be 302 redirect to the login page, I stated wow, I’ll be damned if this worked Haha.

So let’s rating abet to scrutinize what I’ve accomplished here, I despatched random requests the usage of intruder with a CSRF token and random emails with a recent password to this endpoint /savepassword

and one of the most outcomes used to be 302 redirect.



Now I went to the login page and I build the login electronic mail and the recent password and BOOM I logged in Successfully into the utility and I’m in a position to enter the admin panel 🙂

I be taught the hacker file who chanced on RCE sooner than the usage of the PDF and they gave him a reward of 1000$ simplest so I stated okay, let’s rating an correct Impact here and a ideal exploit.

I wrote a fast and simple script to make the most of this vulnerability with python you set apart the electronic mail and the recent password and the script will commerce the password.

The Impact here used to be so excessive since the Fb employees used to login with their blueprint of work accounts, Which imply they’re the usage of their Fb accounts access token, and presumably if one more attacker desired to make the most of this it might maybe maybe presumably presumably give him the ability to set apart access to some Fb employees accounts .. etc 

Then I reported the vulnerability and the file triaged.

And on 2 of October, I obtained a bounty of 7500$ 

I loved exploiting this vulnerability so extraordinary, so I stated that’s no longer ample, that is a archaic script! let’s dig more and more.

And I chanced on two more vulnerabilities on the same utility, But we are in a position to discuss relating to the opposite vulnerabilities in the Segment two writeup 🙂


Alaa Abdulridha on FacebookAlaa Abdulridha on GithubAlaa Abdulridha on Instagram

Alaa Abdulridha

My title is Alaa Abdulridha I am a computer engineering student and cybersecurity researcher I am attracted to web utility pentesting and sport construction, also I am attracted to some trojan horse bounty packages, I love moderately a pair of things resembling reverse engineering, reading the others code to be taught and then to search out my comprise exploits and instructing it to you, Stop that you just might maybe like to know more about me ? Click Here.

Read More

Recent Content