Easy wins : verbose error worth Facebook HOF

Hi Info sec community

Been long time I am not active in bug bounty and security. Since beginning of my hacking interest, Facebook HOF always special to me. Here is story of how little recon and bit weird testing got me Facebook HOF 2020.

POC

  1. I used waybackurls by tomnomnom to get all the urls of facebook.com domain.
  2. I wanted URL with app_id parameter in url . So using grep i extracted them .

https://www.facebook.com/sharer?u=https%3A%2F%2Fgoogle.com

Above URL is Facebook common sharing endpoint for sharing anything like facebook profile , video and external urls.

Later one URL caught my attention from extracted url txt file.

https://www.facebook.com/dialog/feed?app_id={appi_id}&link={sharing url}&redirect_uri={sharing url}

Surprisingly above endpoint also share links. I decided to poke this URL .

3. Later, I decided to test feeling/activity feature. I selected watching option in activity and typed random thing & shared as Story.

facebook sharing

4. Right after sharing this as story it was leaking file names with file paths.

Verbose error with file paths

I was not sure about acceptance this bug . Still reported and accepted. Thanks to FB security. Made my way to Facebook hof.

Thanks for reading.

Byeee

lone warrior