Leaked Credentials gives access to internalfb.com

Facebook uses a contracting company in Someplace called Something to test new and upcoming features across the Facebook family. This company uses real Facebook and Instagram profiles to test in public. A certain trivially found “flag” allows one to identify multiple Something contractors on Facebook with minimal difficulty. One of these Facebook contractors live streamed three credentials for @fb.com. A credential worked to login for internalfb.com but stopped at a 2FA screen. The logged in user even if the 2FA is required still allowed internal data to be leaked.

Steps

1. After logging in send an internal XController request

new AsyncRequest(‘/intern/something/’).setData({value:1}).send()

2. This will raise an error through a stack trace. The error essentially states I didn’t supply the correct fields for the XController. So, given a url or list of urls one could use this error to build a valid list on internal XControllers with valid fields.

Parts of this report are intentionally vague or missing to abide by Facebook.

“If you inadvertently access another person’s data or Facebook company data without authorization while investigating an issue, you must promptly cease any activity that might result in further access of user or Facebook company data and notify Facebook what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system. Continuing to access another person’s data or company data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor Provisions described below. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.”

Timeline (everything that follows is verbatim unless redacted)

Reported on Thursday, February 11, 2021 at 5:54 AM (leaked credential video up for three days)
Facebook replied on Thursday, February 11, 2021 at 6:23 AM

Thank you for your submission.

We’ve managed to reproduce your report and will get back to you once we have had a chance to investigate. In the meantime could you please cease all further testing that relies on using leaked credentials, we’re well aware of the risk this poses and as always we’ll inspect the full impact of the issue from our side.

Could you also share the link of the livestream where this was leaked?

I replied on Thursday, February 11, 2021 at 6:26 AM with the video link
I replied on Thursday, February 11, 2021 at 6:47 AM with am MDM config I obtained via a next video same owner

Facebook replied on Tuesday, February 16, 2021 at 4:56 AM

We have looked into this issue and believe that the vulnerability has been patched. The video has been taken down and the credentials have been invalidated. The MDM config for Seqrite you found is not related to Facebook.
Please let us know if you believe that the patch does not resolve this issue. We will follow up regarding any bounty decisions soon.

I replied on Thursday, February 25, 2021 at 7:03 AM asking for disclosure

Facebook replied on Tuesday, March 2, 2021 at 2:25 PM

Thank you for sharing these details. Someone from the team will get back to you regarding your questions. Thank you for you patience.

Facebook replied on Tuesday, March 2, 2021 at 3:45 PM

Thank you for your patience. We’re still looking into this and hopefully we’ll get back to you later in the week.

I replied on Thursday, March 4, 2021 at 5:13 AM

I’m pulling the response given at whitehat.workplace.com and using this as the basis.

“Hey Phillipe,

“As for publishing the sensitive information in the writeup goes, our legal team has advised the following:

If you inadvertently access another person’s data or Facebook company data without authorization while investigating an issue, you must promptly cease any activity that might result in further access of user or Facebook company data and notify Facebook what information was accessed (including a full description of the contents of the information) and then immediately delete the information from your system. Continuing to access another person’s data or company data may demonstrate a lack of good faith and disqualify you from any benefit of the Safe Harbor Provisions described below. You must also acknowledge the inadvertent access in any related bug bounty report you may subsequently submit. You may not share the inadvertently accessed information with anyone else.”

Facebook replied on Thursday, March 11, 2021 at 2:09 PM

Apologies for the delay. We have discussed the issue at length and concluded that this is out of the scope for out bug bounty program since it is not considered as a security vulnerability and the impact here was minimal because without 2FA you can’t access our internal infrastructure.

The information you got from Whitehat Workplace is accurate. The data you accessed is considered as a personal data and as such you’re not allowed to publicly share it. You’re free to write a blog about the general issue you found but posting the raw information would be in violation of our terms.

I would also like to clarify that your actions did demonstrate a good faith since you ceased any further investigation.

Thanks