1. Summary
I found a bug in Facebook that allowed me to upload any kind of file. Also the picture or Link I send thru that method would not be filtered or scanned for virus/pornographic. And later I also discovered it would allow me to download files from facebook server.
2. Report Submitted
Title
Bypass Pornographic/illegal image share filter on message
Vuln Type
Other
Product Area
Facebook - Web
Description/Impact
Complete Details
===
Hi.
Facebook block people from sharing child porn and other illegal graphics via message or post. I guess it uses some AI to filter image and block/delete/disable them. But I found a way by which anyone can share illegal images on facebook. Not only that but also it displays a big 'GIPHY' banner on image which makes bad reputation of their product.
Impact
===
Sharing of illegal stuffs, putting false source banner on resources,
Repro Steps
Setup
===
Users: Sender, Victim
Environment: Sending normal message to user via browser messenger
Browser: Chrome v79.0.3945.117
OS: Win 10 x64
Description: I just sent a normal message and interpreted it with burp suite
Steps
Step 1. Open and configure burp suite
Step 2. Go to facebook.com/messages/t on browser
Step 3. Open GIF sender but don't send GIF
Step 4. Turn on interceptor in burp suite
Step 5. Change the GIF source url with bad image and send
This way I can send any bad image to any user and won't get blocked and also image will be marked as GIPHY image which may lead to violation of GIPHY terms for facebook.
I have also attached Video demonstration
3. Video Demonstration
4. More about report
About a day later after i submitted the report, I was just playing with the bug and I discovered I could include the file from the server and download anyfile from facebook server. However they told me the file included was from CDN server (Where user uploaded photos/videos are saved) and not the main server of the facebook so it won't be that much risk and they rated my report as high severity. If it was actual server it would have got Critical severity. Anyways here's what I told in reply to my report,
Reply
Hello,
I found that i can include any file from server with this method and download it. I can just change GIF file url to any file path in facebook server and it will send a copy of file from server and I can download it. This way I can download codes or files from facebook server or facebook script. Please check it. Try adding server path (For e.g. /etc/passwd) instead of GIF url and it will send the file and you can download it.
5. Conclusion
I was lucky to find the LFI while the report was still in progress/ not triaged. However some programs may not accept more impacts to the report once they have been triaged which will lead to less reward and less severity rating. So I suggest you all to check the bug/exploit for some time before reporting it. Do not hurry, after you find the bug play with it(Make sure to follow rules and regulations) try to find more impacts which will help in better rewards and rating.