
Hijacking Friend Requests Facebook: White Hat ./FamilyGuy

Facebook Bug Bounty: Intercept a victim's incoming friend requests and add/accept them in your own Facebook account:

Product/URL: Facebook Android app

Description and Impact
The issue:
Because of a missing authorisation check on the friend request API in the Android app, an attacker can pull friend requests addressed to any Facebook user into his own account.
In simple words, Peter says:

Wait, what, no, no, Peter is a nice fellow.
Peter: OK, but still
It's like I can intercept and accept friend requests that were sent to some other user via Facebook's "send friend request to contacts" option.

Let's report!!
X sends a friend request to Y via the contacts option.
And I can get the request that was sent to Y and become friends with X.

Reproduction Instructions/Proof of Concept:
1. Install the latest Android app.
2. Create a new account.
3. Enter a random mobile number (the victim's).
4. Enter a good name.
5. Enter gender.
6. You can skip uploading a photo as well as uploading contacts.
7. As soon as you land on the FB home page, you can go to the Friends tab and see the friend requests that were sent to X from Y.
8. You can accept Y's friend request, and Y is your friend.

This bypasses Facebook's authentication for adding friends from contacts: the check that confirms the contact number should come before landing on the home page. Otherwise one can easily accept friend requests and so get personal details that are meant to be shared only with friends.

Reported to Facebook: 25th August 2016

First reply:
Second reply:
Fix Confirmed:
Mitigation: the user was asked to confirm the mobile number before access to the friend requests was allowed.
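
A minimal model of that gate, as an added example that is not from the original report and is not Facebook's code. The class names, method names and phone number are hypothetical; X is the number's owner and Y the sender, as in the reproduction steps.

```python
from dataclasses import dataclass, field

@dataclass
class Account:
    account_id: str
    phone: str
    phone_verified: bool = False  # set only after an out-of-band code is confirmed

@dataclass
class FriendGraph:
    # Contact-based requests are addressed to a phone number, not to an account.
    pending_by_phone: dict = field(default_factory=dict)  # phone -> [sender ids]
    friends: set = field(default_factory=set)             # frozenset({a, b}) pairs

    def send_to_contact(self, sender_id, phone):
        self.pending_by_phone.setdefault(phone, []).append(sender_id)

    def list_requests_unchecked(self, acct):
        """Behaviour described in the report: claiming the number is enough."""
        return list(self.pending_by_phone.get(acct.phone, []))

    def list_requests(self, acct):
        """Mitigated: nothing is returned until the number is confirmed."""
        if not acct.phone_verified:
            raise PermissionError("phone number not confirmed")
        return list(self.pending_by_phone.get(acct.phone, []))

    def accept(self, acct, sender_id):
        # The same check guards the state-changing call, not only the listing.
        if sender_id not in self.list_requests(acct):
            raise PermissionError("no such request for this account")
        self.pending_by_phone[acct.phone].remove(sender_id)
        self.friends.add(frozenset((acct.account_id, sender_id)))

def demo():
    g = FriendGraph()
    g.send_to_contact("Y", "+10000000001")            # constructed sample data
    impostor = Account("new-signup", "+10000000001")  # number never confirmed
    owner = Account("X", "+10000000001", phone_verified=True)
    leaked = g.list_requests_unchecked(impostor)      # what the missing check exposed
    try:
        g.accept(impostor, "Y")
        blocked = False
    except PermissionError:
        blocked = True
    g.accept(owner, "Y")                              # the real owner still succeeds
    return leaked, blocked, g.friends
```
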

Bounty Awarded:
Meanwhile Lois:
 and Stewie :D
and me :

Thanks Facebook Security for the quick resolution and an awesome program:
./Family Guy


  1. Well, this was scary. You would have known easily who all were stalking girls :D
    and also having access to the friends-only content, am still interested how much Facebook paid for!

    Nice one, Family Guy :)

