Just Another Security/Programming Blog: May 2014

Monday, 26 May 2014

Facebook "Skype-to-Email" leak [$3,000 Bounty]

Facebook Bug Bounty

In the middle of January 2014, I submitted a bug to Facebook through its bug bounty program.

The bug was effectively a Skype account email disclosure. You would find somebody's Skype name, add them on Skype (they didn't have to accept you), and then log in to Facebook with your Skype account.



Here's a look at how it worked exactly:



In Facebook's "Find Friends" feature, you can log in to your Yahoo, Outlook, Skype, and other accounts to add people into your contacts list on Facebook (and then, in turn, add them as friends, I guess).

The feature in question

By logging into your Skype account in the feature and pressing "Find Friends", you were taken to the next page.

Sunday, 25 May 2014

SQL Injection on eBay.com.au subdomain / eBay.de, eBay.fr subdomains

eBay



Whilst looking for some bugs in ebay.com and ebay.com.au, I came across the domain http://3.ebay.com.au/. It appears to be a domain for phone users on the old "Three" phone carrier/network, but I'm unsure. Three was bought out by Vodafone a while ago.

The website is exactly the same as http://imode.ebay.de/, http://imode.ebay.fr/, etc.
The database itself was most likely shared with http://ebay.com/, too.


On the third tab of the page, there's a link to the 'Categories' section. Anybody who has used eBay before will know what this is: a list of categories in which you can view items to buy (or, in this case, go into a sub-category).

Instinctively, I saw that there were a few $_GET parameters being used, so I just put a simple apostrophe at the end of the first parameter, "emv_CatParent".
To my amazement, it came back with a half-completed page, pretty much the poster child of a blind SQL injection.
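To show why a single apostrophe in a category parameter produces a half-rendered page, here is an added example (not code from this post or from eBay) that contrasts a query built by string concatenation with the same lookup done with a bound parameter. The schema, table name `categories`, the sample rows and the `render` handler are all constructed for the demonstration; the real site's query is not shown on the page, so the concatenation pattern is an assumption about how such an error arises.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed in-memory table standing in for a site's category list."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE categories (id INTEGER PRIMARY KEY, parent INTEGER, name TEXT)"
    )
    conn.executemany(
        "INSERT INTO categories (id, parent, name) VALUES (?, ?, ?)",
        [(1, 0, "Electronics"), (2, 1, "Phones"), (3, 1, "Laptops"), (4, 0, "Home")],
    )
    return conn


def subcategories_vulnerable(conn: sqlite3.Connection, cat_parent: str) -> list:
    """Builds the SQL text by concatenation (assumed weak pattern).

    A stray apostrophe in cat_parent becomes part of the SQL statement and
    leaves the string literal unterminated, so the database rejects the query.
    """
    sql = (
        "SELECT name FROM categories WHERE parent = '" + cat_parent + "' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def subcategories_safe(conn: sqlite3.Connection, cat_parent: str) -> list:
    """Same lookup with a bound parameter.

    The value is passed to the driver separately from the SQL text, so an
    apostrophe is just data: it never changes the statement's structure.
    """
    rows = conn.execute(
        "SELECT name FROM categories WHERE parent = ? ORDER BY id", (cat_parent,)
    )
    return [row[0] for row in rows]


def render(conn: sqlite3.Connection, lookup, cat_parent: str) -> str:
    """Mimics a page handler that writes HTML while iterating the result.

    When the query raises, output stops where the error happened, which is
    the 'half-completed page' symptom the post describes.
    """
    html = "<html><body><h1>Categories</h1>"
    try:
        names = lookup(conn, cat_parent)
    except sqlite3.OperationalError:
        return html  # truncated page: the error aborted rendering
    html += "<ul>" + "".join(f"<li>{n}</li>" for n in names) + "</ul>"
    return html + "</body></html>"


if __name__ == "__main__":
    db = build_db()
    for value in ("1", "1'"):
        print("vulnerable:", render(db, subcategories_vulnerable, value))
        print("safe:      ", render(db, subcategories_safe, value))
```

Running it shows the concatenated version returning the listing for `1` but only the page header for `1'`, while the parameterized version returns a full page in both cases (an empty list for the second, since no row has that parent). The practical takeaway for anyone maintaining such an endpoint is that the truncated page is a server-side error leaking through the template, and the fix is binding the parameter rather than filtering apostrophes.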