Confirming any new Email/Mobile Number bug in Facebook (Part-1)

This post is about a bug that I found in Facebook which could have been used to confirm any new email address or mobile number. The source idea for this bug came from josipfranjkovic's race condition blog post.
When I was testing the account registration and confirmation flow, I tried to brute-force the 5-digit OTP code, but after several attempts the server blocked me. So I tried a different scenario, like the one in the blog post above.
I started randomly changing my email and the testing email address, and also tried with a different browser. When I checked my email I noticed that I was getting the "Getting back to Facebook" mail, but the 5-digit code in it was the same as the one sent to my testing email address. I didn't know how that had happened.
So once again I went through all the steps I had done and finally found the reproduction method. I then tested the bug with both an email address and a mobile number, and it worked perfectly.
Steps:
1. Create a new account with an "attacker email" that you can access (ex: alpha@gmail.com).
2. Go to Settings and change the email to a "victim email" that you cannot access (ex: beta@gmail.com).
3. Open another browser and try to log in as the "attacker email" with an incorrect password.
4. Now check the attacker email: a "Getting back to Facebook" email will be received.
5. The 5-digit code in the link was the "victim email" confirmation code.
6. Just enter the code and the "victim's email" is confirmed.
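The root cause behind these steps is that one confirmation code was shared between two different mails: the confirmation mail sent to the pending address and the login-recovery mail sent to the current address. The toy model below is an added illustration and is not Facebook's code or the author's; the `Account` class, the `vuln_*`/`safe_*` functions, the outbox stand-in for email delivery and the example.com addresses are all invented here. It replays steps 1-6 against a vulnerable variant (one per-account code reused by every mailer) and a hardened variant (each code bound to a purpose and a recipient, single use), and reports whether the code from the recovery mail confirms the unowned pending address.

```python
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Toy model of the flaw described in the post. Names, addresses and the
# outbox stand-in are constructed for this illustration only.


@dataclass
class Account:
    login_email: str                          # address currently on the account
    pending_email: Optional[str] = None       # address awaiting confirmation
    codes: Dict[object, str] = field(default_factory=dict)  # live codes, keyed by what they were issued for
    outbox: List[Tuple[str, str, str]] = field(default_factory=list)  # (recipient, subject, code)


RECOVERY_SUBJECT = "Getting back to Facebook"


def new_code(acct: Account) -> str:
    """5-digit code as in the post; never equal to another live code on the account."""
    while True:
        code = f"{secrets.randbelow(100_000):05d}"
        if code not in acct.codes.values():
            return code


# --- Vulnerable variant: one code per account, reused by every mailer ---------
def vuln_request_email_change(acct: Account, new_email: str) -> None:
    acct.pending_email = new_email
    acct.codes["account"] = new_code(acct)
    acct.outbox.append((new_email, "Confirm your email", acct.codes["account"]))


def vuln_failed_login_notice(acct: Account) -> None:
    # The recovery mail goes to the *current* address but embeds the same
    # per-account code, so whoever reads it can confirm the pending address.
    acct.outbox.append((acct.login_email, RECOVERY_SUBJECT, acct.codes["account"]))


def vuln_confirm(acct: Account, code: str) -> bool:
    if hmac.compare_digest(code, acct.codes.get("account", "")):
        acct.login_email, acct.pending_email = acct.pending_email, None
        return True
    return False


# --- Hardened variant: every code is bound to (purpose, recipient) ------------
def safe_request_email_change(acct: Account, new_email: str) -> None:
    acct.pending_email = new_email
    code = new_code(acct)
    acct.codes[("confirm_email", new_email)] = code
    acct.outbox.append((new_email, "Confirm your email", code))


def safe_failed_login_notice(acct: Account) -> None:
    # A separate code, issued for login recovery and only valid for that purpose.
    code = new_code(acct)
    acct.codes[("login_recovery", acct.login_email)] = code
    acct.outbox.append((acct.login_email, RECOVERY_SUBJECT, code))


def safe_confirm(acct: Account, code: str) -> bool:
    # Only the code issued for confirming *this* pending address is accepted.
    confirmed = acct.pending_email
    expected = acct.codes.get(("confirm_email", confirmed), "")
    if expected and hmac.compare_digest(code, expected):
        acct.codes.pop(("confirm_email", confirmed), None)  # single use
        acct.login_email, acct.pending_email = confirmed, None
        return True
    return False


def code_from_recovery_mail(acct: Account) -> str:
    """Code a reader of the *current* address sees, i.e. what step 4 delivers."""
    for recipient, subject, code in acct.outbox:
        if recipient == acct.login_email and subject == RECOVERY_SUBJECT:
            return code
    return ""


def recovery_code_confirms_pending_email(hardened: bool) -> bool:
    """Replay steps 1-6 against one variant; True means the pending address got confirmed."""
    acct = Account(login_email="alpha@example.com")          # constructed
    if hardened:
        safe_request_email_change(acct, "beta@example.com")  # constructed
        safe_failed_login_notice(acct)
        return safe_confirm(acct, code_from_recovery_mail(acct))
    vuln_request_email_change(acct, "beta@example.com")
    vuln_failed_login_notice(acct)
    return vuln_confirm(acct, code_from_recovery_mail(acct))


if __name__ == "__main__":
    print("vulnerable model confirms via recovery code:", recovery_code_confirms_pending_email(hardened=False))
    print("hardened model confirms via recovery code:  ", recovery_code_confirms_pending_email(hardened=True))
```

The fix is not a longer code or a stricter rate limit (the post notes the brute-force attempt was already blocked); it is keying every code on what it was issued for, so a code delivered to one recipient for one purpose can never satisfy a check for a different recipient or purpose.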
