Haider Qureshi, a Pakistani former black hat, has received a $500 reward from Facebook under its Bug Bounty Program for reporting an HTML injection on Facebook.
Below are the details of the bug as provided by the researcher to The Hackers Post.
[#] -Vulnerability Title:
HTML Injection
[#] -Vendor homepage:
http://m.facebook.com
[#] -Remote/Local:
Remote
[#] -Tested on:
Windows 7 64-bit, Firefox (probably also works on other operating systems and browsers; not sure about IE)
[#] -Vulnerability Submitted:
12/1/2013
[#] -Vulnerability Status:
FIXED
[#] -Vulnerable Parameter:
https://m.facebook.com/survey.php?incorrect_brand&params=
Facebook Mobile provides a survey to assess the mobile user experience while browsing the Facebook mobile site. Here is the survey link: https://m.facebook.com/survey.php .
When entering the mobile phone brand, it provides a list of brands in case you did not type the correct brand.
The list that was returned was carried as HTML code inside the parameter:
https://m.facebook.com/survey.php?incorrect_brand&params=[HTML code of brands and radio buttons]
A remote user can add any brand name and radio buttons, thus allowing remote HTML injection. It was as simple as it sounds. This could also result in junk entries being added to the database and so cause spam, because a remote user can add entries and submit them.
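The mechanism described above, as an added illustration that is not code from the original report or from Facebook: a minimal Python model of a survey handler that writes the params query value into the form unescaped (the reported behaviour), beside a hardened handler that accepts only brand names, checks them against a server-side allowlist, builds the radio buttons itself and HTML-escapes everything it emits. The brand allowlist, the attacker payload and the URLs below are constructed for the example and are not taken from the real site.

```python
from html import escape
from urllib.parse import parse_qs, quote, urlsplit

# Constructed allowlist of phone brands the server knows about (hypothetical).
KNOWN_BRANDS = ("Nokia", "Samsung", "HTC", "BlackBerry")

# Constructed attacker payload: a fake "brand" label carrying a link plus an
# extra radio button, so that a submitted form contains a junk brand value.
INJECTED_FRAGMENT = (
    '<b>Free phone! Click <a href="http://attacker.example/">here</a></b>'
    '<input type="radio" name="brand" value="spam">'
)
INJECTED_URL = (
    "https://m.facebook.com/survey.php?incorrect_brand&params="
    + quote(INJECTED_FRAGMENT, safe="")
)
# Constructed benign request in the hardened scheme: only brand names travel
# in the URL, never markup.
BENIGN_URL = "https://m.facebook.com/survey.php?incorrect_brand&params=Nokia,Samsung"


def _params_value(url: str) -> str:
    """Return the (percent-decoded) 'params' query value, or '' if absent."""
    query = parse_qs(urlsplit(url).query, keep_blank_values=True)
    return query.get("params", [""])[0]


def render_vulnerable(url: str) -> str:
    """Model of the reported behaviour: the 'params' value is a ready-made HTML
    fragment of brand labels and radio buttons and is written into the form
    as-is. Whatever the remote user puts in the URL becomes part of the page."""
    fragment = _params_value(url)
    return (
        '<form method="post" action="/survey.php">\n'
        "<p>Did you mean one of these brands?</p>\n"
        f"{fragment}\n"
        '<input type="submit" value="Submit">\n'
        "</form>"
    )


def render_hardened(url: str) -> str:
    """Hardened model. The client may only send a comma-separated list of
    brand names; each name must match the server-side allowlist, the radio
    buttons are generated here, and every value written to the page is
    HTML-escaped. Injected markup is not a known brand and is simply dropped,
    so neither the page nor the database ever sees it."""
    wanted = [name.strip() for name in _params_value(url).split(",")]
    accepted = [name for name in wanted if name in KNOWN_BRANDS]
    rows = "\n".join(
        f'<label><input type="radio" name="brand" value="{escape(name, quote=True)}"> '
        f"{escape(name)}</label>"
        for name in accepted
    )
    return (
        '<form method="post" action="/survey.php">\n'
        "<p>Did you mean one of these brands?</p>\n"
        f"{rows}\n"
        '<input type="submit" value="Submit">\n'
        "</form>"
    )


if __name__ == "__main__":
    print("--- vulnerable ---")
    print(render_vulnerable(INJECTED_URL))
    print("--- hardened, same attacker URL ---")
    print(render_hardened(INJECTED_URL))
    print("--- hardened, benign URL ---")
    print(render_hardened(BENIGN_URL))
```

The fix worth taking from this is the second function's shape rather than the escaping alone: the list of options is server-owned data, so the request should only ever name entries from that data, and the server should rebuild the markup itself. Escaping the reflected value is still applied as a second layer, so a brand name that one day contains a quote or angle bracket cannot break out of the attribute.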
Below is a screenshot of part of the detailed PoC the researcher submitted to Facebook:
The first reply he received from Facebook:
The second reply he received from the Facebook security team is below; it confirmed that he was eligible for the Facebook bug bounty program. So a former hacker receives a $500 reward from the Facebook security team.
There is a growing trend of black hats turning their skills toward bug reporting instead of exploitation.
About Security Researcher Haider:
Haider Mehmood Qureshi is a BS Computer Science student at COMSATS Institute, Islamabad. He works as a freelance penetration tester and started studying pentesting/hacking in 2009. At first he was into hacking websites just for fun; later he decided to make pentesting/security auditing his profession. You can contact the security researcher here.