User’s location disclosure in the “Nearby Friends” feature. $15,500 Bounty
Hello guys, my name is Yavor Rusev and I am doing this writeup as a newbie in the Bug Bounty programs.
As a 3D Artist and Digital Marketing expert I have moderate skills in web security etc., but these vulnerabilities are not associated with deep code inspection. They are just functional bugs that revealed the location of users in the Nearby Friends feature in Facebook.
How it all started: at the end of February I noticed that I could see the location updates of friends with Nearby Friends turned off by going to the search feature in the Nearby Friends product. I knew it was a serious bug, but at the time I thought it was just my phone or some “one day” glitch.
But I kept seeing the location updates of friends that never turned on Nearby Friends in their life just by going to the search feature, so I installed a fresh copy of Facebook on another phone and voilà, I could still see my friend’s location… I felt sorry for my close friends and told them about the issue and advised them to turn off their LOCATION straight from their phone, because they could have problems with girlfriends etc. Literally 30% of the Facebook users worldwide were walking GPS systems: as soon as they opened their Facebook app, their location was updated in the search feature in Nearby Friends.
So I decided to move on. My first report was on the 8th of March. At first it was pretty hard to explain this to the Facebook team, as they said they couldn’t reproduce it and that this location was just the last one recorded before the Nearby Friends feature was turned off. But after I made them a video with White Hat users of the actual problem, the issue was reproduced and sent to the product team for further investigation.
This is the actual private video I sent to the Facebook team :
After the issue was fixed, everything looked normal…
I was waiting two weeks for a bounty decision and never received it, so I was bored and kept investigating the Nearby Friends product, because actually that product was a complete mess… almost every setting had a location leak. I noticed that even after the initial fix, the two settings “Specific Friends” and “Friends Except” were also affected by that “Search” feature problem. So a new report was made.
— — — — — — — — — — — — — — — — -
This is the actual report :
While I was waiting for my bounty decision for the initial problem, I found more vulnerabilities in the “Nearby Friends” product.
There are still more issues to fix:
1. Now there is a problem with the option share location with “Specific Friends”
Try to reproduce it the following way:
User A and B are a couple. “User A” decides to share his nearby friends location only with “User B” via the option Share location with specific friends. Everything is good in the main window: “User A” can see only “User B”, and by the privacy rules only “User B” should see the location of “User A”. But if you activate Nearby Friends on “User C” (the stalker), you go to the main menu of NBF and can’t see “User A”, but again, like before, when you search for “User A” in the search tab you can see his “private” location updates in the search list (2km 2min ago). And again the same issue has similar symptoms: when “User C” clicks on “User A” it doesn’t show him the map, only redirects him to the main window, but “User C” can clearly see “User A” location updates in the search list.
2. Another similar problem with the option “Friends Except”
Try to reproduce it the following way:
“User A” wants to hide his location from his boss “User B” and adds him to the “Friends Except” list.
The situation is the same: “User B” can’t see “User A”’s location in the main “Nearby Friends” window, but when he goes to the Search tab he can clearly see “User A” location updates in the search list, despite “User A”’s decision to hide his Nearby Friends location from “User B”.
I am sure you guys can fix this quickly, because all those privacy issues are pretty serious, and they violate the user’s privacy decision for such important info as their location.
I hope I was helpful with this one.
— — — — — — — — — — — — — — — — — — —
*The second report was quickly reproduced and fixed and received a 5000$ bounty. ( at this time I was still waiting for my first report bounty decision )
So I was quite happy that two of the reports were fixed and I was sure there were more pending problems, so I kept inspecting the Nearby Friends feature and I noticed that when a user is on PAUSE, an unintended friend can see his location updates again via the “Search” list feature in the Nearby Friends product.
— — — — — — — — — — — — — — — — — -
This is the actual report for the third vulnerability :
“Nearby Friends” PAUSE feature not working properly, User’s location disclosed while on pause.
Privacy / Authorization
Facebook — Android
Hello Facebook Team, I already reported two vulnerabilities in the Nearby Friends product; both of them got fixed, one bounty decision still pending, one bounty issued.
While I was waiting for my bounty decision on my first reported issue I kept investigating the NEARBY FRIENDS feature.
In a few words, if a user decides to PAUSE his location for 1h, 8h or 24h or whatever, Facebook shows a message that “You are currently not sharing your location”, but this is not quite right: while on PAUSE, an unintended friend can see “USER A” location updates in the “Search” feature despite USER A’s decision to pause his “nearby friends”!
Try to reproduce it the following way :
1. Turn ON “Nearby Friends” on USER A
2. Pause “Nearby Friends” on USER A
3. Turn ON “Nearby Friends” on USER B
4. In the main window of “NEARBY FRIENDS” USER B can’t see USER A’s location, but when USER B goes to the search feature he can clearly see USER A updates, despite USER A being on PAUSE.
A malicious friend can see location updates of friends that have the NEARBY FRIENDS feature on PAUSE and don’t want their location to be exposed during the specific time range. This could lead to a serious info leak like the victim’s location.
— — — — — — — — — — — — — — — — — — — — — — — — — — — —
This third report was quickly triaged by the FB team and fixed in a few days.
*Meanwhile I received 5250$ bounty ( including the bonus ) for the first vulnerability
*Soon after I received 5250$ bounty ( including the bonus ) for the third bonus
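All three reports share one pattern: the main Nearby Friends window respected the sharing setting, while the search list showed the same data without it. The sketch below is an added example, not Facebook's code and not part of the original reports; the data model, names and sample values are assumptions made up to show the same policy check applied on every surface that returns a location.

```python
from dataclasses import dataclass, field

@dataclass
class Sharing:                      # one user's Nearby Friends state (modelled)
    enabled: bool = False           # feature turned on at all
    paused: bool = False            # PAUSE for 1h / 8h / 24h
    audience: str = "friends"       # "friends" | "specific" | "except"
    listed: set = field(default_factory=set)  # Specific Friends / Friends Except list
    last_update: str = ""           # what a result row would show

def may_see_location(viewer, owner, settings, friends):
    """Single policy decision shared by every surface that shows a location."""
    s = settings.get(owner)
    if s is None or not s.enabled or s.paused:
        return False
    if viewer not in friends.get(owner, set()):
        return False
    if s.audience == "specific":
        return viewer in s.listed
    if s.audience == "except":
        return viewer not in s.listed
    return True

def search_unchecked(viewer, query, settings, friends):
    """Models the reported behaviour: search matches friends, skips the policy."""
    return {o: s.last_update for o, s in settings.items()
            if query in o and viewer in friends.get(o, set()) and s.last_update}

def search_checked(viewer, query, settings, friends):
    """Same search, but every row must pass may_see_location()."""
    return {o: s.last_update for o, s in settings.items()
            if query in o and may_see_location(viewer, o, settings, friends)}

# Constructed sample data: one owner per scenario from the three reports.
SETTINGS = {
    "user_off":      Sharing(enabled=False, last_update="1km 5min ago"),
    "user_specific": Sharing(True, False, "specific", {"partner_b"}, "2km 2min ago"),
    "user_except":   Sharing(True, False, "except", {"viewer_c"}, "3km 1min ago"),
    "user_paused":   Sharing(True, True, "friends", set(), "4km 9min ago"),
}
FRIENDS = {owner: {"viewer_c", "partner_b"} for owner in SETTINGS}

if __name__ == "__main__":
    print("unchecked:", search_unchecked("viewer_c", "user", SETTINGS, FRIENDS))
    print("checked:  ", search_checked("viewer_c", "user", SETTINGS, FRIENDS))
    print("partner:  ", search_checked("partner_b", "user_specific", SETTINGS, FRIENDS))
```

A regression test that runs each privacy setting against every surface that returns location data (main list, search, profile tap) catches the case where a setting is enforced in one view and forgotten in another.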
REPORTS TIMELINE :
FIRST REPORT -
8 March — Reported location disclosure in almost every user with turned off Nearby Friends
23 March — Bug reproduced
24 March — Sent to the product team
7 April — Bug Fixed
3 June — Bounty 5000$ awarded
SECOND REPORT -
23 April — Report sent for Friends Except and Specific Friends settings
1 May — New Bug Triaged by Fizz
5 May — Bug Fixed
12 May — Bounty 5250$ awarded ( including bonus )
THIRD REPORT -
20 May — Report sent for location disclosure in PAUSE feature
20 May — Reproduced by FB team
22 May — Sent to the product team
1 June — Fixed
11 June — Bounty 5250$ awarded ( including bonus )