In April of 2022, Meta announced payout guidelines for Contact Point Deanonymization. These guidelines cover bugs that enable matching Uniquely Identifiable Information (UII) to User IDs. This ranges from finding an email address and linking it to a profile to many other things.
Naturally, emails and other contact points are important for the login/signup process. So, with this new program, the author decided to take a look there.
When an email is passed to the password reset functionality, the page shows a masked email address. While playing around with the older domain of the enterprise version of Facebook (Workplace), the author noticed slightly different functionality on it. In particular, ONLY the email address and username were supported (not the phone number).
On the old Workplace domain, they tried passing valid Meta accounts, but nothing worked. However, it was still using some of Facebook's account cookies, indicating that the two domains were somewhat linked. They started the flow on Facebook, then used the cookies on the Workplace domain.
When they visited the page for entering the OTP, the email was shown in an unmasked state. This is a perfect example of an information disclosure bug that this new program is trying to fix! The actual fix was to mask the email address on the reset page and only allow OTP validation to happen on the respective domain.
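A sketch of the two parts of that fix, as an added example that is not Meta's code: the reset flow is bound to the host that started it, and the address is rendered masked everywhere. The host names, function names, and key are constructed for illustration, and an HMAC-signed token stands in for whatever server-side session state a real service would use.

```python
import base64
import hashlib
import hmac
import json

SECRET = b"constructed-demo-key"  # placeholder; a real service uses a managed secret


def mask_email(email):
    """Keep only the first character of the local part and of the domain name."""
    local, _, domain = email.partition("@")
    name, dot, rest = domain.partition(".")
    return (local[:1] + "*" * (len(local) - 1) + "@"
            + name[:1] + "*" * (len(name) - 1) + dot + rest)


def start_reset(email, host):
    """Issue a signed reset-flow token bound to the host that started the flow."""
    payload = json.dumps({"email": email, "host": host}, sort_keys=True).encode()
    sig = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return (base64.urlsafe_b64encode(payload).decode() + "."
            + base64.urlsafe_b64encode(sig).decode())


def render_otp_page(token, request_host):
    """Return the OTP page text, or None when the flow must be rejected."""
    try:
        p64, s64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        sig = base64.urlsafe_b64decode(s64)
    except ValueError:
        return None
    expected = hmac.new(SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None  # state was modified after it was issued
    state = json.loads(payload)
    if state["host"] != request_host:
        return None  # flow started on another domain: do not continue it here
    # Even on the correct host the address is only ever rendered masked.
    return "Enter the code sent to " + mask_email(state["email"])
```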
Overall, it's a pretty neat bug! With these extremely large systems, the intermingling of services can cause problems. This is where recon is incredibly important.