Facebook - Unrestricted File Upload

I found a vulnerability by which I could upload any kind of file and send it to another user, script files included. With the same method I could also share pornographic, violent or otherwise illegal graphics, video and images without them being filtered or removed.

Posted · 3,079 views · updated 3 years ago

1. Summary

I found a bug in Facebook that allowed me to send any kind of file. A picture or link sent through this method was not filtered or scanned for malware or pornographic content. Later I also discovered that the same flaw allowed me to download files from a Facebook server.

2. Report Submitted

Title

Bypass Pornographic/illegal image share filter on message

Vuln Type

Other

Product Area

Facebook - Web

Description/Impact

Complete Details
===
Hi.
Facebook blocks people from sharing child pornography and other illegal graphics via messages or posts. I guess it uses some AI to filter images and block/delete/disable them. But I found a way by which anyone can share illegal images on Facebook. Not only that, it also displays a big 'GIPHY' banner on the image, which damages the reputation of the product.

Impact
===
Sharing of illegal content; attaching a false source banner (GIPHY) to resources that did not come from GIPHY.
 

Repro Steps

Setup
===
Users: Sender, Victim

Environment: Sending normal message to user via browser messenger

Browser: Chrome v79.0.3945.117

OS: Win 10 x64

Description: I sent a normal message and intercepted the request with Burp Suite.

Steps
Step 1. Open and configure Burp Suite (set the browser to proxy through it).

Step 2. Go to facebook.com/messages/t in the browser.

Step 3. Open the GIF picker but do not send a GIF yet.

Step 4. Turn on Intercept in Burp Suite.

Step 5. Send a GIF, change the GIF source URL in the intercepted request to the URL of the disallowed image, and forward the request.

This way I can send any disallowed image to any user without it being blocked. The image is also labelled as a GIPHY image, which may put Facebook in violation of GIPHY's terms.

I have also attached a video demonstration.

3. Video Demonstration

4. More about report

About a day after I submitted the report, while I was still playing with the bug, I discovered that I could include a file from the server and download any file from the Facebook server. However, they told me the file included was from a CDN server (where user-uploaded photos/videos are stored) and not Facebook's main server, so it was not as much of a risk, and they rated my report as High severity. If it had been the actual server it would have been rated Critical. Anyway, here is what I wrote in reply to my report:

Reply

Hello,

I found that I can include any file from the server with this method and download it. I can just change the GIF file URL to any file path on the Facebook server and it will send a copy of the file from the server, which I can download. This way I can download code or files from the Facebook server or Facebook scripts. Please check it. Try adding a server path (e.g. /etc/passwd) instead of the GIF URL and it will send the file and you can download it.

 
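Both outcomes above come from the same root cause: the server acts on a client-supplied GIF URL without validating it. A foreign URL gets fetched and relayed under a GIPHY banner (the filter bypass in the repro steps), and a bare path is read from the server itself (the file download in the reply). The following is an added example, not Facebook's code and not code from the original post. It models that flawed resolver in Python and puts a hardened check beside it. The page does not say how the real backend resolved the parameter, so the vulnerable resolver is an assumed model of the described behaviour, and the allowlisted host name and the sample URLs are assumptions constructed for the demonstration.

```python
"""Added example (not Facebook's code): the unvalidated GIF-URL pattern the
writeup describes, modelled in Python, next to a hardened validator.

Assumptions: the backend used the client string as-is (bare path -> local
file, anything else -> remote fetch), and the only legitimate GIF source
is the host in ALLOWED_GIF_HOSTS. Neither is confirmed by the page.
"""
from __future__ import annotations

from urllib.parse import urlparse

# Assumption: the only host the GIF picker should ever fetch from.
ALLOWED_GIF_HOSTS = {"media.giphy.com"}
GIF_MAGIC = (b"GIF87a", b"GIF89a")


def vulnerable_resolve(gif_url: str) -> tuple[str, str]:
    """Assumed model of the flawed logic: '/etc/passwd' becomes a local file
    read and any other string becomes a remote fetch relayed to the
    recipient as a 'GIPHY' image, filters never seeing the content."""
    if gif_url.startswith("/"):
        return ("local_file", gif_url)
    return ("remote", gif_url)


def classify_gif_url(gif_url: str) -> str:
    """Hardened check. Returns 'ok' for an acceptable GIF URL, otherwise a
    short reason string explaining why the request must be rejected."""
    if len(gif_url) > 2048:
        return "url too long"
    parts = urlparse(gif_url)
    if parts.scheme != "https":
        # Catches bare paths (no scheme), file://, http://, gopher:// etc.
        return "scheme must be https"
    if parts.username is not None or parts.password is not None:
        # https://media.giphy.com@evil.example/ parses to host evil.example;
        # reject userinfo outright rather than relying on that.
        return "userinfo not allowed"
    if parts.hostname is None or parts.hostname not in ALLOWED_GIF_HOSTS:
        return "host not on allowlist"
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return "invalid port"
    if port not in (None, 443):
        return "non-standard port"
    if not parts.path.startswith("/") or ".." in parts.path.split("/"):
        return "invalid path"
    if not parts.path.lower().endswith(".gif"):
        return "not a gif path"
    return "ok"


def safe_resolve(gif_url: str) -> tuple[str, str]:
    """Only a vetted URL reaches the fetcher; a bare path is never a file."""
    verdict = classify_gif_url(gif_url)
    if verdict != "ok":
        return ("rejected", verdict)
    return ("remote", gif_url)


def looks_like_gif(data: bytes) -> bool:
    """Second line of defence on the fetched bytes: even an allowlisted host
    must not become a relay for non-GIF content."""
    return data[:6] in GIF_MAGIC


# Constructed sample inputs modelled on the two requests in the writeup.
SAMPLE_URLS = [
    "https://media.giphy.com/media/abc123/giphy.gif",       # legitimate picker URL
    "https://attacker.example/not-filtered.gif",             # repro step 5
    "/etc/passwd",                                           # the later reply
    "file:///etc/passwd",
    "https://media.giphy.com@attacker.example/x.gif",
    "https://media.giphy.com:8443/media/abc123/giphy.gif",
    "https://media.giphy.com/../../etc/passwd.gif",
]

if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(f"{url!r:56} vulnerable={vulnerable_resolve(url)} "
              f"hardened={safe_resolve(url)}")
```

The validator only vets the string the client sent; a real fetcher also has to disable redirects (or re-validate every hop), resolve the host itself and refuse private address ranges, and check the response with `looks_like_gif` before relaying it. The page calls the second finding an LFI; whatever the label, the fix is the same allowlist-before-fetch discipline.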

5. Conclusion

I was lucky to find the LFI while the report was still in progress and not yet triaged. Some programs may not accept additional impact added to a report once it has been triaged, which leads to a lower reward and a lower severity rating. So I suggest you test the bug/exploit for some time before reporting it. Do not hurry: after you find the bug, play with it (making sure to follow the program's rules and regulations) and try to find further impact, which will help with better rewards and ratings.

