Disclosure of Pending Roles for any Facebook Page

In this blog post I'll explain an Insecure Direct Object Reference (IDOR) vulnerability I recently found in Facebook, which allowed me to disclose the pending roles of any Facebook Page.

Facebook Page's Pending Roles: a user has received an invitation to a role on a Page but has not accepted it yet, so the invitation is still in pending status.

Description: Facebook recently launched a platform named Creator Studio, which offers a lot of tools that empower you to post, monetise, manage and measure your Page's content effectively.

So I started capturing every HTTP request and response inside this new platform. After some time, one GET request caught my attention:

https://business.facebook.com/media/manager/page_admin_roles/?page_id=123450000&page_name=Your_page_name&fb_dtsg_ag=token&__user=100001234567&__a=1&__dyn=abcd1234xyz&__req=z&__be=1&__pc=PHASED%3ADEFAULT&dpr=1&__rev=4662096&jazoest=28106&__spin_r=4662096&__spin_b=trunk&__spin_t=1546532826 HTTP/1.1

You can reproduce the above request by clicking the Manage Page Roles button inside the Preferences tab. Anyone can clearly see that the request carries a parameter under our control, page_id. Changing the value of page_id to the victim's page_id (for example in Burp Suite's Repeater) and inspecting the HTTP response reveals the name and user ID of every user invited to a role on the victim's Page, even though you hold no role on that Page.

Impact: any attacker can identify the people invited to hold a role on a particular Facebook Page (including celebrities' Pages).
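The root cause is the missing ownership check behind page_id. As an added illustration (not Facebook's code), here is a minimal server-side handler in the vulnerable shape next to the hardened one; the role model, function names and the sample data (which reuse the IDs from the request above as constructed values) are assumptions.

```python
# Added example, not Facebook's code. Sample data is constructed: the user
# and page IDs are taken from the request shown above purely as placeholders.

# Who holds a role on which Page.
PAGE_ROLES = {
    123450000: {100001234567: "admin"},   # the requester's own Page
    987650000: {100009999999: "admin"},   # another user's (victim's) Page
}
# Invitations that have been sent but not yet accepted.
PENDING_INVITES = {
    123450000: [{"user_id": 100002222222, "name": "Invitee A", "role": "editor"}],
    987650000: [{"user_id": 100003333333, "name": "Invitee B", "role": "moderator"}],
}


class Forbidden(Exception):
    """Raised when the requester holds no role on the requested Page."""


def pending_roles_vulnerable(requester_id, page_id):
    """IDOR: the client-supplied page_id is trusted as-is and the requester's
    relationship to that Page is never checked, so any page_id leaks data."""
    return PENDING_INVITES.get(page_id, [])


def pending_roles_fixed(requester_id, page_id):
    """Hardened: the object is still looked up by page_id, but the lookup is
    gated on the requester actually holding a role on that Page."""
    if requester_id not in PAGE_ROLES.get(page_id, {}):
        raise Forbidden(f"user {requester_id} has no role on page {page_id}")
    return PENDING_INVITES.get(page_id, [])


def demo():
    """Replays the report: a user with no role on the victim's Page requests
    its pending roles. Returns (records leaked by the vulnerable handler,
    whether the fixed handler refused the request)."""
    requester, victim_page = 100001234567, 987650000
    leaked = pending_roles_vulnerable(requester, victim_page)
    try:
        pending_roles_fixed(requester, victim_page)
        blocked = False
    except Forbidden:
        blocked = True
    return len(leaked), blocked


if __name__ == "__main__":
    print(demo())
```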

Proof of Concept:

Responsible Disclosure Timeline:
3 Jan 2019: Report Sent 
7 Jan 2019: Facebook Security Team asked for clearer steps; steps sent.
10 Jan 2019: Report Triaged 
14 Jan 2019: Bug Fixed 
6 Feb 2019: $4000 Bounty Rewarded