In this blog post I'll explain a vulnerability of the Insecure Direct Object Reference (IDOR) class that I found recently in Facebook, which allowed me to disclose the pending roles of any Facebook Page.
Facebook Page's Pending Roles: a user has received an invitation for a role on a Page but has not yet accepted it, so the invitation is still in pending status.
Description: Recently Facebook launched a platform named Creator Studio, in which you can find a lot of tools that empower you to post, monetise, manage and measure your Page's content effectively.
So I started capturing every HTTP request and response inside this new platform. After some time a GET request caught my attention:
You can reproduce the above request by clicking the Manage Page Roles button inside the Preferences tab. Anyone can clearly observe the presence of a parameter that we control, i.e. page_id. With the help of Burp Suite's Repeater, changing the value of the page_id parameter to the victim's page_id and then inspecting the HTTP response, you will be able to see the name and user id of every user invited to a role on the victim's Page (even though you have no role on that Page). The server looked up the object by the client-supplied identifier without checking that the requester was authorised to view that Page's roles.
Impact: Any attacker can identify the people invited to have a role on a particular Facebook Page (including celebrities' Pages).
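The two handlers below, added here as an illustration and not taken from the post or from Facebook's code, model the missing check behind this IDOR: the first returns pending invitations for whatever page_id the client supplies, while the second first verifies against server-side records that the requester holds a role on that Page before returning anything. All page ids, user ids, role names and invitation data are constructed for the example and correspond to nothing real.

```python
"""
Added example (not Facebook's code): a minimal model of the IDOR described
in the post, beside an authorisation check that closes it.

Everything here is hypothetical: the page ids, user ids, the role tables and
the function names are constructed for illustration only.
"""

# Constructed sample data: who currently holds a role on each Page, and
# which invitations are still pending (invited user id, invited role).
PAGE_ROLES = {
    "page_1001": {"user_alice": "admin"},
    "page_2002": {"user_bob": "admin", "user_carol": "editor"},
}
PENDING_ROLES = {
    "page_1001": [{"user_id": "user_dave", "role": "editor"}],
    "page_2002": [{"user_id": "user_erin", "role": "analyst"}],
}


class NotAuthorized(Exception):
    """Raised when the requester may not view the requested Page's data."""


def pending_roles_vulnerable(requester_id: str, page_id: str) -> list:
    """Vulnerable handler: trusts the client-supplied page_id.

    The requester's identity only establishes a session; nothing ties it to
    the Page being queried, so any logged-in user can read the pending
    invitations of any Page. This is the shape of the bug in the post.
    """
    return list(PENDING_ROLES.get(page_id, []))


def pending_roles_fixed(requester_id: str, page_id: str) -> list:
    """Hardened handler: resolves authorisation server-side.

    page_id is still taken from the request, but data is returned only if
    the requester holds a role on that Page according to the server's own
    records, never according to anything the client sent.
    """
    roles_on_page = PAGE_ROLES.get(page_id, {})
    if requester_id not in roles_on_page:
        # Deny before touching the object, and use the same error for
        # "no such Page" and "not your Page" so ids cannot be enumerated
        # through differing responses.
        raise NotAuthorized(f"{requester_id} has no role on {page_id}")
    return list(PENDING_ROLES.get(page_id, []))


def audit_access(requester_id: str, page_id: str) -> dict:
    """Run both handlers for one request and report whether the fix blocks it.

    Useful as a regression check: every (requester, page) pair where the
    vulnerable handler returns data but the requester has no role on the
    Page should come back with blocked=True.
    """
    leaked = pending_roles_vulnerable(requester_id, page_id)
    try:
        allowed = pending_roles_fixed(requester_id, page_id)
        blocked = False
    except NotAuthorized:
        allowed = []
        blocked = True
    return {"vulnerable_returns": leaked, "fixed_returns": allowed, "blocked": blocked}


if __name__ == "__main__":
    # alice querying a Page she does not manage: leaked by the old handler,
    # refused by the fixed one
    print(audit_access("user_alice", "page_2002"))
    # bob querying his own Page: both handlers return the pending invitation
    print(audit_access("user_bob", "page_2002"))
```

The design point is that the object identifier in the request is fine to accept; what must never be skipped is the server-side lookup that binds the authenticated requester to that object before any of its data is read.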
Proof of Concept:
Responsible Disclosure Timeline:
3 Jan 2019: Report Sent
7 Jan 2019: Facebook Security Team asked for clearer steps; steps sent.
10 Jan 2019: Report Triaged
14 Jan 2019: Bug Fixed
6 Feb 2019: $4000 bounty awarded