Facebook BugBounty — Disclosing page members

For privacy reasons, the identity of page members (admins/mods/analysts) is kept secret by Facebook, and normal page visitors cannot find details about these members. But back in July 2018, when I was hunting for bugs in Facebook, I found multiple ways to disclose the members of a Facebook page.

Disclosing post creators with 'Get messages' feature

This feature, named “Get Messages”, is available on Facebook pages when uploading posts and such.

Get Messages feature

Mainly e-commerce and online shopping websites use this feature with one of their products, so whenever a visitor wants to know more about that particular product, they can simply click on the “Send message” button. A post with this feature enabled looks something like the screenshot below.

A post with “Get messages” feature enabled

The bug here is that if we click on this “Send message” button, the profile ID of the creator is leaked in one of the responses coming from the host https://x-edge-chat.facebook.com, which is not normally visible..

Inbox demo

.. but if we check the Burp Suite logs, we can see that the ID of the creator is leaked.

Creator’s profile leaked

In the above screenshot, 100027117349417 is the ID of my test account.

Impact?

This particular bug is really easy to exploit: if an attacker needs to find the creator of a Facebook page, s/he can just go to the page, find posts with this feature enabled, click on the send message button, check the logs and BOOM, the profile ID of the creator is disclosed.

Timeline

6th July 2018: Issue found and reported.

10th July 2018: First Reply by Facebook Security

11th July 2018: Issue triaged

27th July 2018: Issue fixed

4th Sep 2018: Bounty awarded *Nice bounty :P*


Disclosing the identity of people sending messages on behalf of a page

When I was going through Burp Suite logs to report the above issue, I noticed this weird response too.

Unknown_response.png

I was pretty sure this was something else and could lead to another leak so I just saved this screenshot and decided to look into this issue later.

*Fast forward to 1 week later*

I tried to reproduce this issue by simply sending a message to the page as a normal visitor..

Sending message to a page as normal visitor

.. and replied from the page

Replying to the above visitor from page

As soon as I received this “Hello visitor” message, I checked the Burp Suite logs and saw the exact same response as before.

Message senders’ profile leaked

Here, 100027405052940 is the profile ID of the page member who replied “Hello visitor”. This means that you send a message to a Facebook page, someone who has the ability to read/reply to messages replies to you, and immediately his profile ID is leaked.


Impact?

Very very very easy to exploit. Anyone can just randomly send a message to a Facebook page, someone replies to that message and BOOM, their profile ID is leaked. ;)

Timeline

6th Jul 2018: Initial Discovery of bug

14th Jul 2018: Mystery behind the ‘leak’ found and reported

18th Jul 2018 3:37 AM: Issue triaged

18th Jul 2018 10:53 PM: Issue fixed

1st Aug 2018: Bounty awarded
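
Both leaks above are the same class of bug: a response delivered to a visitor carries a member's profile ID that the UI never renders. The following regression check is an added example (not part of the original post, and not Facebook's code) that walks a visitor-facing response and reports where a protected ID appears; the field names, IDs and frames are constructed for illustration.

```python
import json
import re

def find_id_leaks(payload, protected_ids, path="$"):
    """Return the JSON paths in `payload` where a protected profile ID appears."""
    # Digit boundaries stop an ID from matching inside a longer number.
    patterns = [re.compile(rf"(?<!\d){int(i)}(?!\d)") for i in protected_ids]
    hits = []
    if isinstance(payload, dict):
        for key, value in payload.items():
            child = f"{path}.{key}"
            if any(p.search(str(key)) for p in patterns):
                hits.append(child + " (key)")
            hits.extend(find_id_leaks(value, protected_ids, child))
    elif isinstance(payload, list):
        for index, value in enumerate(payload):
            hits.extend(find_id_leaks(value, protected_ids, f"{path}[{index}]"))
    elif isinstance(payload, (str, int)) and not isinstance(payload, bool):
        # Covers numeric IDs and IDs embedded in strings such as "actor:<id>".
        if any(p.search(str(payload)) for p in patterns):
            hits.append(path)
    return hits

# Constructed sample data: IDs and field names are made up for this example.
MEMBER_IDS = {100000000000001, 100000000000002}  # page admins/moderators

# What a visitor's client receives when a member replies as the page (leaky).
VISITOR_FRAME = json.loads("""
{"deltas": [{
   "sender_id": "200000000000009",
   "body": "Hello visitor",
   "context": {"replied_by": 100000000000002, "ts": 1531500000},
   "tags": ["source:page", "actor:100000000000002"]
}]}
""")

# The same frame after the member's identity is stripped server-side.
FIXED_FRAME = json.loads("""
{"deltas": [{"sender_id": "200000000000009", "body": "Hello visitor",
             "context": {"ts": 1531500000}, "tags": ["source:page"]}]}
""")

if __name__ == "__main__":
    for leak in find_id_leaks(VISITOR_FRAME, MEMBER_IDS):
        print("member ID exposed at", leak)
```

Run against every response a non-member session receives, not only the ones the UI renders, since both bugs lived in fields the client silently ignored.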


That’s all for 2018. I hope to dive more into Facebook BugBounty program in 2019 ❤

Thank you for reading this post. If you have any queries/suggestions, I’m available on Twitter :)

Happy Hacking!! .. until next time.