Workplace Logo ID to workplace owner name Disclosure Facebook Bug Bounty

Hi It’s me Ajay Gautam, Security Researcher at Saycure and currently studying BIT (Hons) Computing. Today, I am going to share one of mine Facebook valid issue that I discovered in 2018.

I was able to see the workplace owner name via their logo ID, if the ID of the workplace logo was identified.

While we replace the event’s cover picture id to workplace logo id of other’s then, guess what happened? I was surprised seeing owner’s name in the response.

Workplace owner can only upload the logo of its workplace and the ID disclosed in workplace is the ID of admin itself.

So, during the journey of the vulnerability, Firstly, i created an event on my own workplace…

Then after, I uploaded a cover picture in the event and opened it in new tab.

After the cover picture was uploaded successfully, I replaced the fbid with the workplace logo id of another workplace
 and the url link displayed as mentioned below:
 https://workplace.facebook.com/photo.php?fbid=111128102791845&set=gm.1078085585673352&type=3&theater

And finally owner name was disclosed.


Timeline

  • Reported — May 31, 2018
  • Triaged — Jun 16, 2018
  • Bounty Awarded — Oct 9, 2018

Please see the POC video for the detail clarification of the vulnerability.