Hi, this post is regarding one of my findings in Facebook that could have allowed anyone to view the Facebook Analytics of any Facebook page without having any role on the page.

Bug: A bug in Facebook Analytics that allows an attacker to view the analytics of any Facebook page without having any role on the page.

POC Steps

The API call to create an event source group looks like this:

"GET /v2.10/1234/event_source_groups?"

where "1234" is the business account id. The call accepts the parameters name and event_sources. The event_sources parameter can contain the id of a page, app, pixel or offline event set.

After some testing, I found that while adding a page object as an event source, this endpoint performs no security check on whether the requesting user actually has a role on the page being added. In addition, I found two other endpoints that are vulnerable in the same way:

1) While making a POST request to an existing event source group.
2) A...
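The flaw described above is a missing per-object authorization check: the endpoint verifies that the caller has a role on the business account in the URL, but not on each object listed in event_sources. The following is an added example, not Facebook's code and not the author's proof of concept; it is a toy model with made-up ids (business 1234, page 5678, pixel 4321, app 8765) and a hypothetical role table, showing the flawed create endpoint next to a hardened one, plus the same rule applied to appending sources to an existing group as the second vulnerable endpoint describes.

```python
# Added example, not Facebook's code. A toy model of an "event source group"
# endpoint that authorizes only the business account (the flaw described in
# the post) next to one that also authorizes every object in event_sources.
# All ids, user names and the role table are constructed for illustration.
from dataclasses import dataclass, field


class Forbidden(Exception):
    """Raised when the calling user lacks a role on an object they reference."""


@dataclass
class World:
    # object id -> user ids holding a role on it; one table covers business
    # accounts, pages, apps, pixels and offline event sets alike (constructed)
    roles: dict[str, set[str]]
    # group name -> {"business": owning business id, "sources": [object ids]}
    groups: dict[str, dict] = field(default_factory=dict)

    def has_role(self, user: str, obj_id: str) -> bool:
        return user in self.roles.get(obj_id, set())


def create_group_vulnerable(world, user, business_id, name, event_sources):
    """Models the flawed endpoint: only the business account is checked."""
    if not world.has_role(user, business_id):
        raise Forbidden(f"{user} has no role on business {business_id}")
    # event_sources is trusted as-is, so a page the caller cannot access is
    # attached and its analytics become visible through the group
    world.groups[name] = {"business": business_id, "sources": list(event_sources)}
    return name


def _require_roles(world, user, event_sources):
    """Collect every referenced object the user has no role on, before any write."""
    unauthorized = [s for s in event_sources if not world.has_role(user, s)]
    if unauthorized:
        raise Forbidden(f"{user} has no role on event sources {unauthorized}")


def create_group_fixed(world, user, business_id, name, event_sources):
    """Hardened form: the business and every listed object are authorized."""
    if not world.has_role(user, business_id):
        raise Forbidden(f"{user} has no role on business {business_id}")
    _require_roles(world, user, event_sources)   # all-or-nothing, no partial write
    world.groups[name] = {"business": business_id, "sources": list(event_sources)}
    return name


def add_sources_fixed(world, user, name, event_sources):
    """Same rule for the POST that appends sources to an existing group."""
    group = world.groups[name]
    if not world.has_role(user, group["business"]):
        raise Forbidden(f"{user} has no role on business {group['business']}")
    _require_roles(world, user, event_sources)
    group["sources"].extend(event_sources)
    return list(group["sources"])


def run_demo():
    """Constructed scenario: 'attacker' administers business 1234 but holds no
    role on the victim's page 5678. Returns what each endpoint allowed."""
    world = World(roles={
        "1234": {"attacker"},   # business account run by the attacker
        "5678": {"victim"},     # the victim's page
        "4321": {"attacker"},   # a pixel the attacker legitimately owns
        "8765": {"attacker"},   # an app the attacker legitimately owns
    })
    out = {}
    # flawed endpoint: the victim's page is attached without complaint
    out["vulnerable"] = create_group_vulnerable(world, "attacker", "1234", "g1", ["5678"])
    # hardened endpoint: rejected as a whole, nothing is written
    try:
        create_group_fixed(world, "attacker", "1234", "g2", ["5678", "4321"])
        out["fixed_mixed"] = "allowed"
    except Forbidden:
        out["fixed_mixed"] = "denied"
    # hardened endpoint still serves the legitimate case
    out["fixed_own"] = create_group_fixed(world, "attacker", "1234", "g3", ["4321"])
    try:
        add_sources_fixed(world, "attacker", "g3", ["5678"])
        out["append_victim"] = "allowed"
    except Forbidden:
        out["append_victim"] = "denied"
    out["append_own"] = add_sources_fixed(world, "attacker", "g3", ["8765"])
    out["groups"] = {k: v["sources"] for k, v in world.groups.items()}
    return out


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The design point is that the container (the business account) and the objects placed in it are separate authorization decisions; checking only the former is what lets an id from someone else's page slip through. The hardened version evaluates every source before writing, so a request mixing one authorized and one unauthorized id is rejected outright rather than partially applied.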
I am Neeraj Gopal. I'm a Security Analyst at Facebook. I'm interested in web application security. I like finding loopholes in Web applications and participating in various bug bounty programs. My posts are my own and do not necessarily reflect the views and opinions of my employer.