Hi, This post is regarding one of my findings in Facebook which could have allowed anyone to access details of a page's stores by exporting a CSV. Bug: Leaking of page store details via downloaded location data from Business Locations POC Steps Page Admins can download locations data from Business Locations using the link "https://business.facebook.com/ajax/editpagesx/export_children.php?id=12345&intern_tool=false" where 12345 is the page id. This will allow them to download and view the location pages and their data connected to the main page. Security checks were missing at this ajax endpoint which allowed me to download the locations data for any Facebook page by replacing the value of "id" parameter with victim's page id. There were some sensitive data like Franchise, Store Number, Store Visits Measurement,Network Access Type, Location Descriptor etc in the downloaded excel file which should be accessible only to the page admins. These de...
I am Neeraj Gopal. I'm a Security Analyst at Facebook. I'm interested in web application security. I like finding loopholes in Web applications and participating in various bug bounty programs. My posts are my own and do not necessarily reflect the views and opinions of my employer.