
Leaking of page store details via downloaded location data from Business Locations


Hi,
This post is about one of my findings in Facebook which could have allowed anyone to access the details of a page's stores by exporting a CSV.

Bug: Leaking of page store details via downloaded location data from Business Locations
POC Steps

Page admins can download location data from Business Locations using the link "https://business.facebook.com/ajax/editpagesx/export_children.php?id=12345&intern_tool=false", where 12345 is the page id.
This allows them to download and view the location pages connected to the main page along with their data.
Security checks were missing at this ajax endpoint, which allowed me to download the location data for any Facebook page by replacing the value of the "id" parameter with the victim's page id.
The downloaded Excel file contained sensitive data such as Franchise, Store Number, Store Visits Measurement, Network Access Type, Location Descriptor etc. which should be accessible only to the page admins. These details were exposed to anyone who exploited this bug.
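To illustrate the missing check described above and the kind of fix that makes the endpoint refuse other users' pages, here is an added example (my own code, not Facebook's): a minimal export handler in its vulnerable form beside a hardened form that verifies the requester's admin role on the page named by the client-supplied id. The page ids, user names and store rows are constructed placeholders.

```python
import csv
import io

# Constructed sample data: one parent page with two store (location) pages and
# the admin-only columns named in the post. Ids and users are placeholders.
PAGES = {
    "12345": {
        "admins": {"alice"},
        "locations": [
            {"Store Number": "001", "Franchise": "Yes", "Location Descriptor": "Downtown",
             "Network Access Type": "Private", "Store Visits Measurement": "Enabled"},
            {"Store Number": "002", "Franchise": "No", "Location Descriptor": "Airport",
             "Network Access Type": "Public", "Store Visits Measurement": "Disabled"},
        ],
    },
}

class Forbidden(Exception):
    """Raised when the requester has no admin role on the requested page."""

def _to_csv(rows):
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(rows[0].keys()))
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()

def export_children_vulnerable(requester, page_id):
    # Only checks that the page exists; the requester is never consulted,
    # so any logged-in user can export any page's stores by changing "id".
    page = PAGES.get(page_id)
    if page is None:
        raise KeyError(page_id)
    return _to_csv(page["locations"])

def export_children_fixed(requester, page_id):
    # Object-level authorization: "id" comes from the client, so the
    # requester's role on *that* page is verified before any data is read.
    page = PAGES.get(page_id)
    if page is None or requester not in page["admins"]:
        # One generic response for "no such page" and "not an admin", so the
        # endpoint does not confirm which page ids exist (cf. the patched error).
        raise Forbidden("This content is no longer available")
    return _to_csv(page["locations"])

def can_export(requester, page_id):
    """True if the hardened handler would serve the export to this requester."""
    try:
        export_children_fixed(requester, page_id)
        return True
    except Forbidden:
        return False
```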

Mitigation and Fix

I reported the bug on 11th February and was asked about its impact a few days later.
I replied that store details were being exposed to arbitrary users.
The bug has now been completely patched and the endpoint returns the error below.

for (;;);{"__ar":1,"error":1357031,"errorSummary":"This content is no longer available","errorDescription":"The content you requested cannot be displayed at the moment. It may be temporarily unavailable, the link you clicked on may have expired or you may not have permission to view this page.","payload":null,"bootloadable":{},"ixData":{},"gkxData":{},"lid":"6528771232389026446"}

I got a nice bounty for the same!




I am thankful to the Facebook Security team for understanding the impact of the bug and for the awesome bounty :)
Report timeline

11th February, 2018 - Bug reported.
16th February, 2018 - Was asked for more details and provided the same.
21st February, 2018 - Report was in triage.
6th March, 2018 - Bug was fixed.
14th March, 2018 - Bounty awarded. 500 USD.

Comments

  1. Informative post. Thanks for sharing.
    Stocks4all

