Disclose assigned apps of any facebook user

2 months ago 24
BOOK THIS SPACE FOR AD
ARTICLE AD

Gtm Mänôz

There is a GraphQL query named AccountQualityDataSourceCardWrapperRootQuery that fetches the data sources of any facebook business account by taking the value of “assetOwnerId” as business account id. At the time of reporting, call for business account id was secured but was vulnerable for the user id.

Based on the given input for the targeted facebook user, it was possible to disclose all the assigned data sources of that user.

Send the GraphQL requests as an AJAX call in the console window.

AccountQualityDataSourceCardWrapperRootQuery:

new AsyncRequest('api/graphql/').setData({doc_id:8009820932425164,variables:'{"assetOwnerId":"FBID"}'}).send()

Response:

{"data":{"dataSources":[{"data_source_id":"AppID","data_source_name":"App_Name","asset_type":"APP","is_unavailable":false,"violations":[]}]},"extensions":{"is_final":true}}

This could have let a malicious user to disclose all the assigned apps of any facebook user.

18 Jan, 20123 — Report Sent to Facebook.19 Jan, 2023 — Triaged.3 Feb 2023 — Duplicate.

Thanks for reading my write-up 🤗 Happy Hacking 🎭️

Thanks & best regards,
Gtm Mänôz

Read Entire Article