Disclosing Facebook page admins by playing a game


Hello there! It’s been a long time since I wrote an article about any of my resolved reports, due to some internal problems, so today I’m going to write about a bug in Facebook (now Meta) that I found nearly 2–3 years ago. The vulnerability was resolved and fixed a few months ago, and I was looking for ways to bypass the fix, so publishing took some time.

I found a medium-impact privacy bug on Facebook that let me leak a page admin’s personal account ID by playing a game with them (Instant Games).

The Bug:
There was a feature in Facebook Messenger, associated with Facebook Instant Games, that allowed users to play games with their friends through the Messenger app. I was able to use this feature to create a game session between a page and the attacker, which is not something that should be possible, and it resulted in disclosure of the page admin.
Though it requires some user interaction from the page (clicking the game and playing it), it is nevertheless a unique approach an attacker can take to disclose the admin.

Impact:
It leads to page admin disclosure, which is a privacy issue for the page. The impact is high because the page’s admin information is meant to be kept private and not shown to the public.

Affected app: CreatorStudio app, version 25.0.0.42.106

Setup:
Users: UserA, UserB, UserC, PageX
Environment: UserA is the attacker, UserB is any friend of UserA, UserC is the admin of PageX, and UserC uses the CreatorStudio app to check the inbox of PageX.

Repro Steps:

1. UserA (attacker) sends a “Play a Game” message to UserB by going to www.messenger.com > www.messenger.com/t/{userB_id} and clicking the “Play a game” option.
2. UserA then intercepts the request and clicks on any game.
3. Now a POST request is sent with doc_id=3037811092958141; UserA replaces “contextSourceID”, “context_source_id” and “thread_id” with the page_id of PageX and forwards the edited request.
4. Now UserC (PageX admin) opens the CreatorStudio app, checks the page inbox and clicks on the game to play it.
5. A game session between the attacker and the page is now created.
6. The page plays one round. The score is then sent to the attacker (UserA) by UserC instead of by PageX. The attacker (UserA) receives a message and a notification that {page_admins_personal_id} played the game. This leads to page admin disclosure, because the game is played by the admin’s personal ID instead of the page ID.
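The repro steps above boil down to two missing server-side checks: the game invite accepted a thread_id / context_source_id that the sender was not actually a participant of, and a score submitted from a page inbox was attributed to the admin’s personal account rather than to the page. The following is an added example, not Facebook’s code or anything from the original report, that models both checks in a small hypothetical game service. All ids (userA, userB, userC, pageX), the thread and page structures, and the GameService API are constructed for the example.

```python
"""
Hypothetical model (added example, not Facebook's code) of the two
server-side checks whose absence the write-up describes:
 1. a game invite may only be created in a thread the sender actually
    participates in, so a substituted page id is rejected; and
 2. when an admin acts from a page inbox, the actor that other
    participants see is the page id, never the admin's personal id.
All ids and data structures below are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Thread:
    thread_id: str
    participants: frozenset  # user ids or page ids that belong to this thread


@dataclass(frozen=True)
class Page:
    page_id: str
    admins: frozenset  # personal ids of the page's admins


class AuthorizationError(Exception):
    pass


class GameService:
    def __init__(self, threads, pages):
        self.threads = {t.thread_id: t for t in threads}
        self.pages = {p.page_id: p for p in pages}
        self.sessions = {}       # session_id -> {"thread_id": ..., "scores": {...}}
        self.notifications = []  # (recipient_id, message) delivered to other players

    def create_invite(self, sender_id, thread_id, context_source_id):
        """Check 1: the thread must exist, the sender must be a participant,
        and the game context must be the very thread the invite is sent in.
        This is the check that the tampered POST in step 3 bypassed."""
        thread = self.threads.get(thread_id)
        if thread is None or sender_id not in thread.participants:
            raise AuthorizationError("sender is not a participant of thread")
        if context_source_id != thread_id:
            raise AuthorizationError("context_source_id does not match thread_id")
        session_id = f"session:{thread_id}"
        self.sessions[session_id] = {"thread_id": thread_id, "scores": {}}
        return session_id

    def resolve_actor(self, user_id, acting_as=None):
        """Check 2: actions taken from a page inbox are attributed to the page.
        The personal id is only used when the user plays as themself."""
        if acting_as is None:
            return user_id
        page = self.pages.get(acting_as)
        if page is None or user_id not in page.admins:
            raise AuthorizationError("user is not an admin of that page")
        return page.page_id

    def submit_score(self, session_id, user_id, score, acting_as=None):
        """Record a round and notify the other participants using the
        resolved actor id (page id when played from the page inbox)."""
        session = self.sessions[session_id]
        thread = self.threads[session["thread_id"]]
        actor = self.resolve_actor(user_id, acting_as)
        if actor not in thread.participants:
            raise AuthorizationError("actor is not part of this game thread")
        session["scores"][actor] = score
        for other in sorted(thread.participants - {actor}):
            self.notifications.append((other, f"{actor} played the game"))
        return actor


def build_service():
    """Constructed sample data mirroring the write-up's setup."""
    return GameService(
        threads=[
            Thread("thread:userA-userB", frozenset({"userA", "userB"})),
            # A legitimate page-inbox conversation between PageX and UserA.
            Thread("thread:pageX-userA", frozenset({"pageX", "userA"})),
        ],
        pages=[Page("pageX", frozenset({"userC"}))],
    )


def tampered_invite_rejected(svc):
    """Step 3 of the repro: thread_id and context_source_id replaced by the
    page id. With check 1 in place the request is refused."""
    try:
        svc.create_invite("userA", "pageX", "pageX")
    except AuthorizationError:
        return True
    return False


def admin_plays_from_page_inbox(svc):
    """Step 6 of the repro, with check 2 in place: UserC plays from the PageX
    inbox and the attacker's notification names pageX, not userC."""
    sid = svc.create_invite("userA", "thread:pageX-userA", "thread:pageX-userA")
    actor = svc.submit_score(sid, "userC", score=10, acting_as="pageX")
    return actor, list(svc.notifications)


if __name__ == "__main__":
    svc = build_service()
    print("tampered invite rejected:", tampered_invite_rejected(svc))
    print("actor seen by attacker, notifications:", admin_plays_from_page_inbox(svc))
```

Note that even if UserC tried to submit the score under the personal id (no acting_as) in the page thread, submit_score refuses it because userC is not a participant of that thread; the only way the admin can play there is as pageX, so the personal id never reaches the other player.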

[Screenshot: vulnerable parameters]

Here is the PoC: https://youtu.be/Yt6bc41dSec

Some time after the report, the Instant Games feature in Messenger was removed, as they were switching to the Facebook Gaming tab.
You can read this article by Leo to learn more about the migration: https://www.facebook.com/fbgaminghome/blog/instant-games-platform-update
Engadget and Business Standard have also covered this story.

Timeline:

Initial report sent: August 23, 2020
Fb asked for more info: August 29, 2020
Additional info sent: August 29, 2020
More info sent (I found out that it was doing something with the timestamps, which made the bug reproducible only when the request is modified within 17–20 seconds): September 11, 2020

Fb team asked for more info: September 15, 2020
Sent more info with updated poc: September 15, 2020
Pre-triaged: September 21, 2020
Triaged: September 25, 2020

Bounty rewarded (without fix): $500 on January 15, 2021

Bounty dispute: January 15, 2021
Bounty rewarded again: $1500 on March 5, 2021

I was amazed by this message xD

Fixed: March 6, 2021
Asked for public disclosure: May 10, 2021
Facebook working on a more holistic fix: September 2, 2021

Fixed finally: November 29, 2022

Resolved: December 7, 2022

So in total, I received a bounty of $500 + $1500 + $75 = $2075. I was thrilled to receive the bounty notification at the time, as it allowed me to buy a phone of my own choice, which helped me with further testing.

See ya hehe xD