View Other User Private Livestream Data

Facebook has a query to fetch the Livestream data.Surprisingly, it’s vulnerable to IDOR.Then I was able to view private data from other user’s Livestream.

There’s a query named “LiveProducerProviderRefetchQuery”, the query provide a lot of private data such as:

Blocked user listBroadcast configCharity data

and many more.

This query should only be used for the Livestream owner.

As far as I can remember, I just messing around Live Streaming feature that is located at https://www.facebook.com/live/producer/, what I do is intercepting requests when I access the page, and hope I’ll found a vulnerable query.

Then, I found a query named “LiveProducerProviderRefetchQuery” and noticed there’s a “videoID” parameter:

“LiveProducerProviderRefetchQuery”

Immediately I messing with it by changing the “videoID” parameter to another user Livestream ID, and boom it’s shows some private data that I mentioned above. Alhamdulillah

I strongly recommend y’all to take your time for:

Crawl a page and check your Burp “Site Map” (especially, graphql folder) or proxy history, because it may contain vulnerable query that leads to IDOR or any weird bugs.Turn on “Live passive crawl”SUSpicious queryIntercepting request when you click a button (like add friend button, delete button, etc), because the button may contain vulnerable query.SUSpicious button

July 7, 2020 — Report sent

July 16, 2020 — Triaged by Facebook team

November 12, 2020 — Bounty rewarded

April 24, 2020 — Vulnerability patched