Category: Security

Facebook OAuth Framework Vulnerability

I decided to analyze why I always feel insecure while using the “Login with Facebook” feature, since they used multiple redirect URLs. But finding a vulnerability in Facebook, which also has the most talented security researchers, did not seem an easy task. It was very tough and challenging to find a bug in Facebook […]


Determine users with detailed role model on behalf of any Facebook Application

A year after my previous findings, I wished to revisit Business Manager. A lot of changes have been made. This bug is quite similar to the previous Disclose App Admins bug. The “/business/objects/fetch/permissions/users/” endpoint is used to fetch which permissions users have on asset types such as pages, apps, etc. Meanwhile, the call for asset type “Pages” was secured but was […]


Disclose Full Admin List of any Facebook Applications

In Facebook Business Manager, there is an endpoint that fetches the admin list for pages, apps and other assets. Meanwhile, the call for Facebook Pages was secured, but it was vulnerable for the asset type apps. An IDOR (Insecure Direct Object Reference) vulnerability allowed fetching the admin list for any Facebook Application regardless of having […]


Disclose contact_email of any Facebook application

In the Facebook developer application dashboard there is a field “contact_email”, which is meant to be secret and is used for communication between the app admin/developer and Facebook. Accessing this field using the Graph API was secured, but by changing the query field to a GraphQL call, I was able to access the email ID of any Facebook Application. Proof of concept request: […]


Disclose Facebook Business Account ID

The Graph API field “business” on node type “application” could be used to infer the Business Account ID that was associated with the Facebook Application. However, the Business account is a public ID, and Facebook doesn’t consider it a privacy risk or security issue. But the bug was also valid, as a malicious user can infer asset type […]
