I decided to analyze why I always feel insecure while using the “Login with Facebook” feature, since it uses multiple redirect URLs. But finding a vulnerability in Facebook, which also has the most talented security researchers, seemed like it wouldn’t be an easy task. It was very tough and challenging to find a bug in Facebook […]

A year after my previous findings I wished to revisit Business Manager. A lot of changes had been made. This bug is quite similar to the previous “Disclose App Admins” one. The “/business/objects/fetch/permissions/users/” endpoint is used to fetch which permissions users have on asset types such as pages, apps, etc. Meanwhile, the call for the asset type “Pages” was secured but was […]

In Facebook Business Manager, there is an endpoint that fetches the admin list, particularly for pages, apps and other assets. Meanwhile, the call for Facebook Pages was secured but was vulnerable for the asset type apps. An IDOR (Insecure Direct Object Reference) vulnerability allowed fetching the admin list for any Facebook Application regardless of having […]

In the Facebook developer application dashboard there is a field “contact_email” which is meant to be secret and used for communication between the app admin/developer and Facebook. However, while accessing this field using the Graph API was secured, by changing the query field to a GraphQL call I was able to access the Email ID of any Facebook Application. Proof of concept Request: […]

Using the Graph API field “business” on node type “application” to infer the Business Account ID that was associated with the Facebook Application. However, the Business account ID is a public ID and Facebook doesn’t consider it a privacy risk or security issue. But the bug was also valid, as a malicious user can infer the asset type […]