Disclosing the email address and phone number of Chinese business resellers

Gtm Mänôz
Jul 11, 2024

There is an XController that exposes the resellerInfoSpecMap of Chinese business resellers. The resellerInfoSpecMap contains the email address and phone number of a few Chinese business resellers.

Proof of concept

Send the HTTP POST request below as an AJAX call from the browser console:

new AsyncRequest('https://www.facebook.com/china_businesses/onboarding/pre_flow_fetch').send()

The response to this request discloses the email address and phone number of a few Chinese business resellers.

The endpoint above was found in one of the site's JavaScript files, in the XChinaBusinessGraphOnboardingPreFlowFetchController XController definition:

__d("XChinaBusinessGraphOnboardingPreFlowFetchController", ["XController"], (function(a, b, c, d, e, f) {
    // The module exports an XController bound to the pre_flow_fetch route.
    // The only declared parameter, reseller_name, is a string; the PoC above
    // sends the request without it and still receives reseller records.
    e.exports = b("XController").create("/china_businesses/onboarding/pre_flow_fetch/", {
        reseller_name: {
            type: "String"
        }
    });
}));

Impact

Personal information disclosure
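The defect class behind this report is a handler that serialises whole reseller records, contact fields included, to any caller. The example below is added here and is not code from the original post or from Facebook: it places that vulnerable pattern beside a hardened handler that authenticates the caller and projects each record onto an allowlist of fields, and adds a response-side check that flags contact keys in a response body so a regression test can catch a reintroduced leak. The map, the records, the caller object and the canViewResellerContacts entitlement are all constructed for the example.

```javascript
// Constructed stand-in for the resellerInfoSpecMap described in the report.
// The contact fields are the data that must not leave the server unless the
// caller is entitled to them.
const resellerInfoSpecMap = {
  "reseller-a": { name: "Reseller A", region: "CN", email: "a@example.invalid", phone: "+86 000 0000" },
  "reseller-b": { name: "Reseller B", region: "CN", email: "b@example.invalid", phone: "+86 111 1111" },
};

const PUBLIC_FIELDS = ["name", "region"];
const CONTACT_FIELDS = ["email", "phone"];

// Select the records for an optional reseller name (all records when absent).
function selectResellers(resellerName) {
  if (resellerName === undefined || resellerName === null) {
    return Object.values(resellerInfoSpecMap);
  }
  const rec = resellerInfoSpecMap[resellerName];
  return rec ? [rec] : [];
}

// Vulnerable pattern: no caller check, records returned exactly as stored.
function preFlowFetchVulnerable(resellerName) {
  return { resellers: selectResellers(resellerName) };
}

// Copy only the allowed keys out of a record.
function project(record, fields) {
  const out = {};
  for (const f of fields) {
    if (f in record) out[f] = record[f];
  }
  return out;
}

// Hardened pattern: require an authenticated caller, and release the contact
// fields only when the caller holds a specific entitlement. The caller object
// and its canViewResellerContacts flag are hypothetical.
function preFlowFetchHardened(resellerName, caller) {
  if (!caller || !caller.authenticated) {
    return { status: 401, body: null };
  }
  const fields = caller.canViewResellerContacts
    ? [...PUBLIC_FIELDS, ...CONTACT_FIELDS]
    : PUBLIC_FIELDS;
  const resellers = selectResellers(resellerName).map((r) => project(r, fields));
  return { status: 200, body: { resellers } };
}

// Response-side check: walk a JSON-serialisable body and return the paths of
// every key that belongs to the contact allowlist. An empty result means the
// response carries no contact field at any depth.
function findContactKeys(value, path = "", found = []) {
  if (Array.isArray(value)) {
    value.forEach((v, i) => findContactKeys(v, `${path}[${i}]`, found));
  } else if (value && typeof value === "object") {
    for (const [k, v] of Object.entries(value)) {
      const p = path ? `${path}.${k}` : k;
      if (CONTACT_FIELDS.includes(k)) found.push(p);
      findContactKeys(v, p, found);
    }
  }
  return found;
}

// Stand-alone demonstration.
console.log("vulnerable handler leaks:", findContactKeys(preFlowFetchVulnerable()));
console.log("hardened, anonymous caller:", JSON.stringify(preFlowFetchHardened(undefined, null)));
console.log("hardened, plain user:", JSON.stringify(preFlowFetchHardened(undefined, { authenticated: true })));
console.log("hardened, entitled user:",
  JSON.stringify(preFlowFetchHardened("reseller-a", { authenticated: true, canViewResellerContacts: true })));
```

The allowlist projection is the important half: denying anonymous callers alone would still hand every authenticated user the contact fields, and filtering by a denylist tends to break the next time a new sensitive field is added to the record. Running findContactKeys over handler output in a test suite turns the original finding into a check that fails before a similar response reaches production.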

  • 24 Nov, 2023 — Report sent to Facebook.
  • 28 Nov, 2023 — Triaged.
  • 21 Dec, 2023 — Bounty awarded by Facebook.
  • 19 Mar, 2024 — Requested Facebook to update about the fix.
  • 11 Apr, 2024 — Informative by Facebook.
