Exposing Facebook’s Hidden Goldmine: Creators’ Private Data at Risk

2 min read4 days ago

After discovering Unauthorized access to Facebook creator’s professional dashboard bug on 30th Oct, 2022, I started digging deeper on creator’s professional dashboard further from the very next day. While exploring the payout settings of creator’s earnings, I discovered an IDOR vulnerability that leaked creators’ personal information. This bug revealed sensitive data such as email addresses, phone numbers, birthdays, associated pages and apps, banking details and many more — a true hidden goldmine.

Proof of concept

Send the GraphQL requests as an AJAX call in the console window.

new AsyncRequest('api/graphql/').setData({doc_id:REDACTED,variables:'{"id":"paymentID"}'}).send()

where, the parameter id=paymentID was vulnerable to IDOR, disclosing private information such as the creator’s email address, phone number, birthday, associated page and app, banking details and many more.

Exploiting this bug required knowledge of the specific paymentID of the creator for an attacker, which made it somewhat noisy. However, after submitting the report, I was able to identify a hidden GraphQL endpoint that directly exposed paymentID which increases the severity of the bug and hence qualified for the maximum reward.

Impact

Unauthorized access to any monetized Facebook creator’s PII

Timeline

31 Oct, 2022 — Report sent to Facebook.
31 Oct, 2022 — Triaged after 2 hours of submission.
7 Feb, 2023 — Update from Facebook as “The product team is still working on a fix for this issue as it is a bit of a complex fix.”
13 Feb, 2023 — Confirmation of patch by Facebook.
21 Feb, 2023 — Bypass sent.
21 Feb, 2023 — Triaged after 4 hours of submission.
Feb-March, 2023 —Fixed by Facebook.
25 May, 2023 — Double $$$$$ bounty awarded by Facebook for incomplete fix with hacker plus league bonus and delay payout bonus making my highest bounty reward for a single vulnerability passing the previous one from Two Factor Authentication Bypass On Facebook