Expose Facebook object type (including private objects)

Posted on

Description

This bug could allow an attacker to disclose the object type of a Facebook object ID supplied. This works for all objects supported by the Facebook API ( depending on the application which generated the access token too). This would also bypass any permission policies to view this object which means private objects like photos/videos … will work.

Impact

Due to the ability to brute-force the ids fast, this could allow an attacker to generate a dataset which contains a pair of Facebook object id and object type. Having that, he can label these objects for future attacks. ( eg: the attacker finds a bug that can get private photos, he can directly exploit this with the ids he has that match the object Photo and which are private or public)

Reproduction Steps

Setup
===
1) For this bug, it’s preferred to use a test account because the test account doesn’t have viewing capabilities for objects like pages/photos/users in the main Facebook. However, using this bug this could be bypassed which means that the bug works.

2) It’s preferred to use a first-party access_token in the bruteforcing below since it doesn’t have number of requests limitations.

Steps
==
1) Visit https://graph.facebook.com/v7.0/schema/*XXXX/.. ( dots are included)

where XXXX is the Facebook object id.

You should get “message”: “No such class: OBJECT_TYPE” where OBJECT_TYPE is the type of the object we supplied its id before

(PS : The dots can be any string. )

Please note that these ids will return null if we query them using graph.facebook.com/graphql?q=node(ID){__typename}

Some of the objects types i got:

AdAccountActivity, AdCampaignActivity, AdgroupActivity, AdReportRunV2, Album, AppLinkHost, AudioPublishingRightsData, BusinessPersona, CatalogItemOverride, CommerceMerchantSettings, ContactField, ContextualProfileBase, CrisisUserInfo, CTCert, CustomDataProperty, DeviceNotification, DynamicPriceConfigByDate, FileDescriptor

Timeline

May 22, 2020— Report Sent 
May 28, 2020—  Acknowledged by Facebook
Jun 10 , 2020— Fixed by Facebook
Jun 11, 2020 — $500 bounty awarded by Facebook.