Description
This bug could allow an attacker to disclose the object type of a Facebook object ID supplied. This works for all objects supported by the Facebook API ( depending on the application which generated the access token too). This would also bypass any permission policies to view this object which means private objects like photos/videos … will work.
Impact
Due to the ability to brute-force the ids fast, this could allow an attacker to generate a dataset which contains a pair of Facebook object id and object type. Having that, he can label these objects for future attacks. ( eg: the attacker finds a bug that can get private photos, he can directly exploit this with the ids he has that match the object Photo and which are private or public)
Reproduction Steps
Setup
===
1) For this bug, it’s preferred to use a test account because the test account doesn’t have viewing capabilities for objects like pages/photos/users in the main Facebook. However, using this bug this could be bypassed which means that the bug works.
2) It’s preferred to use a first-party access_token in the bruteforcing below since it doesn’t have number of requests limitations.
Steps
==
1) Visit https://graph.facebook.com/v7.0/schema/*XXXX/.. ( dots are included)
where XXXX is the Facebook object id.
You should get “message”: “No such class: OBJECT_TYPE” where OBJECT_TYPE is the type of the object we supplied its id before
(PS : The dots can be any string. )
Please note that these ids will return null if we query them using graph.facebook.com/graphql?q=node(ID){__typename}
Some of the objects types i got:
AdAccountActivity, AdCampaignActivity, AdgroupActivity, AdReportRunV2, Album, AppLinkHost, AudioPublishingRightsData, BusinessPersona, CatalogItemOverride, CommerceMerchantSettings, ContactField, ContextualProfileBase, CrisisUserInfo, CTCert, CustomDataProperty, DeviceNotification, DynamicPriceConfigByDate, FileDescriptor
Timeline
May 22, 2020— Report Sent
May 28, 2020— Acknowledged by Facebook
Jun 10 , 2020— Fixed by Facebook
Jun 11, 2020 — $500 bounty awarded by Facebook.