Commerce Manager is Facebook's platform for setting up a shop and managing sales. You create products there and sell them through the Shop section of your Page, which is managed by a Business account: the Page is linked to the Business account, and from Commerce Manager you add the products you want to sell.
In the Shop section of Commerce Manager you can customize how your shop appears to your customers. Each time you save a customized view, a copy of it is added under the "Version History" option of your shop so that you can restore it later instead of recreating it from scratch. Each version has an ID and can be restored. Because the GraphQL request that restores a version does not verify that the supplied revision ID belongs to the requesting page, we can submit another page's revision ID and disclose that page's product images.
A malicious attacker is able to disclose the image of a hidden product belonging to another page.
Page A - Victim - Linked to a business account and shop tab enabled on the page
Page B - Attacker - Linked to a business account and shop tab enabled on the page
Page A's shop must be live
From Page B, navigate to the Shop section in Commerce Manager and edit your page's shop.
Create any new customized view
Now click on "Version history", where you will see two versions: the current one (the view you just customized) and the default revision.
Now click on "Default Revision"; a message will appear asking whether you want to restore this version.
Click "Restore Version" and intercept the resulting GraphQL POST request with Burp. It will look like:
doc_id: 2803246716442201 with variables that include your own (Page B) revision ID:
"revision_id":"REVISION_ID_OF_PAGE_B", <------- The vulnerable parameter
Change the revision ID to the revision ID of Page A and forward the request. The response contains the customized view of Page A, including the image of its product, even if that product is hidden.
This happens because, when you create a collection, the collection image is optional and by default is taken from the first product added to the collection. If the victim page later changes that product's image, the restored view returns the new image as well, so the leak is not limited to the image that existed when the revision was created.
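To make the two halves of the bug concrete (the missing ownership check on the restore request, and the collection image defaulting to a hidden product's image), here is an added example that is not Facebook's code. It models the data flow in memory with assumed names (`ShopRevision`, `Collection`, `restore_revision_vulnerable`, `restore_revision_fixed`, the `rev_A_1`/`page_A` identifiers and the image URLs are all constructed for illustration) and shows the vulnerable lookup beside a hardened one, plus the Burp-style substitution of `revision_id` inside the `variables` form field, which this page describes as a JSON string.

```python
"""Model of the revision-restore IDOR described above.

Added example, not Facebook's code: every class, function and identifier
here is an assumption made for illustration.
"""
import json
from dataclasses import dataclass
from typing import Optional


@dataclass
class Product:
    product_id: str
    image_url: str
    hidden: bool = False  # a hidden product must not be exposed to other pages


@dataclass
class Collection:
    name: str
    products: list
    image_url: Optional[str] = None  # optional; defaults to the first product's image

    def display_image(self) -> str:
        # The default collection image is the first product's image, and nothing
        # consults the product's hidden flag: this is why a hidden image leaks.
        if self.image_url:
            return self.image_url
        return self.products[0].image_url


@dataclass
class ShopRevision:
    revision_id: str
    page_id: str  # the page that owns this Version History entry
    collections: list


class PermissionDenied(Exception):
    pass


REVISIONS = {}  # constructed in-memory store: revision_id -> ShopRevision


def render_view(revision: ShopRevision) -> dict:
    """The part of a 'Restore Version' response that matters: names and images."""
    return {
        "revision_id": revision.revision_id,
        "collections": [
            {"name": c.name, "image": c.display_image()} for c in revision.collections
        ],
    }


def restore_revision_vulnerable(requesting_page_id: str, revision_id: str) -> dict:
    """Looks the revision up by ID alone and never checks who owns it (IDOR)."""
    return render_view(REVISIONS[revision_id])


def restore_revision_fixed(requesting_page_id: str, revision_id: str) -> dict:
    """Same lookup, but the revision must belong to the page making the request."""
    revision = REVISIONS.get(revision_id)
    # Treat 'not yours' exactly like 'does not exist' so IDs cannot be enumerated.
    if revision is None or revision.page_id != requesting_page_id:
        raise PermissionDenied("revision not found")
    return render_view(revision)


def seed_store() -> None:
    """Constructed sample data: victim Page A with a hidden product, attacker Page B."""
    REVISIONS.clear()
    secret = Product("p_secret", "https://cdn.example/secret-launch.jpg", hidden=True)
    public = Product("p_public", "https://cdn.example/public.jpg")
    REVISIONS["rev_A_1"] = ShopRevision(
        "rev_A_1", "page_A", [Collection("New arrivals", [secret, public])]
    )
    REVISIONS["rev_B_1"] = ShopRevision(
        "rev_B_1", "page_B",
        [Collection("Default", [Product("p_b", "https://cdn.example/b.jpg")])],
    )


def substitute_revision(form: dict, new_revision_id: str) -> dict:
    """Rewrite the intercepted form body: 'variables' is a JSON string (assumed shape)."""
    variables = json.loads(form["variables"])
    variables["revision_id"] = new_revision_id
    return {**form, "variables": json.dumps(variables)}


def revision_id_of(form: dict) -> str:
    return json.loads(form["variables"])["revision_id"]


def attacker_replay(restore_fn, revision_id: str = "rev_A_1"):
    """Page B replays its own restore request with Page A's revision ID substituted."""
    seed_store()
    intercepted = {"doc_id": "2803246716442201", "variables": '{"revision_id":"rev_B_1"}'}
    forwarded = substitute_revision(intercepted, revision_id)
    try:
        return restore_fn("page_B", revision_id_of(forwarded))
    except PermissionDenied:
        return None


if __name__ == "__main__":
    print("vulnerable:", attacker_replay(restore_revision_vulnerable))  # leaks Page A's hidden image
    print("fixed:", attacker_replay(restore_revision_fixed))  # None
```

The fix is deliberately a single comparison on the object's owner before rendering anything; the denied and missing cases return the same error so an attacker cannot use the response to confirm that a guessed revision ID exists.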