Bassem Bazzoun

Published On: 12 Nov 2020

Disclose hidden Product Images

IDOR
Facebook | Web
---
LOW VALID

Commerce Manager is the platform for setting up a shop and managing sales on Facebook. You create products there and sell them through the Shop section of your Page; the Page is linked to a business account, and the shop itself is managed from Commerce Manager.

Description

In the Shop section of Commerce Manager you can customise the view of your shop that your customers see. When you save a customised view, a version of it is added to the Version History option of your Commerce Manager shop, so that you can restore it later instead of recreating it from scratch. Each version has an ID and can be restored. Because the GraphQL restore mutation does not check that the supplied revision ID belongs to the caller's shop, we can submit another Page's revision ID and disclose that Page's product image.


Impact

A malicious attacker who knows the revision ID of another Page's shop view can disclose the image of a product that the Page has hidden.

Reproduction Steps

Step 1

Setup
===

Page A - Victim - Linked to a business account, with the Shop tab enabled on the Page
Page B - Attacker - Linked to a business account, with the Shop tab enabled on the Page

Page A's shop must be live.

Step 2

From Page B, navigate to the Shop section in Commerce Manager and edit your Page's shop:

https://business.facebook.com/commerce_manager/YOUR_CATALOGUE_ID/shops/

Step 3

Create any new customised view.

Step 4

Now click "Version history", where you will see two versions: the current one (customised in Step 3) and the default revision.

Click "Default Revision" and a message will appear asking whether you want to restore this version.


Step 5

Click the "Restore Version" button and intercept the GraphQL POST request with Burp. It carries doc_id 2803246716442201 and the following variables (shown here with the revision ID already swapped to Page A's):

{
  "input": {
    "client_mutation_id": "7",
    "actor_id": "---",
    "cms_id": "---",
    "revision_id": "REVISION_ID_OF_PAGE_A",   <------- The vulnerable parameter
    "workspace_id": "---"
  }
}

Change revision_id to the revision ID of Page A and forward the request. The response contains Page A's customised view, including the product image, even when the product is hidden.


Discussion

This works because, when you create a collection, the collection's image defaults to the image of the first product added to it (a collection image is optional, and if none is set the product's image is used). Restoring the victim's revision therefore renders that collection image regardless of whether the product is hidden, and if the victim Page later changes the product image, we get the new image as well.
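To make the authorisation gap concrete, the following is an added example written for this page, not Facebook's code: a minimal model of the restore-version mutation from Step 5 together with the collection-image behaviour described in the Discussion above. The vulnerable handler looks up the revision by the client-supplied revision_id alone; the hardened handler additionally checks that the caller administers the shop named by cms_id and that the revision belongs to that shop. All class and function names (Product, Collection, ShopRevision, restore_version, restore_version_fixed, is_refused), the in-memory tables, URLs and identifiers are assumptions constructed for illustration.

```python
"""Added illustrative model, not Facebook's code: names, tables and IDs below
are assumptions constructed to mirror the request fields shown in Step 5."""
from dataclasses import dataclass
from typing import Dict, List, Optional


class AuthorizationError(Exception):
    """Raised when the caller may not restore the requested revision."""


@dataclass
class Product:
    product_id: str
    image_url: str
    hidden: bool = False  # hidden products must not be exposed to other shops


@dataclass
class Collection:
    name: str
    product_ids: List[str]           # ordered; the first supplies the default image
    image_url: Optional[str] = None  # an explicit collection image is optional

    def display_image(self, catalog: Dict[str, Product]) -> str:
        # As in the Discussion: with no explicit image, the collection shows
        # the first product's image, whether or not that product is hidden.
        if self.image_url:
            return self.image_url
        return catalog[self.product_ids[0]].image_url


@dataclass
class ShopRevision:
    revision_id: str
    cms_id: str                   # the shop this revision belongs to
    collections: List[Collection]


# Constructed sample data (not real Facebook identifiers).
CATALOG: Dict[str, Product] = {
    "prod_A1": Product("prod_A1", "https://cdn.example/secret-launch.jpg", hidden=True),
    "prod_B1": Product("prod_B1", "https://cdn.example/b-mug.jpg"),
}
REVISIONS: Dict[str, ShopRevision] = {
    "rev_A_custom": ShopRevision("rev_A_custom", "cms_A", [Collection("Coming soon", ["prod_A1"])]),
    "rev_B_custom": ShopRevision("rev_B_custom", "cms_B", [Collection("Mugs", ["prod_B1"])]),
}
SHOP_ADMINS: Dict[str, str] = {"cms_A": "actor_A", "cms_B": "actor_B"}  # cms_id -> actor_id


def render(rev: ShopRevision) -> dict:
    """Build the view returned to the client after a restore."""
    return {
        "revision_id": rev.revision_id,
        "collections": [{"name": c.name, "image": c.display_image(CATALOG)}
                        for c in rev.collections],
    }


def restore_version(actor_id: str, variables: dict) -> dict:
    """VULNERABLE: the revision is fetched by the client-supplied revision_id
    alone; nothing ties it to input.cms_id or to the caller."""
    inp = variables["input"]
    return render(REVISIONS[inp["revision_id"]])


def restore_version_fixed(actor_id: str, variables: dict) -> dict:
    """HARDENED: the caller must administer the shop named in the request,
    and the revision must belong to that same shop."""
    inp = variables["input"]
    if SHOP_ADMINS.get(inp["cms_id"]) != actor_id:
        raise AuthorizationError("caller does not manage this shop")
    rev = REVISIONS.get(inp["revision_id"])
    # One error for "unknown" and "belongs to another shop", so the response
    # does not confirm whether a guessed revision_id exists.
    if rev is None or rev.cms_id != inp["cms_id"]:
        raise AuthorizationError("revision not found in this shop")
    return render(rev)


def is_refused(actor_id: str, variables: dict) -> bool:
    """True if the hardened handler rejects this request."""
    try:
        restore_version_fixed(actor_id, variables)
    except AuthorizationError:
        return True
    return False


# Page B's admin replays its own restore request with Page A's revision_id.
ATTACK_VARIABLES = {
    "input": {
        "client_mutation_id": "7",
        "actor_id": "actor_B",
        "cms_id": "cms_B",
        "revision_id": "rev_A_custom",  # swapped in, exactly as in Step 5
        "workspace_id": "ws_B",
    }
}
```

With these tables, restore_version("actor_B", ATTACK_VARIABLES) returns Page A's view and hands over the hidden product's image URL through the collection's default image, while is_refused("actor_B", ATTACK_VARIABLES) is True. The fix is deliberately two checks, not one: binding the caller to cms_id stops an attacker from simply naming the victim's shop, and binding the revision to cms_id stops the cross-shop reference that this report exploits.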


Videos

Timeline

Bassem, 27 Sep 2020: Report Sent

Facebook, 28 Sep 2020: Need more information to reproduce
Hi Bassem M, Thank you for the report and very detailed instructions.... Thanks,

Bassem, 29 Sep 2020: More Information sent
Facebook faced some problems while reproducing the bug many times, and I was asked for more information, until on 2020-10-21 the bug was reproduc ...

Facebook, 21 Oct 2020: Triaged
Hi Bassem M, Thank you for the explanation! We are sending it to the appropriate product team for further investigation. We will keep you update ...

Facebook, 03 Nov 2020: Bug Fixed
Hi Bassem M, We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patc ...

Facebook, 12 Nov 2020: Bounty Awarded

VALID