Chris Laconsay

Published On: 17 May 2019

De-anonymizing Facebook Employee Who Created Crisis Fundraiser

Privacy/Authentication
Facebook | Web
---
LOW VALID
Description

It is possible for a malicious user to see who created the Crisis fundraiser. This type of fundraiser is created internally by a Facebook employee.

Impact

This could have allowed a malicious user to see who created the Crisis fundraiser, which in some cases is a Facebook employee.




Reproduction Steps

Step 1

Step 2

Find a Crisis with a Donate button and copy the link of the button.

Step 3

The link contains a campaign_id, which is the ID of the fundraiser. Take note of this ID.

Step 4

Make the following GraphQL request.

POST /graphql
q = nodes([fundraiserID]){owner{name,id}}

Step 5

You will see the Facebook name and user ID of the Facebook employee who created the fundraiser.

Timeline
Chris 24 Jul 2018

Initial Report

Facebook 24 Jul 2018

Pre-triage Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

Facebook 24 Jul 2018

Triaged Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook 03 Aug 2018

Fixed We have looked into this issue and believe that the vulnerability has been patched by using Page id as the owner of crisis fundraiser. Please let ...

Chris 04 Aug 2018

Fix confirmed Thanks for looking into this issue. Yes, I confirm that the vulnerability has been patched.

Facebook 08 Aug 2018

Bounty awarded After reviewing this issue, we have decided to award you a bounty of $1000. Below is an explanation of the bounty amount. This could have allow ...

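The fix described in the timeline (using the Page id as the owner of a crisis fundraiser) can be shown as a before/after `owner` resolver with a regression check. This is an added example, not Facebook's code; the data model, the field names `kind`, `creatorId` and `pageId`, the IDs, and the fail-closed `null` result are assumptions made for illustration.

```javascript
// Added illustration. All records, IDs and field names are constructed.
const users = new Map([
  ["u100", { id: "u100", name: "Employee Example", type: "User" }],
  ["u200", { id: "u200", name: "Regular Donor", type: "User" }],
]);
const pages = new Map([
  ["p900", { id: "p900", name: "Crisis Response Page", type: "Page" }],
]);
const fundraisers = new Map([
  // Internally created crisis fundraiser: the creator is staff.
  ["f1", { id: "f1", kind: "CRISIS", creatorId: "u100", pageId: "p900" }],
  // Ordinary fundraiser: the creator is meant to be public.
  ["f2", { id: "f2", kind: "PERSONAL", creatorId: "u200", pageId: null }],
]);

// Before: owner resolves to the creating account for every fundraiser kind.
function resolveOwnerVulnerable(fundraiser) {
  return users.get(fundraiser.creatorId);
}

// After: a crisis fundraiser is owned by its Page, never by the creator.
function resolveOwnerFixed(fundraiser) {
  if (fundraiser.kind === "CRISIS") {
    // Assumption: fail closed (null) instead of falling back to the creator.
    return pages.get(fundraiser.pageId) || null;
  }
  return users.get(fundraiser.creatorId);
}

// Stand-in for nodes([id]){owner{name,id}}: return only the requested fields.
function queryOwner(fundraiserId, resolveOwner) {
  const fundraiser = fundraisers.get(fundraiserId);
  if (!fundraiser) return null;
  const owner = resolveOwner(fundraiser);
  return owner ? { name: owner.name, id: owner.id } : null;
}

// Regression check: true if any crisis fundraiser exposes a User as owner.
function crisisOwnersLeakUsers(resolveOwner) {
  return [...fundraisers.values()]
    .filter((f) => f.kind === "CRISIS")
    .map((f) => resolveOwner(f))
    .some((owner) => Boolean(owner) && owner.type === "User");
}
```

Running `crisisOwnersLeakUsers` against every resolver that can reach a fundraiser node catches the same disclosure if a new field or edge reintroduces the creator as a fallback.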