Chris Laconsay

Published On: 22 May 2019

De-anonymizing Page Admin that Created the Event

Privacy/Authentication
Facebook | Web
---
LOW VALID
Description

This vulnerability could allow a malicious user to identify the page admin who created a Page event. This is possible because the Facebook ID of the page admin is leaked in the response of the endpoint "/events/dialog/edit/page/?event_id=EVENT_ID&acontext=0".

Impact

It discloses the page admin's personal identity to someone outside the Page.

Reproduction Steps

Step 1

Setup
===
PageA - target Page
Alice - admin on PageA; id = 111111
Dance Party - event hosted by PageA; created by Alice; event id = 999999
PageB - Page owned by Charlie
Charlie - attacker; admin on PageB

Step 2

Alice adds PageB as a co-host of the "Dance Party" event.

Step 3

As an admin of PageB, Charlie accepts the invitation.

Step 4

Charlie opens the browser's Dev Tools and runs the following AsyncRequest in the Console tab.

new AsyncRequest('https://www.facebook.com/events/dialog/edit/page/?event_id=999999&acontext=0').send()

This should run without any error and return "true".

Step 5

Charlie checks the response by switching to the Network tab.

Step 6

Charlie copies the whole response and pastes it into a text editor or an online JSON formatter.

Step 7

Charlie searches for the string "accountID" (without the quotes). The numeric value after "accountID" is the ID of the Page admin who created the event.
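The leak above is a field-level authorization gap: the edit dialog returned the full event record, including creator attribution, to anyone who could load it as a co-host admin. The following is an added example (not Facebook's code) of how a defender would model the fix and its regression check. The payload shape, role names and "PageA"/"PageB" identifiers are constructed from the report's setup; the IDs 111111 and 999999 are the report's sample values.

```python
import json
from typing import Any, Optional, Set

# Constructed payload mirroring what the report describes: the event edit
# dialog response carries the creator's numeric "accountID". Sample values only.
EVENT_DIALOG = {
    "event_id": 999999,
    "name": "Dance Party",
    "host_page_id": "PageA",
    "creator": {"accountID": 111111, "name": "Alice"},
    "cohosts": ["PageB"],
}

# Allowlist of fields per viewer role (assumed role names). Only admins of the
# hosting Page see creator attribution; co-host admins get event metadata only.
ALLOWED_FIELDS = {
    "host_admin": {"event_id", "name", "host_page_id", "creator", "cohosts"},
    "cohost_admin": {"event_id", "name", "host_page_id", "cohosts"},
}


def viewer_role(viewer_admin_pages: Set[str], event: dict) -> Optional[str]:
    """Derive the viewer's relationship to the event from the Pages they admin."""
    if event["host_page_id"] in viewer_admin_pages:
        return "host_admin"
    if viewer_admin_pages & set(event["cohosts"]):
        return "cohost_admin"
    return None


def render_dialog(event: dict, viewer_admin_pages: Set[str]) -> dict:
    """Return only the fields the viewer's role is allowed to see; reject outsiders."""
    role = viewer_role(viewer_admin_pages, event)
    if role is None:
        raise PermissionError("viewer administers neither the host nor a co-host Page")
    return {k: v for k, v in event.items() if k in ALLOWED_FIELDS[role]}


def leaks_account_id(response: Any, needle: str = "accountID") -> bool:
    """Regression check mirroring step 7 of the report: does the serialized
    response contain an accountID key anywhere in its nesting?"""
    return f'"{needle}"' in json.dumps(response)


if __name__ == "__main__":
    # Charlie (admin of PageB) must not see Alice's accountID; Alice (PageA) may.
    print(leaks_account_id(render_dialog(EVENT_DIALOG, {"PageB"})))  # False
    print(leaks_account_id(render_dialog(EVENT_DIALOG, {"PageA"})))  # True
```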


Timeline
Chris 07 Mar 2019

Initial report

Facebook 08 Mar 2019

Asked more info

Chris 09 Mar 2019

Sent more info

Facebook 13 Mar 2019

Pre-triaged Thank you for your submission. We've managed to reproduce your report and will get back to you once we have had a chance to investigate.

Facebook 13 Mar 2019

Triaged Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ...

Facebook 19 Mar 2019

Fixed We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ...

Chris 20 Mar 2019

Fix confirmed

Facebook 21 Mar 2019

Bounty awarded After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bo ...