Sarmad Hassan

Published On: 07 Jun 2019

Disclose private mockups for other users in facebook Creative Hub

IDOR
Facebook | Web
---
LOW VALID

Facebook has a feature called "Creative Hub", a platform designed for businesses to collaborate on ad mockups and to learn from and be inspired by what is creatively possible. You don't need any design skills or experience with Facebook advertising. For more details see https://www.facebook.com/business/help/230486987369480

Description

When you create a mockup, you can view it as "Desktop News Feed" or "Mobile News Feed" to see what your mockup will look like from another user's perspective. The GET request that handles the "Desktop News Feed" option was vulnerable to an IDOR bug in the "object_story_id" parameter: the server resolved the story by its ID alone, without checking that it belonged to the project the caller's access token was issued for.


Impact

This bug allows an attacker to disclose another user's private mockup (a draft mockup) if they know the "FBID" of the story attached to the mockup.




Reproduction Steps

Step 1

From the victim account, go to https://business.facebook.com/ads/creativehub and log in with your business account.

Step 2

From the left side go to Project ===> select Private ===> Create Mockup button ===> select Carousel ===> fill in all the required information (title, text, image, etc.) ===> then hit the Save button.

Step 3

Go back to Projects ===> choose Private ===> hit the Preview all button in the upper right.

Step 4

It will redirect you to https://www.facebook.com/ads/creativehub/preview/?act={your-account-ID}&project_access_token={your-access-token}.

Step 5

In the upper right ===> select the "Gear button" ===> VIEW BY PLACEMENT ===> intercept with Burp Suite ===> select Desktop News Feed (make sure you actually select it).

Step 6

You will see a GET request like the one below:

GET /ajax/pagelet/generic.php/AdPreviewPageletController?dpr=1&fb_dtsg_ag=blablabla&data={"adaccountid":"your-ads-account-ID","adid":null,"appid":"1111111","creative":{"object_story_id":"557660361354544_557660471354533"},"customplaymode":null,"loadingoverlay":"shimmer","videodata":{},"format":"DESKTOP_FEED_STANDARD","borderstyle":"standard","projectAccessToken":"your-project-token","editable":false,"version":"v3.0"}&..etc

Step 7

From the attacker account, repeat the above 6 steps.

Step 8

Once you have the GET request, replace the attacker's "object_story_id" with the victim's "object_story_id" value, which in our case is:

"object_story_id":"557660361354544_557660471354533" ===> and forward the GET request to the server.

Now you can see the victim's private mockup from the attacker's browser (attacker perspective), and the response in Burp Suite also exposes all of the following details:

* Mockup title
* Page name
* Page ID
* Owner ID
* Owner name
* Description text and URL description
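To make the root cause concrete from the defender's side, here is an added example that is not Facebook's code or the original report's: a small model of the preview endpoint with the broken authorization decision beside the corrected one, plus a parser for the GET request shape shown in Step 6. The project, story and token records, the token format, and the function names are all constructed for illustration.

```python
import json
from urllib.parse import parse_qs, urlsplit

# Constructed sample data (hypothetical): two projects owned by different users,
# each containing one story. The victim's story ID is the one from the writeup.
PROJECTS = {
    "proj_victim": {"owner_id": "victim", "stories": {"557660361354544_557660471354533"}},
    "proj_attacker": {"owner_id": "attacker", "stories": {"999000000000001_999000000000002"}},
}
STORIES = {
    "557660361354544_557660471354533": {"title": "Victim private draft", "owner_id": "victim"},
    "999000000000001_999000000000002": {"title": "Attacker draft", "owner_id": "attacker"},
}
# Constructed project access tokens: each token grants access to exactly one project.
PROJECT_TOKENS = {"tok-victim": "proj_victim", "tok-attacker": "proj_attacker"}

# Constructed request mirroring the shape in Step 6 (the data= parameter carries JSON).
SAMPLE_REQUEST = (
    "/ajax/pagelet/generic.php/AdPreviewPageletController?dpr=1&fb_dtsg_ag=blablabla"
    '&data={"adaccountid":"123","adid":null,'
    '"creative":{"object_story_id":"557660361354544_557660471354533"},'
    '"format":"DESKTOP_FEED_STANDARD","projectAccessToken":"tok-attacker",'
    '"editable":false,"version":"v3.0"}'
)


class Forbidden(Exception):
    """Raised when the caller may not see the requested story."""


def parse_preview_request(path_and_query):
    """Extract the JSON object from the data= query parameter of the preview GET."""
    qs = parse_qs(urlsplit(path_and_query).query)
    return json.loads(qs["data"][0])


def preview_vulnerable(params):
    """The IDOR: the token is checked for validity, but the story is fetched by ID
    alone, so any valid token can read any story."""
    if params["projectAccessToken"] not in PROJECT_TOKENS:
        raise Forbidden("invalid project access token")
    return STORIES[params["creative"]["object_story_id"]]


def is_authorized(params):
    """Correct decision: resolve the project from the token first, then only allow
    stories that belong to that project. The story ID never decides access by itself."""
    project_id = PROJECT_TOKENS.get(params["projectAccessToken"])
    if project_id is None:
        return False
    return params["creative"]["object_story_id"] in PROJECTS[project_id]["stories"]


def preview_hardened(params):
    """Hardened handler: same error for 'not yours' and 'does not exist', so the
    endpoint cannot be used to confirm which story IDs are real."""
    if not is_authorized(params):
        raise Forbidden("story not available in this project")
    return STORIES[params["creative"]["object_story_id"]]


def demo():
    """Return what each handler does for the attacker-token / victim-story request."""
    params = parse_preview_request(SAMPLE_REQUEST)
    leaked = preview_vulnerable(params)["title"]
    try:
        preview_hardened(params)
        blocked = False
    except Forbidden:
        blocked = True
    return {"vulnerable_leaks": leaked, "hardened_blocks": blocked}


if __name__ == "__main__":
    print(demo())
```

The important design point is the order of checks in preview_hardened: the object (the story) is looked up only after the subject's scope (the project bound to the token) has been established, which is the general fix for this class of IDOR, and the failure response is the same whether the story is foreign or nonexistent.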


Takeaways:

* When you test Facebook, don't focus only on POST requests; keep your eyes on GET requests too. I'm sure one day you will see a vulnerable endpoint that leads you to a valid bug.



Timeline

* Sarmad, 18 Oct 2018: Initial Report
* Facebook, 23 Oct 2018: Report Triaged
* Facebook, 23 Apr 2019: Fixed By Facebook
* Sarmad, 24 Apr 2019: Fix Confirmed
* Facebook, 07 Jun 2019: Bounty awarded