Sarmad Hassan

Published On: 11 Jun 2019

$3,000

Disclose Thumbnail of any video in Facebook WorkPlace

IDOR
Workplace | Web
---
MEDIUM VALID

Facebook has a feature called "Canvas", which it describes as "an immersive and expressive experience on Facebook for businesses to tell their stories and showcase their products". For more details, see https://www.facebook.com/business/news/introducing-canvas

Description

When you create a Canvas, there are several components you can add, such as an uploaded video or image. The POST request that handles the "upload video" component was vulnerable to an IDOR bug in its "video_id" parameter: the server never checked that the referenced video belonged to the page making the request.

Impact

This bug allowed an attacker to disclose the thumbnail of any video on Facebook Workplace, provided they knew the "fbid" of that video.




Reproduction Steps

Step 1

Go to any page you own ===> Settings ===> publishing_tools ===> Canvas.

You can also go directly to the link below:

https://www.facebook.com/[your-page-id]/publishing_tools/?section=ADS_CANVAS

Step 2

Create ===> Add components ===> Video ===> OK ===> upload any video from your machine and fill in the other required fields ===> intercept the traffic with Burp Suite ===> click "Finish" or "Save".

Step 3

You will see a POST request like the one below:

POST /v2.11/{your_Page_ID}?access_token={your_page_Access_Token} HTTP/1.1

reqName=object%3Acanvas_video&_reqSrc=AdsCanvasElementDataLoader&bottom_padding=0&locale=en_US&method=post&name=Video&pretty=0&style=FIT_TO_WIDTH&suppress_http_code=1&top_padding=0&video_id={the ID of your video}

Step 4

Replace your video_id value with the ID of the victim's video that was uploaded to Facebook Workplace, and forward the request to the server.

Step 5

Click the "Preview" option to send the canvas to your mobile device, and you will be able to see the thumbnail of the victim's video that was posted in Workplace.

Bypassing

When I was on Step #4 I wasn't able to see the victim's video, so in order to bypass this, the idea of sending the canvas to my mobile device came to my mind ;)
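The flaw the steps above exercise, and the check that closes it, can be modelled in a few lines. The following is an added illustration written for this page, not code from the report or from Facebook; the class and function names, the in-memory store, and the sample fbids and thumbnail URLs are all constructed assumptions. The vulnerable handler only verifies that the video exists before attaching it to the caller's canvas element, so the preview renderer later resolves and discloses the thumbnail of a video the caller never owned. The hardened handler verifies ownership at the point where the foreign identifier enters the system.

```python
"""Model of the Canvas video_id IDOR and its ownership fix (constructed example)."""
from __future__ import annotations

from dataclasses import dataclass, field


class NotAuthorized(Exception):
    """Raised when a caller references an object it is not allowed to use."""


@dataclass(frozen=True)
class Video:
    fbid: str            # the video's object id (the "fbid" from the report)
    owner_id: str        # page or Workplace community that uploaded it
    thumbnail_url: str   # what the preview step ends up disclosing


@dataclass
class CanvasStore:
    """In-memory stand-in for the video and canvas-element tables (assumed)."""
    videos: dict[str, Video] = field(default_factory=dict)
    canvas_elements: list[dict] = field(default_factory=list)

    def add_video(self, video: Video) -> None:
        self.videos[video.fbid] = video


def create_canvas_video_vulnerable(store: CanvasStore, caller_page_id: str, video_id: str) -> dict:
    """Vulnerable handler: checks that the video exists, never who owns it.

    Any authenticated page can attach any known video fbid to its own canvas.
    """
    if video_id not in store.videos:
        raise KeyError("unknown video")
    element = {"page_id": caller_page_id, "video_id": video_id}
    store.canvas_elements.append(element)
    return element


def create_canvas_video_fixed(store: CanvasStore, caller_page_id: str, video_id: str) -> dict:
    """Hardened handler: the referenced video must belong to the calling page.

    "Not found" and "not yours" return the same error so a guessed id is not
    confirmed to exist by the difference in responses.
    """
    video = store.videos.get(video_id)
    if video is None or video.owner_id != caller_page_id:
        raise NotAuthorized("video not found or not accessible to this page")
    element = {"page_id": caller_page_id, "video_id": video_id}
    store.canvas_elements.append(element)
    return element


def preview_thumbnail(store: CanvasStore, element: dict) -> str:
    """Preview renderer: resolves the stored video_id to its thumbnail.

    It trusts the stored element, so whatever the create step admitted is
    disclosed here. This mirrors the "send to mobile device" step in the report.
    """
    return store.videos[element["video_id"]].thumbnail_url


def demo() -> dict[str, bool]:
    """Run both handlers against a constructed store and summarise the outcome."""
    store = CanvasStore()
    store.add_video(Video("1001", "page_a", "https://cdn.example/1001.jpg"))
    store.add_video(Video("2002", "workplace_b", "https://cdn.example/2002.jpg"))

    # Vulnerable path: page_a references workplace_b's video and the preview leaks it.
    leaked = create_canvas_video_vulnerable(store, "page_a", "2002")
    vulnerable_leaks = preview_thumbnail(store, leaked) == "https://cdn.example/2002.jpg"

    # Fixed path: the same request is rejected before anything is stored.
    try:
        create_canvas_video_fixed(store, "page_a", "2002")
        fixed_blocks = False
    except NotAuthorized:
        fixed_blocks = True

    # Fixed path still works for the caller's own video.
    own = create_canvas_video_fixed(store, "page_a", "1001")
    fixed_allows_own = preview_thumbnail(store, own) == "https://cdn.example/1001.jpg"

    return {
        "vulnerable_leaks": vulnerable_leaks,
        "fixed_blocks": fixed_blocks,
        "fixed_allows_own": fixed_allows_own,
    }


if __name__ == "__main__":
    print(demo())
```

The design point is where the check lives: the preview renderer cannot tell a legitimate reference from a smuggled one, so ownership has to be enforced when the identifier is accepted, and the rejection should not reveal whether the id exists.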

Takeaways:

1- You have to know your target and check every option on it.
2- Sometimes you need to think outside the box.
3- Always make sure your bug can affect the app's users or its system.
4- Always focus on video and photo IDs; there is a chance to find a flaw there.
5- Most important thing: "JUST HAVE FUN" when you pentest.



Timeline

Sarmad, 30 Mar 2018: Initial Report
Facebook, 05 Apr 2018: Report Triaged
Facebook, 10 Apr 2018: Bug Fixed
Sarmad, 10 Apr 2018: Fix Confirmed
Facebook, 03 May 2018: Bounty of $3000 awarded
