Published On: 11 Jun 2019
Facebook has a feature called "Canvas", which it describes as "an immersive and expressive experience on Facebook for businesses to tell their stories and showcase their products"; for more details see https://www.facebook.com/business/news/introducing-canvas
When you create a Canvas there are several options (components to add), such as uploading a video or an image. The POST request that handles the "upload video" option was vulnerable to an IDOR bug in its "video_id" parameter: the server accepted any video ID without checking that the caller was authorized to reference that video.
This bug allowed an attacker to disclose the thumbnail of any video from "Facebook Workplace" if they knew the "fbid" of that video.
Step 1
Go to any page you own ===> Settings ===> Publishing Tools ===> Canvas.
You can also go directly to the link below:
https://www.facebook.com/[your-page-id]/publishing_tools/?section=ADS_CANVAS
Step 2
Create ==> Add components ==> Video ==> OK ==> upload any video from your machine and fill in the other required fields ==> intercept the request with Burp Suite ==> click on "Finish" or "Save".
Step 3
You will see a POST request like the one below:
POST /v2.11/{your_Page_ID}?access_token={your_page_Access_Token} HTTP/1.1
reqName=object%3Acanvas_video&_reqSrc=AdsCanvasElementDataLoader&bottom_padding=0&locale=en_US&method=post&name=Video&pretty=0&style=FIT_TO_WIDTH&suppress_http_code=1&top_padding=0&video_id={the ID of your video}
Step 4
Replace your video_id value with the victim's video ID (a video that was uploaded to Facebook Workplace) and forward the request to the server.
Step 5
Click on the "Preview" option to send the canvas to your mobile device, and you will be able to see the thumbnail of the victim's video that was posted in Workplace.
When I was on Step #4 I wasn't able to see the "video of victim", so in order to bypass this, the "IDEA" of "sending the canvas to my mobile device" came to my mind ;)
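To show the missing check from the defender's side, here is an added example that is not Facebook's code: a constructed Python model of the Canvas video-component handler, with the vulnerable lookup beside a version that performs object-level authorization on video_id before dereferencing it. The in-memory video and token tables, the page and video IDs, and the function names are all assumptions; only the request shape (page ID in the path, access_token in the query string, video_id in the form body) follows the POST shown in Step 3.

```python
# Added example (not Facebook's code): a minimal model of the Canvas "video"
# component handler, showing the IDOR pattern and the object-level
# authorization check that closes it. All names, ids and data are constructed.
from urllib.parse import urlparse, parse_qs

# Constructed data: which page owns each video, and which page each token acts for.
VIDEOS = {
    "1001": {"owner_page": "page_A", "thumbnail": "thumb_A.jpg"},  # caller's own upload
    "2002": {"owner_page": "page_W", "thumbnail": "thumb_W.jpg"},  # another tenant's Workplace video
}
TOKENS = {
    "tok_page_A": {"page_id": "page_A"},
}


class Forbidden(Exception):
    """Raised when the caller is not authorized for the referenced object."""


def resolve_token(access_token):
    """Return the page a page access token acts for (constructed lookup)."""
    try:
        return TOKENS[access_token]["page_id"]
    except KeyError:
        raise Forbidden("invalid access token")


def attach_video_vulnerable(page_id, access_token, video_id):
    """Vulnerable pattern: the caller is authenticated and matched to the page,
    but video_id is trusted as-is, so any valid token can reference any video."""
    caller_page = resolve_token(access_token)
    if caller_page != page_id:
        raise Forbidden("token does not belong to this page")
    video = VIDEOS[video_id]  # no check that this video belongs to caller_page
    return {"video_id": video_id, "thumbnail": video["thumbnail"]}


def attach_video_fixed(page_id, access_token, video_id):
    """Hardened pattern: every object id taken from the request is checked against
    the caller's own scope before it is dereferenced (object-level authorization)."""
    caller_page = resolve_token(access_token)
    if caller_page != page_id:
        raise Forbidden("token does not belong to this page")
    video = VIDEOS.get(video_id)
    # Missing and foreign objects get the same error, so the response does not
    # confirm whether an id exists in another tenant.
    if video is None or video["owner_page"] != caller_page:
        raise Forbidden("video not found or not accessible to this page")
    return {"video_id": video_id, "thumbnail": video["thumbnail"]}


def handle_canvas_video_post(path, body, handler):
    """Parse a request shaped like the write-up's POST and dispatch to a handler.
    path: '/v2.11/<page_id>?access_token=<token>'; body: form-encoded with video_id."""
    url = urlparse(path)
    page_id = url.path.rsplit("/", 1)[-1]
    token = parse_qs(url.query).get("access_token", [None])[0]
    video_id = parse_qs(body).get("video_id", [None])[0]
    if token is None or video_id is None:
        raise ValueError("missing access_token or video_id")
    return handler(page_id, token, video_id)


if __name__ == "__main__":
    # Constructed request body modelled on Step 3, with a foreign video_id.
    body = "_reqName=object%3Acanvas_video&method=post&name=Video&video_id=2002"
    path = "/v2.11/page_A?access_token=tok_page_A"
    print("vulnerable:", handle_canvas_video_post(path, body, attach_video_vulnerable))
    try:
        handle_canvas_video_post(path, body, attach_video_fixed)
    except Forbidden as exc:
        print("fixed:", exc)
```

The fix is not in the token check, which both handlers already perform, but in tying the supplied video_id back to the authenticated page before the object is used; returning one generic error for both unknown and foreign IDs also keeps the endpoint from acting as an ID oracle.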
1- You have to know your target and check every option on it.
2- Sometimes you need to think outside the box.
3- Always make sure your bug can affect the app's users or its system.
4- Always focus on video and photo IDs; there is a chance to find a flaw there.
5- Most important thing: "JUST HAVE FUN" when you pentest.