Kassem Bazzoun

Published On: 18 Sep 2020

Reveal the page admin that uploaded a video on the page

Privacy/Authentication
Facebook | Web
---
HIGH VALID
Description

There is an endpoint in Facebook Messenger used while viewing the images and videos sent between any two contacts (conversations). When you click on an image to expand it, several options appear at the top of the image; "Info" fetches some information about the user who uploaded the image. This request has a parameter "node" that contains a Base64 string. However, when the ID of a video uploaded to a Page is put into this parameter directly, without encoding, the server replies with the ID and name of the admin who uploaded it.


Impact

Anyone can reveal which Page admin uploaded a video on the Page by editing a single GraphQL request.




Reproduction Steps

Step 1

We want to find the endpoint responsible for fetching information about an image sent in a Facebook Messenger conversation, so I entered any chat and expanded any image (clicked on the image).

Step 2

After expanding the image, you should see multiple options at the top of the image (Download, Forward, Info). Intercept the request and tap on the "Info" icon.

The request should be a POST request to the following endpoint: api/graphqlbatch

It contains a parameter "queries" that holds the following:


{"q2":{"priority":0,"q":"Query SpotlightMessagesViewerContainerRoute {node(bWVzc2FnZV9ibG9iX2F0dGFjaG1lbnQ6MzIxNDU5NTM1ODcyOTg4) {id,__typename,@F2}} QueryFragment F0 : MessageImage {creation_time,creator {id,name,__typename},filename,original_dimensions {x,y},filesize,exif_data {iso,aperture,focal_length,model},id} QueryFragment F1 : MessageVideo {creation_time,creator {id,name,__typename},filename,original_dimensions {x,y},id} QueryFragment F2 : Node {__typename,id,@F0,@F1}","query_params":{}}}

Step 3

Looking at the "node" parameter, which is Base64 encoded, I tried to decode it and found that it is

message_blob_attachment:321459535872988

so I tried to put any post ID, video ID or image ID in the same way:

ENCODED_BASE64(message_blob_attachment:ATTACHMENT_ID)

and sent the request, but it did not work at all, and that's normal since these IDs aren't message attachments!

 

Step 4

A simple idea came to my mind: why am I decoding it at all? It's a node, and it should accept the ID without any encoding,

so I tried putting a post ID in the node parameter. The server replied, but without any private information; the same happened with an image ID.

 

Step 5

Finally! I put in the VIDEO ID.

So, in the node parameter, remove the Base64 characters and put the ID of a video uploaded to the Page:

....{node(VIDEO_ID) ....

The response should be:


{"q2":{"response":{"311201373640982":{"id":"311201373640982","__typename":"Video","creation_time":null,"creator":{"id":"10003---78000002","name":"James ---","__typename":"User"},"filename":null,"original_dimensions":null,"filesize":null,"exif_data":null}},"error":null}}
{"successful_results":1,"error_results":0,"skipped_results":0}

Timeline

Kassem, 18 Aug 2020: Report Sent

Facebook, 18 Aug 2020: Triaged. "Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ..."

Facebook, 25 Aug 2020: Bug Fixed. "We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ..."

Facebook, 17 Sep 2020: Bounty Awarded. "After reviewing this issue, we have decided to award you a bounty of $----. Below is an explanation of the bounty amount. Facebook fulfills its b ..."
