Kassem Bazzoun

Published On: 04 Feb 2020

Leaking support inbox of identity confirmation process between Facebook and political advertisers

IDOR
Facebook | Other
---
HIGH VALID

In 2008, after the Cambridge Analytica breach and after the Russian interference in the 2016 US elections was identified, Facebook took many steps to ensure the integrity of political advertisements. One of these steps is "identity confirmation", which, as the name suggests, confirms the identity of anyone who wants to run issue, electoral or political ads. "First, from now on, every advertiser who wants to run political or issue ads will need to be verified" - Mark Zuckerberg - fb.com/zuck/posts/10104784125525891

Description

It was possible to access and read these messages by changing the support case id in the GraphQL request responsible for fetching this data. The request takes the case id from the client and returns the correspondence for that case without checking that the caller owns it, which is a classic insecure direct object reference (IDOR).

Impact

Anyone holding a valid first-party access token could read the Support Inbox messages associated with the ID Confirmation flow of any advertiser, simply by guessing or iterating support case ids.
Reproduction Steps

Step 1

This is the GraphQL request in which an attacker was able to change the support case id to any case id:

Access Token: First Party Token (e.g. Android Token)

fb_api_req_friendly_name: AuthenticityCorrespondenceQuery

Variables: {"id":"ANY_SUPPORT_CASE_ID"}

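To make the root cause and the fix concrete, here is an added example (not Facebook's code and not part of the original report) that models a resolver for a correspondence query like the one above. The case store, the viewer object, the case ids and the messages are all constructed for the example; the names resolve_correspondence_vulnerable and resolve_correspondence_fixed are hypothetical. The vulnerable resolver looks the case up by the client-supplied id alone; the fixed one performs object-level authorization against the authenticated viewer before returning anything.

```python
"""Added example: object-level authorization for a 'fetch support case by id'
resolver. Everything here is constructed for illustration; it is not
Facebook's code."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class SupportCase:
    case_id: str
    owner_id: str                       # advertiser who opened the identity-confirmation case
    messages: List[str] = field(default_factory=list)


@dataclass
class Viewer:
    """The principal derived from the access token, never from request variables."""
    user_id: str
    is_support_agent: bool = False


class NotAuthorized(Exception):
    pass


# Constructed sample data standing in for the support-case store.
CASES: Dict[str, SupportCase] = {
    "case-1001": SupportCase("case-1001", owner_id="adv-1",
                             messages=["Please upload a photo of your government ID."]),
    "case-1002": SupportCase("case-1002", owner_id="adv-2",
                             messages=["Your identity has been confirmed."]),
}


def resolve_correspondence_vulnerable(viewer: Viewer, variables: dict) -> Optional[List[str]]:
    """Vulnerable shape: the only input that selects the object is the
    client-controlled id, so any valid token reads any case (IDOR)."""
    case = CASES.get(variables["id"])
    return case.messages if case else None


def resolve_correspondence_fixed(viewer: Viewer, variables: dict) -> List[str]:
    """Fixed shape: the object is released only if the viewer owns it or is a
    support agent. Missing and forbidden cases produce the same error so the
    id space cannot be mapped by telling the two apart."""
    case = CASES.get(variables["id"])
    if case is None or not (viewer.is_support_agent or case.owner_id == viewer.user_id):
        raise NotAuthorized("case not found")
    return case.messages


def demo() -> dict:
    """Exercise both resolvers as advertiser adv-1 asking for adv-2's case."""
    adv1 = Viewer("adv-1")
    leaked = resolve_correspondence_vulnerable(adv1, {"id": "case-1002"})
    try:
        resolve_correspondence_fixed(adv1, {"id": "case-1002"})
        blocked = False
    except NotAuthorized:
        blocked = True
    return {"vulnerable_leaked": leaked, "fixed_blocked": blocked}


if __name__ == "__main__":
    print(demo())
```

The point of the fixed resolver is that the authorization decision is made from the token-derived viewer, not from anything in `variables`; an attacker can change the id freely, but can only ever receive cases they are entitled to.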

Credits

As usual we want to thank Sarmad Hassan for helping us with this bug. I advise you always to read his write-ups: https://bugreader.com/jubabaghdad *Semicolon Team* https://semicolonlb.net

Timeline

- Kassem, 27 Nov 2019: Report Sent

- Facebook, 29 Nov 2019: Triaged. "Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ..."

- Facebook, 09 Jan 2020: Bounty Awarded. "After reviewing this issue, we have decided to award you a bounty of **. Below is an explanation of the bounty amount. Facebook fulfills its boun ..."

- Facebook, 23 Jan 2020: Bug Fixed. "We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ..."

VALID