Published On: 04 Feb 2020
Leaking support inbox of identity confirmation process between Facebook and political advertisers
IDOR
Facebook | Other
---
HIGH VALIDIn 2008 and after Cambridge Analytica breach and after identifying the Russian interference in the 2016 US elections, Facebook takes many step to ensure the integrity of political advertisements, one of these steps is the "confirmation identity" and as it sound it's for confirm the identity to run issue, electoral or political ads. "First, from now on, every advertiser who wants to run political or issue ads will need to be verified" - -Mark Zuckerberg - fb.com/zuck/posts/10104784125525891
Description
It was possible to accessing and reading these messages by changing the support case id in the Graphql request that's responsible for fetching these data .
Impact
Anyone could read Support Inbox messages associated with the ID Confirmation flow
Reproduction Steps
Step
1
Simply, this is the Graphql request an attacker was able to change the support case to any case id
Access Token : First Party Token (e.g Android Token)
fb_api_req_friendly_name : AuthenticityCorrespondenceQuery
Variables: {"id":"ANY_SUPPORT_CASE_ID"}
Credits
As usual we want to thanks Sarmad Hassan for helping us in this bug . I advice always to read his Write-Ups : https://bugreader.com/jubabaghdad *Semicolon Team * https://semicolonlb.net