Admins of pages are able to create their "Shop" and publish their products using Commerce Manager (https://www.facebook.com/commerce_manager/). A malicious user is able to reveal the name of the creator of a published MiniShopStorefront by passing the ID of the MiniShopStorefront to a misconfigured GraphQL request, which leads to disclosure of a page admin.
Anyone can reveal which page admin published a MiniShopStorefront on a shop page by abusing a misconfigured GraphQL request.
1. The victim creates a Commerce Manager account, adds their page, and publishes products to it.
2. The attacker also creates a Commerce Manager account and tries to add a product (this step only serves to intercept the vulnerable request).
3. From the attacker's side, after creating the commerce account and submitting/publishing the shop section, go to the "Shop" section in the navigation menu; beside the page a "VIEW LIVE SHOP" button appears (see the attached image). Intercept the request and click this button. The request contains some information about the shop version.
4. The attacker now enters the shop of the victim's page and obtains the shop ID (go to the page source and search for: "MiniShopStorefront","id":"ID HERE"). This is the ID of the victim page whose creator (admin) we want to reveal.
5. In the GraphQL request captured in step 3, put the victim's shop ID. The response will be:
"revision_title": "Default revision",
"revision_creator_name": "Kassem Bazzoun ",
where revision_creator_name contains the name of the admin who created this shop.
Wait!? The response does not contain the ID of this user!? We only have his name!
OK, take this tip: I found a way to make sure who the admin is.
Simply, the attacker will block the real admin; once he blocks him, the response will be
"revision_creator_name": "Facebook User ",
and, as you know, "Facebook User" is used when an account is disabled or when you block someone on Facebook.
So, to make 100% sure who the admin is: there is a request on Facebook that is responsible for fetching the ID of a user based on a search by name. I found a request that, once I search for a specific name, returns an array containing the IDs of the users who have this name.
Example: if you pass the name "Mark Zuckerberg" to this request, it will return [4,id,id,id].
Then, in this bug, since you have the full name of the admin who created the shop, just reveal the IDs of the users who have this name and start blocking each ID until you find the one for which the response returns "Facebook User".