Rony K Roy

Published On: 11 Aug 2020

$500

Page analyst could view job application details

IDOR
Facebook | Web
---
LOW VALID
Description

According to this documentation (link given below), only page admins, editors and job managers are allowed to view the job application details of users: https://www.facebook.com/help/289207354498410

Impact

This could have allowed a malicious page analyst (who previously had admin access on the page) to disclose the job application details of users.




Reproduction Steps

Step 1

Setup

  • PageOne
  • PageTwo
  • UserOne: admin of the page PageOne
  • UserTwo: admin of the pages PageOne and PageTwo
  • UserThree: victim

Step 2

Login as UserTwo

Go to PageOne, create a job post (JobPostOne)

Go to PageTwo, create a job post (JobPostTwo)

Step 3

Login as UserOne

Browse to PageOne/Settings/PageRoles

Change UserTwo's role to Page analyst.

Step 4

Login as UserThree

Go to PageOne/Jobs/JobPostOne

Apply 

Step 5

Login as UserTwo

Go to PageTwo/Inbox

Open any chat thread.

Add activity > Appointment Booked

Click Add details and intercept the request

Find the 'Variable' parameter

Change PageID to the Page ID of PageOne

Change UserID to the User ID of UserThree

Forward the request

In the response, you can see that UserThree has applied for JobPostOne

 

Step 6

In order to view the job application details of UserThree:

Go to PageTwo/Manage Jobs

Open any job application and intercept the request

Replace the JobApplicationID with the JobApplicationID of UserThree

Forward the request 
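The fix class for both steps 5 and 6 is object-level authorization: the server must resolve which page owns the requested record and check the requester's role on that page, instead of trusting a client-supplied PageID/UserID/JobApplicationID. The following Python is an added illustration written for this write-up, not Facebook's code; the data model, role names and the "vulnerable" variant are constructed assumptions that mirror the report's setup.

```python
from dataclasses import dataclass
from typing import Optional

# Roles the cited help page allows to view job applications (assumed role names).
JOB_VIEWER_ROLES = {"admin", "editor", "job_manager"}

@dataclass(frozen=True)
class JobApplication:
    application_id: str
    page_id: str        # page that owns the job post; authoritative, stored server-side
    applicant_id: str
    job_post_id: str

# Constructed sample data mirroring the report's setup after step 4.
PAGE_ROLES = {
    ("UserOne", "PageOne"): "admin",
    ("UserTwo", "PageOne"): "analyst",   # demoted in step 3
    ("UserTwo", "PageTwo"): "admin",
}
APPLICATIONS = {
    "app-1": JobApplication("app-1", "PageOne", "UserThree", "JobPostOne"),
}

def role_on_page(user_id: str, page_id: str) -> Optional[str]:
    return PAGE_ROLES.get((user_id, page_id))

def vulnerable_view(requester: str, context_page_id: str,
                    application_id: str) -> Optional[JobApplication]:
    """Hypothetical reconstruction of the failing pattern: the role check uses
    the page the client is browsing (PageTwo), while the record returned is
    whatever application ID the client supplied (an IDOR)."""
    if role_on_page(requester, context_page_id) not in JOB_VIEWER_ROLES:
        return None
    return APPLICATIONS.get(application_id)

def is_authorized(requester: str, application_id: str) -> bool:
    """Object-level check: resolve the owning page from the stored record,
    then require a permitted role on *that* page. Unknown IDs and forbidden
    IDs both yield False so the endpoint is not an ID-existence oracle."""
    app = APPLICATIONS.get(application_id)
    if app is None:
        return False
    return role_on_page(requester, app.page_id) in JOB_VIEWER_ROLES

def view_job_application(requester: str,
                         application_id: str) -> Optional[JobApplication]:
    """Hardened endpoint: any client-supplied PageID/UserID is ignored entirely."""
    if not is_authorized(requester, application_id):
        return None
    return APPLICATIONS[application_id]
```

A mismatch between a client-supplied PageID and the page the server resolves for the record is worth logging as a detection signal, since legitimate clients never send one.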

 



Timeline

  • Rony, 08 Sep 2019: Submitted
  • Facebook, 12 Sep 2019: Triaged
  • Facebook, 17 Sep 2019: Fixed
  • Facebook, 22 Sep 2019: Bounty Awarded. "After reviewing this issue, we have decided to award you a bounty of $500. Below is an explanation of the bounty amount. Facebook fulfills its bo ..."