Published On: 25 Apr 2020
I discovered a flaw that allowed me to identify the Facebook employee IDs behind pages that show up in CrowdTangle dashboards such as Covid19 (https://apps.crowdtangle.com/public-hub/covid19). Facebook fixed it by removing the fields that were leaking employee IDs from the response.
According to Facebook: "You demonstrated that the COVID-19 dashboard on CrowdTangle leaks the names of a small subset of Facebook employees who edited it."
Step 1
Visit https://apps.crowdtangle.com/public-hub/covid19 or any other dashboard on CrowdTangle. Select any option, for example Global, and the dashboard will load.
Step 2
Look at the HTTP requests and you will find a POST request such as:
https://apps.crowdtangle.com/eventrecapsfb/boards/covid-19/posts/1329420/eventrecapsfb
With the following post parameters:
csrf_token=<CSRF-TOKEN-HERE>&dashboard=eventrecapsfb&dashToAuth=eventrecapsfb&filter=all&format=json&history=true&language_code=&country_code=&include_links=1&branded_content=false&is_breaking_news=true&list_id=1329420&num_posts=20&producer_type_ids=2%2C3&type=recent
Step 3
In the response, look for the field admin_fb_user_id.
This field leaks the account of the Facebook/CrowdTangle employee who edited the page. Some pages had an ID of 0, indicating that they had not been edited.
Step 4
You can also find out the page admin ID by moving your mouse over the title of the page, which loads the transparency URL. For example:
Moving the mouse over CBC News loads the following:
https://apps.crowdtangle.com/producer/11934/get_producer_with_page_transparency?csrf_token=<CSRF-TOKEN-HERE>
In the response, the field adminFbUserId also reveals the employee. The ID of the page is externalId. A malicious user could enumerate all producer IDs to find pages and their corresponding admin IDs.
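As an added example (not part of the original write-up and not CrowdTangle's own code), this is the shape of the fix described above: an allowlist serializer that strips internal fields such as admin_fb_user_id / adminFbUserId before a response leaves the server, plus a regression check that flags any body still carrying such a key. The response bodies, numeric IDs and allowlists are constructed assumptions for illustration.

```python
import json
import re

# Constructed sample responses shaped like the two endpoints in the write-up
# (the posts endpoint and the page-transparency endpoint). All values are made
# up; they are not real user IDs, page IDs or employees.
POSTS_RESPONSE = {
    "list_id": 1329420,
    "posts": [
        {"id": "p1", "message": "Stay home", "admin_fb_user_id": 100000000001},
        {"id": "p2", "message": "Wash hands", "admin_fb_user_id": 0},
    ],
}
TRANSPARENCY_RESPONSE = {
    "producer": {
        "id": 11934,
        "name": "CBC News",
        "externalId": "5550296508",
        "adminFbUserId": 100000000002,
    }
}

# Per-endpoint allowlists of keys a public client is allowed to see. Denying
# by default means a new internal field added later cannot leak silently.
# (Simplification: one key set is applied at every nesting level.)
ALLOWLISTS = {
    "posts": {"list_id", "posts", "id", "message"},
    "producer": {"producer", "id", "name", "externalId"},
}

def scrub(obj, allowed):
    """Recursively keep only allowlisted keys; lists are filtered element-wise."""
    if isinstance(obj, dict):
        return {k: scrub(v, allowed) for k, v in obj.items() if k in allowed}
    if isinstance(obj, list):
        return [scrub(v, allowed) for v in obj]
    return obj

def serialize(endpoint, payload):
    """Hardened replacement for dumping the raw internal object as JSON."""
    return json.dumps(scrub(payload, ALLOWLISTS[endpoint]), sort_keys=True)

# Regression guard for CI or a response-inspection proxy: an internal employee
# identifier key, in snake_case or camelCase, must never appear in a public body.
INTERNAL_KEY = re.compile(r"(?i)admin_?fb_?user_?id")

def leaks_internal_ids(body):
    return bool(INTERNAL_KEY.search(body))
```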