Dan Melamed

Published On: 25 Apr 2020

Internal Facebook Documents Revealed in transparency.facebook.com

IDOR
Facebook | Web
---
LOW VALID
Description

By manipulating a cms id parameter in transparency.facebook.com, I can leak internal Facebook documents.

Impact

This would allow an attacker to view information they otherwise should not have access to.




Reproduction Steps

Step 1

Visit http://transparency.facebook.com/

Using a tool such as Burp Suite, intercept the following POST request:

/v2-async/?cms_ids[0]=371549069990098&dpr=1.5

Step 2

Change cms_ids[0] to an id that belongs to an internal Facebook document. For example, the id (REDACTED) represents onboarding for Thailand employees:

/v2-async/?cms_ids[0]=(REDACTED)&dpr=1.5

Submit the request and you'll successfully see the content of this otherwise private internal page.
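
The missing control here is an object-level authorization check on each requested id. The following is an added example, not code from the report or from Facebook: it contrasts a handler that returns any document whose id exists with one that checks the viewer against every id. The document store, the `is_employee` viewer flag, the function names and the id 900000000000001 are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Constructed sample store. 371549069990098 is the public id shown in the
# report; 900000000000001 is a made-up placeholder for an internal page.
DOCUMENTS = {
    "371549069990098": {"visibility": "public", "body": "Transparency report page"},
    "900000000000001": {"visibility": "internal", "body": "Employee onboarding"},
}

CMS_ID_KEY = re.compile(r"^cms_ids\[([0-9]+)\]$")
CMS_ID_VALUE = re.compile(r"^[0-9]{1,20}$")


def requested_ids(query):
    """Extract well-formed cms_ids[N] values from a query string, ordered by N."""
    found = []
    for key, value in parse_qsl(query, keep_blank_values=True):
        match = CMS_ID_KEY.match(key)
        if match and CMS_ID_VALUE.match(value):
            found.append((int(match.group(1)), value))
    return [value for _, value in sorted(found)]


def can_view(viewer, doc):
    """Object-level authorization (assumed model): internal pages need an employee."""
    return doc["visibility"] == "public" or viewer.get("is_employee", False)


def handle_vulnerable(query, viewer):
    """IDOR pattern: existence of the id is the only condition for access."""
    return {i: DOCUMENTS[i]["body"] for i in requested_ids(query) if i in DOCUMENTS}


def handle_hardened(query, viewer):
    """Authorize every id; forbidden and unknown ids get the same empty result."""
    result = {}
    for doc_id in requested_ids(query):
        doc = DOCUMENTS.get(doc_id)
        allowed = doc is not None and can_view(viewer, doc)
        # Identical response for "forbidden" and "not found" avoids an id oracle.
        result[doc_id] = doc["body"] if allowed else None
    return result
```

Returning the same result for forbidden and nonexistent ids keeps the endpoint from confirming which internal ids are valid.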

Timeline

Dan, 16 Nov 2018: Initial Report

Facebook, 18 Nov 2018: Reproduced

Facebook, 26 Dec 2018: Fixed

Facebook, 15 Jan 2019: Bounty Awarded
