Jafar Abo Nada

Published On: 20 May 2019

$500

Disclosure of business employee identity to a non-business employee.

Privacy/Authentication
Facebook | Web
---
LOW VALID
Description

At the beginning of 2019, Facebook introduced a "Creator Studio" service for managing the content of pages (https://business.facebook.com/creatorstudio). When examining the service, it was found that one of the endpoints in this service allows the employees of a page to identify the employees of the business account that the page is linked to.

Impact

Disclosure of the business account's employee list to page employees who are not members of the business account.

Reproduction Steps

Step 1

First step:

1. Create a page on Facebook
2. Add page roles (admin, analyst, etc.) to manage the page

Step 2

Second step:

1. Go to "http://business.facebook.com/"
2. Create a business account
3. Link the page with the business account.

Step 3

Third step:

1. Go to the link https://business.facebook.com/creatorstudio
2. Run a tool that monitors network traffic (e.g. Burp Suite)
3. Go to the "Page" tab: https://business.facebook.com/creatorstudio/?selected_single_page_id=Page_ID&tab=settings_accounts


Note: A POST request is sent to https://business.facebook.com/media/manager/context_pages/?page_ids[0]=Page_ID, and its response contains a list of all the employees of the business account. The request is made in the context of a page role, yet the roster it returns is a business-level resource, which is the authorization gap.

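As an added illustration of the authorization pattern the report describes (this is constructed example code, not Facebook's; every identifier, record and function name below is hypothetical), here is a model of a context_pages-style handler in its weak form beside a hardened form. The weak handler checks only that the requester holds a role on the page and then returns the linked business's employee roster; the hardened handler treats the roster as a business-scoped resource and releases it only to members of that business.

```python
# Constructed model of the authorization gap: not Facebook code, all names
# and records are hypothetical and built inline so the file runs offline.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Business:
    business_id: str
    employees: set = field(default_factory=set)  # user ids that belong to the business


@dataclass
class Page:
    page_id: str
    business_id: Optional[str]  # business this page is linked to, if any
    roles: dict = field(default_factory=dict)  # user_id -> page role ("admin", "analyst", ...)


class AuthorizationError(Exception):
    pass


# Constructed sample data: one business with two employees, a page linked to it
# whose roles include an analyst who is NOT a business employee, and an
# unlinked page with a single admin.
BUSINESSES = {
    "biz-1": Business("biz-1", {"u-owner", "u-biz-staff"}),
}
PAGES = {
    "page-1": Page("page-1", "biz-1", {"u-owner": "admin", "u-analyst": "analyst"}),
    "page-2": Page("page-2", None, {"u-solo": "admin"}),
}


def _page_for(requester, pid, pages):
    """Shared page-level check: the requester must hold some role on the page."""
    page = pages[pid]
    if requester not in page.roles:
        raise AuthorizationError(f"{requester} has no role on {pid}")
    return page


def context_pages_vulnerable(requester, page_ids, pages=PAGES, businesses=BUSINESSES):
    """Weak form: a page role is the only check, yet the response carries the
    linked business's full employee roster, regardless of business membership."""
    out = {}
    for pid in page_ids:
        page = _page_for(requester, pid, pages)
        biz = businesses.get(page.business_id) if page.business_id else None
        out[pid] = {
            "business_id": biz.business_id if biz else None,
            "employees": sorted(biz.employees) if biz else [],
        }
    return out


def context_pages_fixed(requester, page_ids, pages=PAGES, businesses=BUSINESSES):
    """Hardened form: the roster is released only when the requester is a
    member of the business. Page-only users still get the business id they
    already need for the page context, but no employee list."""
    out = {}
    for pid in page_ids:
        page = _page_for(requester, pid, pages)
        biz = businesses.get(page.business_id) if page.business_id else None
        entry = {"business_id": biz.business_id if biz else None, "employees": None}
        # Second authorization check, scoped to the business object itself.
        if biz is not None and requester in biz.employees:
            entry["employees"] = sorted(biz.employees)
        out[pid] = entry
    return out


def roster_seen_by(requester, page_id, handler):
    """What employee list the given handler reveals to the requester (None if withheld)."""
    return handler(requester, [page_id])[page_id]["employees"]


def is_denied(requester, page_id, handler):
    """True when the handler rejects the requester outright (no page role)."""
    try:
        handler(requester, [page_id])
    except AuthorizationError:
        return True
    return False


if __name__ == "__main__":
    for handler in (context_pages_vulnerable, context_pages_fixed):
        print(f"{handler.__name__}: analyst sees {roster_seen_by('u-analyst', 'page-1', handler)}")
```

The point of the second check is that the object being returned, not the object named in the request, decides which authorization applies: the request names a page, but the sensitive field belongs to the business, so membership in the business is what must be verified before that field is populated.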
Timeline
Jafar, 07 Feb 2019: The report was submitted
Facebook, 11 Feb 2019: Pre-Triaged.
Facebook, 14 Feb 2019: Needs more info and Send
Facebook, 23 Feb 2019: Needs more info and Send
Facebook, 04 Mar 2019: Triaged.
Jafar, 06 Mar 2019: Confirmation of fix by me
Facebook, 12 Mar 2019: Reward paid
Facebook, 06 May 2019: Patches were done
