Unauthorized Disclosure of Video Thumbnails in Facebook Workplace

Introduction

Facebook introduced ‘CANVAS,’ a feature that lets businesses build immersive, full-screen experiences for storytelling and product showcasing. A canvas is assembled from components such as images and videos. For more in-depth information, see https://www.facebook.com/business/news/introducing-canvas.

The finding

When creating a ‘CANVAS’ on Facebook, various components are available, such as uploading videos or images. The ‘POST’ request that handles the video-upload component was found to be vulnerable to an Insecure Direct Object Reference (IDOR) in its ‘video_id’ parameter: the server resolved the referenced video without checking that the requesting page was allowed to access it.

Exploiting this bug enables an attacker to illicitly disclose the thumbnail of any video within ‘Facebook Workplace,’ provided they possess the ‘fbid’ (Facebook ID) of the target video.

Reproduction Steps

  • Navigate to Canvas Settings
  • Create and Upload Video
    • Create a new canvas, add components, and select ‘Video.’
    • Proceed with the video upload, fulfilling additional requirements.
    • Intercept the request with Burp Suite.
    • Click on “Finish” or “Save.”
  • Inspect the POST Request
    • Examine the POST request generated, similar to the one below:

      POST /v2.11/{your_Page_ID}?access_token={your_page_Access_Token} HTTP/1.1
      reqName=object%3Acanvas_video&_reqSrc=AdsCanvasElementDataLoader&bottom_padding=0&locale=en_US&method=post&name=Video&pretty=0&style=FIT_TO_WIDTH&suppress_http_code=1&top_padding=0&video_id={the ID of your video}
  • Replace Video ID
    • Replace the ‘video_id’ value with the victim’s video ID uploaded in Facebook Workplace.
    • Forward the modified request to the server.
  • Preview and Capture Thumbnail
    • Click on the “Preview” option to send the “canvas” to your mobile device.
    • Observe the displayed thumbnail of the victim’s video posted in Workplace.

Note:

The concept of sending the canvas to my mobile device was the idea that came to my mind to bypass the thumbnail disclosure.
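The root cause is a missing server-side authorization check on ‘video_id’: the page is authenticated by its access token, but the referenced video is never checked against that page. As an added illustration (not Facebook’s code; the handler, the ownership store and the IDs are constructed), this Python sketch parses a form body in the shape of the request above and contrasts a handler that trusts ‘video_id’ with one that authorizes it against the requesting page:

```python
from typing import Optional
from urllib.parse import parse_qs

# Constructed ownership store: video fbid -> page that uploaded it.
# A real service would consult the video's privacy/ACL, not a flat dict.
VIDEO_OWNER = {
    "1001": "page_A",   # uploaded by the requesting page
    "2002": "page_B",   # a Workplace video belonging to someone else
}
THUMBNAILS = {"1001": "thumb_1001.jpg", "2002": "thumb_2002.jpg"}

# Constructed body mirroring the canvas_video request in the write-up,
# with video_id pointing at a video the caller does not own.
BODY = ("reqName=object%3Acanvas_video&_reqSrc=AdsCanvasElementDataLoader"
        "&method=post&name=Video&style=FIT_TO_WIDTH&video_id=2002")


def parse_body(body: str) -> dict:
    """Decode the x-www-form-urlencoded body into single string values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def vulnerable_handler(page_id: str, body: str) -> Optional[str]:
    """IDOR: the thumbnail is resolved from video_id alone; the page
    identified by the access token (page_id) is never consulted."""
    video_id = parse_body(body).get("video_id")
    return THUMBNAILS.get(video_id)


def hardened_handler(page_id: str, body: str) -> Optional[str]:
    """Authorize the object reference: only videos owned by the page that
    holds the access token may be attached to its canvas element."""
    video_id = parse_body(body).get("video_id")
    if video_id is None or VIDEO_OWNER.get(video_id) != page_id:
        # Same response for 'unknown' and 'not yours' avoids confirming
        # that a guessed fbid exists.
        return None
    return THUMBNAILS[video_id]
```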

Timeline

  • Sarmad | March 30, 2018
    • Initial Report
  • Meta Bug Bounty | April 05, 2018
    • Report Triaged
  • Meta Bug Bounty | April 10, 2018
    • Bug Successfully Fixed
  • Sarmad | April 10, 2018
    • Fix Confirmed
  • Meta Bug Bounty | May 03, 2018
    • Bounty Awarded
