Disclose private mockups for other users in facebook Creative Hub

Introduction

Facebook offers a powerful feature known as “Creative Hub,” designed to serve as a collaborative platform for businesses. This tool facilitates the creation of ad mockups and provides a space for learning and drawing inspiration from creative possibilities without requiring any specific design skills or prior experience with Facebook advertising. For in-depth information, visit https://www.facebook.com/business/help/230486987369480.

The finding

When creating a mockup in Facebook’s Creative Hub, users have the option to preview it in either the “Desktop News Feed” or “Mobile News Feed.” The GET request that renders the “Desktop News Feed” preview was found to be vulnerable to an Insecure Direct Object Reference (IDOR) in its “object_story_id” parameter: the server rendered whatever story the parameter named, without checking that the requesting user was allowed to see that story. Any logged-in Creative Hub user could therefore read the contents of a story they did not own.

In practice this lets an attacker disclose other users’ private (draft) mockups, provided they know the “object_story_id” of the story attached to the mockup (a “FBID” of the form page-ID_post-ID).

Reproduction Steps

Step 1 – Victim Account Perspective:

Step 2 – Victim Account Perspective:

  • Navigate to Project ==> Private ==> Create Mockup button ==> Select Carousel ==> Fill in all required information such as Title, text, image, etc. ==> Save the mockup.

Step 3 – Victim Account Perspective:

  • Return to Projects ==> Choose Private ==> Click “Preview all” from the upper right side.

Step 4 – Victim Account Perspective:

Step 5 – Victim Account Perspective:

  • From the upper right side, select the “Gear button” ==> VIEW BY PLACEMENT ==> Intercept the traffic with Burp Suite ==> Choose Desktop News Feed (ensure it’s selected).

Step 6 – Victim Account Perspective:

  • Observe the GET request:
GET /ajax/pagelet/generic.php/AdPreviewPageletController?dpr=1&fb_dtsg_ag=blablabla&data={"adaccountid":"your-ads-account-ID","adid":null,"appid":"1111111","creative":{"object_story_id":"557660361354544_557660471354533"},"customplaymode":null,"loadingoverlay":"shimmer","videodata":{},"format":"DESKTOP_FEED_STANDARD","borderstyle":"standard","projectAccessToken":"your-project-token","editable":false,"version":"v3.0"}&..etc

Step 7 – Attacker Account Perspective:

  • Repeat Steps 1-6.

Step 8 – Attacker Account Perspective:

  • Once you obtain the GET request, replace the attacker’s “object_story_id” with the victim’s “object_story_id” value (e.g., “object_story_id”:“557660361354544_557660471354533”) and forward the GET request to the server. The attacker’s own “projectAccessToken” and “adaccountid” stay in place; only the object reference changes.

Now, the attacker can view the victim’s private mockup in the attacker’s own browser. In addition, details such as the mockup title, Page name, Page ID, owner ID, owner name, description text and URL description can be read directly from the response in Burp Suite.
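To make the failure mode concrete, the following is an added example (not code from the original report or from Facebook) that models the preview endpoint in Python: a helper that pulls “object_story_id” out of the JSON-encoded “data” query parameter of a captured request, a handler that reproduces the reported behaviour (session checked, object ownership not checked), the hardened handler beside it, and the Step 8 differential test (attacker’s token, victim’s id) run against both. The in-memory mockup store, the project tokens, the request shape and all ids are constructed placeholders and assumptions for the example, not real Facebook data or Facebook’s implementation.

```python
"""Added example, not from the original write-up: an in-memory model of the
Creative Hub preview endpoint, its IDOR, and the server-side check that fixes
it. Every id, token and record below is constructed for illustration."""
import json
from urllib.parse import parse_qs, urlparse


class Forbidden(Exception):
    """Stands in for the 403/404 the real endpoint should return."""


# Constructed request: same shape as the forged Step 8 request in the
# write-up (attacker's own token + victim's object_story_id); the path,
# token and ids are placeholders, not real Facebook values.
FORGED_REQUEST = (
    "/ajax/pagelet/generic.php/AdPreviewPageletController?dpr=1"
    "&fb_dtsg_ag=blablabla"
    '&data={"adaccountid":"ACT_ATTACKER","adid":null,"appid":"1111111",'
    '"creative":{"object_story_id":"557660361354544_557660471354533"},'
    '"format":"DESKTOP_FEED_STANDARD","projectAccessToken":"TOKEN_ATTACKER",'
    '"editable":false,"version":"v3.0"}'
)

# Constructed store (assumption): which user owns which draft mockup, keyed by
# the story id the preview request names. Fields mirror what the write-up says
# leaked in the response (title, page id, owner).
MOCKUPS = {
    "557660361354544_557660471354533": {
        "owner": "victim", "title": "Victim draft", "page_id": "557660361354544",
    },
    "111222333444555_111222333444999": {
        "owner": "attacker", "title": "Attacker draft", "page_id": "111222333444555",
    },
}

# Constructed mapping from projectAccessToken to the user it authenticates.
PROJECT_TOKENS = {"TOKEN_VICTIM": "victim", "TOKEN_ATTACKER": "attacker"}


def object_story_id_from_request(url: str) -> str:
    """Extract creative.object_story_id from the JSON in the `data` query param."""
    query = parse_qs(urlparse(url).query)
    data = json.loads(query["data"][0])
    return data["creative"]["object_story_id"]


def preview_vulnerable(project_token: str, object_story_id: str) -> dict:
    """Reproduces the reported flaw: the token proves the caller is *some*
    logged-in user, but the story is fetched by id with no ownership check."""
    if project_token not in PROJECT_TOKENS:
        raise Forbidden("not logged in")
    return MOCKUPS[object_story_id]


def preview_fixed(project_token: str, object_story_id: str) -> dict:
    """Object-level authorization: resolve the caller, then require that the
    requested mockup belongs to them. Unknown ids and foreign ids get the same
    response so the endpoint does not confirm which ids exist."""
    caller = PROJECT_TOKENS.get(project_token)
    if caller is None:
        raise Forbidden("not logged in")
    mockup = MOCKUPS.get(object_story_id)
    if mockup is None or mockup["owner"] != caller:
        raise Forbidden("no such mockup for this user")
    return mockup


def idor_check(handler) -> bool:
    """Step 8 as a differential test: call `handler` with the attacker's token
    and the victim's id taken from the forged request. True means the handler
    disclosed a mockup the attacker does not own."""
    victim_id = object_story_id_from_request(FORGED_REQUEST)
    try:
        result = handler("TOKEN_ATTACKER", victim_id)
    except Forbidden:
        return False
    return result["owner"] != "attacker"


if __name__ == "__main__":
    print("vulnerable handler leaks:", idor_check(preview_vulnerable))
    print("fixed handler leaks:     ", idor_check(preview_fixed))
```

The key design point is in `preview_fixed`: authentication (is the token valid?) and authorization (may this caller see this object?) are separate checks, and the second one is keyed on the object named in the request, not on the caller's own project. The same differential test, run with two real accounts, is how the IDOR was confirmed in the report; the handler models make clear why swapping one id was enough.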

Timeline

Sarmad | 18 Oct 2018

  • Initial Report

Meta Bug Bounty | 23 Oct 2018

  • Report Triaged

Meta Bug Bounty | 23 Apr 2019

  • Fixed By Meta Bug Bounty

Sarmad | 24 Apr 2019

  • Fix Confirmed

Meta Bug Bounty | 07 Jun 2019

  • Bounty Awarded
